Nefunkční MS Word, TOTAL CMD, zpomalené PC. Prosím o kontrol

[Gustavson]

Nejprve se několikrát sám vypnul FireWall, poté jsem spustil ComboFix a počítač se začal zpomalovat, číst z disku apod.
Také se deaktivovala možnost spustit Správce úloh, nejde menu ve Wordu.
Total CMD napsal hlášku "WARNING: The TOTALCMD executable file is corrupted, possible VIRUS!..."
Soubor ComboFixu je možná také napadený.

Prosím o help. Toto jest včerejší výpis RSITu.



Logfile of random's system information tool 1.06 (written by random/random)
Run by Gustavson at 2010-08-03 23:50:49
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 9 GB (60%) free of 15 GB
Total RAM: 510 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50:50, on 3.8.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\Program Files\Logitech\Vid\vid.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\RSIT.exe
C:\Program Files\trend micro\Gustavson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ceskenoviny.cz/ekologie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\HDDHealth.exe -wl
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid\Vid.exe" -bootmode
O4 - HKCU\..\Run: [Logitech Vid HD] "C:\Program Files\Logitech\Vid\vid.exe" -bootmode
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3093406941
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5024 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-07-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-07-17 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2010-01-26 577536]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-15 339968]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-20 109488]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-05-11 49152]
"LWS"=C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [2010-05-07 238936]
"PCMService"=C:\Program Files\Aspire Arcade\PCMService.exe [2004-03-25 81920]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HDDHealth"=C:\Program Files\HDD Health\HDDHealth.exe [2008-06-15 1692672]
"Logitech Vid"=C:\Program Files\Logitech\Vid\Vid.exe [2010-05-11 6135128]
"Logitech Vid HD"=C:\Program Files\Logitech\Vid\vid.exe [2010-05-11 6135128]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\games\RA2\GAME.EXE"="D:\games\RA2\GAME.EXE:*:Enabled:Main executable for Red Alert 2"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe:*:Enabled:ipsec"
"C:\WINDOWS\SOUNDMAN.EXE"="C:\WINDOWS\SOUNDMAN.EXE:*:Enabled:ipsec"
"C:\Program Files\Logitech\Vid\Vid.exe"="C:\Program Files\Logitech\Vid\Vid.exe:*:Enabled:Logitech Vid HD"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 2 months======

