boj s virem win32:rootkit-gen

[Puk22]

problem s virem rootkit-gen
výpis z combofix


ComboFix 10-02-26.03 - Pukk 27.02.2010 13:01:32.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2047.1546 [GMT 1:00]
Spuštěný z: c:\documents and settings\Pukk\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100227-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pukk\Dokumenty\cc_20090118_100638.reg
c:\documents and settings\Pukk\Dokumenty\cc_20100103_092857.reg
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-27 do 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-26 14:37 . 2004-08-03 21:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-26 14:37 . 2004-08-03 21:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-26 14:32 . 2004-08-03 22:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-26 14:32 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 14:32 . 2004-08-03 22:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 14:32 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-26 14:31 . 2010-02-27 11:34 132 ----a-w- c:\windows\system32\fjhdyfhsn.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 16:42 . 2008-08-16 10:16 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-08 19:25 . 2010-01-26 17:16 -------- d-----w- c:\program files\Google
2010-01-18 18:19 . 2009-03-24 17:27 -------- d-----w- c:\program files\MpcStar
2010-01-17 16:57 . 2010-01-17 16:56 -------- d-----w- c:\program files\Lightsmark 2008
2010-01-15 15:36 . 2008-07-10 08:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-15 15:36 . 2008-08-13 15:26 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-15 15:35 . 2010-01-15 15:14 -------- d-----w- c:\program files\Common Files\BioWare
2010-01-15 15:16 . 2001-10-25 12:00 77872 ----a-w- c:\windows\system32\perfc005.dat
2010-01-15 15:16 . 2001-10-25 12:00 428750 ----a-w- c:\windows\system32\perfh005.dat
2010-01-03 13:32 . 2009-03-10 18:27 -------- d-----w- c:\program files\ICQ6.5
2010-01-02 15:34 . 2008-07-04 14:50 -------- d--h--w- c:\program files\InstallShield Installation Information
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Folder)]
@="{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}"
[HKEY_CLASSES_ROOT\CLSID\{02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1}]
2009-11-11 19:42 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Fully Synced)]
@="{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}"
[HKEY_CLASSES_ROOT\CLSID\{CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1}]
2009-11-11 19:42 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Not Latest Version)]
@="{284C090F-EB1D-4A6E-872E-6DB72E417E24}"
[HKEY_CLASSES_ROOT\CLSID\{284C090F-EB1D-4A6E-872E-6DB72E417E24}]
2009-11-11 19:42 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Syncplicity Icon Overlay (Shared Folder)]
@="{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}"
[HKEY_CLASSES_ROOT\CLSID\{3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC}]
2009-11-11 19:42 38400 ----a-w- c:\program files\Syncplicity\SyncplicityShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Syncplicity"="c:\program files\Syncplicity\Syncplicity.exe" [2009-11-11 655360]
"PC Suite Tray"="d:\programy\nokia suite\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="d:\programy\omnipage\OpwareSE4.exe" [2007-02-04 79400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Pukk\Nabˇdka Start\Programy\Po spuçtŘnˇ\
winesm32.exe [2004-8-17 29184]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - d:\programy\Adobe\akrobat\Reader\reader_sl.exe [2005-9-24 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\lotr\\game.dat"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"d:\\Hry\\lotr\\game.dat"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Altap Salamander 2.5\\salamand.exe"=
"d:\\Hry\\AOE2\\empires2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\programy\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Hry\\Dragon Age\\bin_ship\\daorigins.exe"=
"d:\\Hry\\Dragon Age\\DAOriginsLauncher.exe"=
"d:\\Hry\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"d:\\programy\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8199:TCP"= 8199:TCP:BitComet 8199 TCP
"8199:UDP"= 8199:UDP:BitComet 8199 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.7.2008 16:43 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.7.2008 16:43 20560]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6.7.2008 11:10 721904]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26.1.2010 18:16 135664]
S3 DAUpdaterSvc;Dragon Age: Prameny - aktualizace obsahu;d:\hry\Dragon Age\bin_ship\daupdatersvc.service.exe [15.1.2010 16:27 25832]
S3 FXDrv32;FXDrv32;\??\e:\fxdrv32.sys --> e:\FXDrv32.sys [?]
.
Obsah adresáře 'Naplánované úlohy'

2008-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 12:21]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 17:16]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 17:16]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.centrum.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.qip.ru
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Pukk\Data aplikací\Mozilla\Firefox\Profiles\xift4ytv.default\
FF - component: c:\documents and settings\Pukk\Data aplikací\Mozilla\Firefox\Profiles\xift4ytv.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: d:\programy\Adobe\akrobat\Reader\browser\nppdf32.dll
FF - plugin: d:\programy\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: d:\programy\Mozilla Firefox\plugins\NPBOARDS.dll

---- NASTAVENÍ FIREFOXU ----
d:\programy\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

SafeBoot-Wdf01000.sys



**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-117609710-1659004503-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:51,3f,