2010-08-03 23:41:23 ----D---- C:\rsit
2010-08-03 23:41:23 ----D---- C:\Program Files\trend micro
2010-08-03 23:38:37 ----A---- C:\ComboFix.txt
2010-08-03 22:33:37 ----A---- C:\Boot.bak
2010-08-03 22:33:29 ----RASHD---- C:\cmdcons
2010-08-03 22:29:47 ----A---- C:\WINDOWS\zip.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\SWSC.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\SWREG.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\sed.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\PEV.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\NIRCMD.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\MBR.exe
2010-08-03 22:29:47 ----A---- C:\WINDOWS\grep.exe
2010-08-03 22:28:07 ----D---- C:\WINDOWS\ERDNT
2010-08-03 22:25:28 ----D---- C:\Qoobox
2010-08-03 08:37:01 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-08-02 12:28:33 ----A---- C:\WINDOWS\system32\chsbrkr.dll
2010-08-02 12:28:29 ----A---- C:\WINDOWS\system32\chtbrkr.dll
2010-08-02 12:27:11 ----A---- C:\WINDOWS\system32\korwbrkr.dll
2010-08-02 12:27:09 ----A---- C:\WINDOWS\system32\msir3jp.dll
2010-08-02 12:26:16 ----A---- C:\WINDOWS\system32\kbd101a.dll
2010-08-02 12:17:36 ----A---- C:\WINDOWS\system32\kbdnecNT.dll
2010-08-02 12:17:36 ----A---- C:\WINDOWS\system32\kbdnecAT.dll
2010-08-02 12:17:36 ----A---- C:\WINDOWS\system32\kbdnec95.dll
2010-08-02 12:16:09 ----A---- C:\WINDOWS\system32\c_is2022.dll
2010-08-02 12:15:41 ----A---- C:\WINDOWS\system32\uniime.dll
2010-08-02 12:15:14 ----A---- C:\WINDOWS\system32\c_g18030.dll
2010-08-02 12:15:09 ----A---- C:\WINDOWS\system32\kbdlk41j.dll
2010-08-02 12:15:09 ----A---- C:\WINDOWS\system32\kbdlk41a.dll
2010-08-02 12:15:09 ----A---- C:\WINDOWS\system32\f3ahvoas.dll
2010-08-02 12:15:08 ----A---- C:\WINDOWS\system32\kbdibm02.dll
2010-08-02 12:15:08 ----A---- C:\WINDOWS\system32\kbdax2.dll
2010-08-02 12:15:08 ----A---- C:\WINDOWS\system32\kbd106n.dll
2010-08-02 12:15:08 ----A---- C:\WINDOWS\system32\kbd101.dll
2010-08-02 12:15:07 ----A---- C:\WINDOWS\system32\imjp81k.dll
2010-08-02 12:12:14 ----A---- C:\WINDOWS\system32\kbdkor.dll
2010-08-02 12:12:14 ----A---- C:\WINDOWS\system32\kbdjpn.dll
2010-08-02 12:12:14 ----A---- C:\WINDOWS\system32\kbd103.dll
2010-08-02 12:12:14 ----A---- C:\WINDOWS\system32\kbd101c.dll
2010-08-02 12:12:13 ----A---- C:\WINDOWS\system32\kbd101b.dll
2010-08-02 12:12:12 ----A---- C:\WINDOWS\system32\kbd106.dll
2010-08-01 23:30:50 ----D---- C:\Program Files\Common Files\Java
2010-08-01 23:29:33 ----A---- C:\WINDOWS\system32\javaws.exe
2010-08-01 23:29:33 ----A---- C:\WINDOWS\system32\javaw.exe
2010-08-01 23:29:32 ----A---- C:\WINDOWS\system32\java.exe
2010-07-20 12:39:13 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\dvdcss
2010-07-19 13:44:14 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\vlc
2010-07-19 13:43:35 ----D---- C:\Program Files\VideoLAN
2010-07-15 00:52:44 ----A---- C:\WINDOWS\IsUn0405.exe
2010-07-14 13:12:47 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-07-07 04:48:31 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2010-07-07 04:48:30 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2010-07-07 04:48:28 ----D---- C:\Program Files\ffdshow
2010-07-04 12:15:25 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\CyberLink
2010-07-04 12:13:51 ----D---- C:\Program Files\CyberLink
2010-07-04 12:13:35 ----D---- C:\Program Files\Aspire Arcade
2010-06-17 16:27:04 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\Logitech
2010-06-17 16:11:13 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\Leadertech
2010-06-17 16:05:30 ----D---- C:\Documents and Settings\All Users\Data aplikací\LogiShrd
2010-06-17 15:50:51 ----D---- C:\Documents and Settings\All Users\Data aplikací\Logitech
2010-06-17 15:50:41 ----D---- C:\Program Files\Common Files\LWS
2010-06-17 15:50:13 ----D---- C:\Program Files\Logitech
2010-06-17 15:50:13 ----D---- C:\Program Files\Common Files\LogiShrd
2010-06-17 15:32:47 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2010-06-13 12:48:08 ----A---- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
2010-06-10 09:16:55 ----HDC---- C:\WINDOWS\$NtUninstallKB980218$
2010-06-10 09:16:50 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-06-10 09:16:42 ----HDC---- C:\WINDOWS\$NtUninstallKB979559$
2010-06-10 09:14:21 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-06-10 09:14:14 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-06-10 09:14:08 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-06-09 10:04:50 ----D---- C:\Program Files\R

======List of files/folders modified in the last 2 months======

2010-08-03 23:41:23 ----RD---- C:\Program Files
2010-08-03 23:38:40 ----D---- C:\WINDOWS\system32\drivers
2010-08-03 23:38:39 ----D---- C:\WINDOWS\Temp
2010-08-03 23:37:27 ----D---- C:\WINDOWS\system32\CatRoot2
2010-08-03 23:33:06 ----D---- C:\WINDOWS
2010-08-03 23:33:06 ----A---- C:\WINDOWS\system.ini
2010-08-03 23:16:45 ----D---- C:\WINDOWS\system32\config
2010-08-03 23:15:02 ----D---- C:\WINDOWS\system32
2010-08-03 23:15:02 ----D---- C:\WINDOWS\AppPatch
2010-08-03 23:14:59 ----D---- C:\Program Files\Common Files
2010-08-03 23:11:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-08-03 22:48:24 ----D---- C:\WINDOWS\repair
2010-08-03 22:33:37 ----RASH---- C:\boot.ini
2010-08-03 22:29:47 ----SHD---- C:\System Volume Information
2010-08-03 22:29:47 ----D---- C:\WINDOWS\system32\Restore
2010-08-03 22:29:30 ----D---- C:\WINDOWS\Prefetch
2010-08-03 20:45:01 ----A---- C:\WINDOWS\WINCMD.INI
2010-08-03 08:37:11 ----HD---- C:\WINDOWS\inf
2010-08-03 08:37:06 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-08-03 02:58:53 ----HD---- C:\WINDOWS\$hf_mig$
2010-08-02 12:26:46 ----RSD---- C:\WINDOWS\Fonts
2010-08-02 12:26:30 ----D---- C:\WINDOWS\Help
2010-08-01 23:30:50 ----SHD---- C:\WINDOWS\Installer
2010-08-01 23:29:25 ----D---- C:\Program Files\Java
2010-07-27 08:30:31 ----A---- C:\WINDOWS\system32\shell32.dll
2010-07-17 05:00:04 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-07-15 17:54:21 ----SHD---- C:\WINDOWS\CSC
2010-07-15 14:38:30 ----D---- C:\Documents and Settings\Gustavson\Data aplikací\Adobe
2010-07-15 00:54:27 ----D---- C:\Program Files\Common Files\Adobe
2010-07-15 00:54:26 ----D---- C:\Program Files\Adobe
2010-07-14 13:13:07 ----A---- C:\WINDOWS\imsins.BAK
2010-07-08 09:45:52 ----D---- C:\Program Files\Trillian
2010-07-04 12:13:35 ----HD---- C:\Program Files\InstallShield Installation Information
2010-07-02 21:39:06 ----A---- C:\WINDOWS\system32\MRT.exe
2010-06-17 16:11:12 ----SD---- C:\Documents and Settings\Gustavson\Data aplikací\Microsoft
2010-06-17 16:11:01 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-06-10 18:26:46 ----D---- C:\Program Files\Internet Explorer
2010-06-10 09:13:16 ----D---- C:\WINDOWS\system32\cs-cz
2010-06-10 09:13:02 ----D---- C:\WINDOWS\ie7updates
2010-06-10 08:50:10 ----SD---- C:\WINDOWS\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 SMBHC;Microsoft SM Bus Host Controller Driver; C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 6784]
R2 EpmPsd;Acer EPM Power Scheme Driver; \??\C:\WINDOWS\system32\drivers\epm-psd.sys []
R2 EpmShd;Acer EPM System Hardware Driver; \??\C:\WINDOWS\system32\drivers\epm-shd.sys []
R2 irda;Protokol IrDA; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-14 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 NwlnkIpx;Transportní protokol kompatibilní s NWLink IPX/SPX/NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;Služba NWLink pro rozhraní NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-10-25 63232]
R2 NwlnkSpx;Protokol NWLink SPX/SPXII; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-10-25 55936]
R3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\pmngoo.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-04-29 292352]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-04-29 274688]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-03-10 1041536]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2004-03-10 199552]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMBBATT;Microsoft Smart Battery Driver; C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-14 16000]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2004-05-26 67584]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-08-19 3210496]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-03-10 682624]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2010-01-26 4017536]
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-09-26 44032]
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 FilterService;UVCFilterService; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2010-05-15 23904]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2010-05-15 114784]
S3 LVRS;Logitech RightSound Filter Driver; C:\WINDOWS\system32\DRIVERS\lvrs.sys [2010-05-15 276448]
S3 LVUVC;Logitech Webcam 300(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2010-05-15 6842592]
S3 mbr;mbr; \??\C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\mbr.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-14 28672]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbaudio;Ovladač zvukové karty USB (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbvideo;Zobrazovací zařízení USB (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-05-15 376832]
R2 Irmon;Sledování infračerveného přenosu; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-07-17 153376]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]

-----------------EOF-----------------

[riffman]

zdravim

v prvni fazi restartujte stroj, mackejte po startu F8 a zvolte Stav nouze s praci v siti

pote stahnete Avenger


v operacnich systemech Windows Vista a Windows 7 spoustejte aplikaci jako spravce (kliknutim pravym mysitkem na ikonu aplikace a volbou "Spustit jako spravce"

do okna s nazvem Input script here vlozte nasledujici text:

Kód: Vybrat vše

Drivers to delete:
abp470n5

Files to delete:
C:\WINDOWS\system32\drivers\pmngoo.sys

kliknete na Execute, potvrdte na vyskocivsim okne hlasku o potvrzeni provedeni skriptu klikem na Yes:



pote budete odmeneni dalsim okynkem informujicim vas o nastaveni skriptu pro dalsi start OS, kliknutim na tlacitko Yes restartujete pocitac

po restartu na vas vybafne log z avengeru, vlozte jej sem

[Gustavson]

Spuštění Stavu nouze s prací v síti končí BlueScreenem s nějakou chybou v paměti, co jsem stihl zahlédnout. Standardní spuštění jde. Ještě zkusím obyč stav nouze.

[Gustavson]

a teď mi v normální režimu ještě vyskočila chyba ze SW webkamery -

"
MS Visual C++ Runtime Library
Runtime Error!
Program: C:/Program Files/Logitech/LWS/LU/LULnchr.exe
R6002
-floating point support not loaded
"

[riffman]

pravdepodobne infekce souborovym injektorem...

mate instalacni CD s Windows?

[Gustavson]

CD mám.
Jen jsem ještě chtěl dodat jednu info - na začátku po spuštění Stavu nouze se po zápisu položek do startovacího logu ukáže hláška "Stisknout Esc na na zrušení načítání xmasbus.sys" A když ho stisknu, tak se načítání systému zastaví úplně, takže je potřeba ho vypnout knoflíkem.

[riffman]

dostanemte se aspon nekam? ja bych potreboval udelat aspon jeden sken

[Gustavson]

Můžu pustit Avenger z normálního režimu? Ne z nouznáku...

[riffman]

jasne ze aaaano

[Gustavson]

Při spuštění Avengeru se objevila chyba:
"
Editor registru
správce zakázal úpravy registru
"
po restartu zase nějaká chyba (hned zmizela), pc se restartoval a potom už naběhl i s logem:



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "abp470n5" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\pmngoo.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\pmngoo.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[riffman]

fajn

stahnete GMER , rozbalte a spustte


v operacnich systemech Windows Vista a Windows 7 spoustejte aplikaci jako spravce (kliknutim pravym mysitkem na ikonu aplikace a volbou "Spustit jako spravce"

probehne sken, po jehoz ukonceni na vas bafnou vysledky

pote kliknete na Save a ulozite tak log, jehoz obsah sem vlozte

pote dle tohoto navodu absolvujte druhy sken a opet obsah logu sem

[Gustavson]

Druhý log bude během chvilky hotový.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-04 21:41:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\pwldypog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 823859CC
Device \FileSystem\Fastfat \Fat 82120DCC

---- Modules - GMER 1.0.15 ----

Module _________ F8439000-F8451000 (98304 bytes)

---- EOF - GMER 1.0.15 ----

[riffman]

podle toho prvniho tusim pruser, pockam si na nej

[Gustavson]

Je tu... a jak je to s tím průserem? Jinak, tohle mi PC ještě nikdy nědělal, co se mi stalo za těch x let zatím nejhoršího je zrušený HDD.


MER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-04 22:02:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GUSTAV~1\LOCALS~1\Temp\pwldypog.sys


---- Kernel code sections - GMER 1.0.15 ----

? qejnzzr.sys Systém nemůže nalézt uvedený soubor. !
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF77BCE80]
? C:\WINDOWS\system32\drivers\pmngoo.sys Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 414AF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 4162203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 41621FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 41622003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 41621F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 41621F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 41622079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 414D176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3896] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 4162223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 823859CC
Device \FileSystem\Fastfat \FatCdrom 82120DCC
Device \Driver\Cdrom \Device\CdRom0 82015158
Device \FileSystem\Rdbss \Device\FsWrap 821572CC
Device \Driver\Cdrom \Device\CdRom1 82015158
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82015260
Device \Driver\atapi \Device\Ide\IdePort0 82015260
Device \Driver\atapi \Device\Ide\IdePort1 82015260
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 82015260
Device \Driver\SMBHC \Device\SmbHc SMBCLASS.SYS (SMBus Class Driver/Microsoft Corporation)
Device \FileSystem\Srv \Device\LanmanServer 815035CC
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8217F204
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8217F204
Device \FileSystem\Npfs \Device\NamedPipe 8210EBBC
Device \FileSystem\Msfs \Device\Mailslot 8210873C
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1 82014F00
Device \Driver\xmasscsi \Device\Scsi\xmasscsi1Port2Path0Target0Lun0 82014F00
Device \FileSystem\Fastfat \Fat 82120DCC
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82137E1C
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82137E1C
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82137E1C
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82137E1C
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82137E1C
Device \FileSystem\Cdfs \Cdfs 82117A44

---- Modules - GMER 1.0.15 ----

Module _________ F8439000-F8451000 (98304 bytes)

---- EOF - GMER 1.0.15 ----

[riffman]

neco tam vidim, zkusime se ujistit..

stahnete si RootRepeal z adresy http://rootrepeal.googlepages.com/RootRepeal.zip


v operacnich systemech Windows Vista a Windows 7 spoustejte aplikaci jako spravce (kliknutim pravym mysitkem na ikonu aplikace a volbou "Spustit jako spravce"

rozbalit, spustit, precvaknout na zalozku SSDT, klik na Scan, pockat, pak kliknutim na Save Report ulozit log a jeho obsah zkopirovat sem

to same pak na zalozkach Drivers, Stealth Objects a Hidden Services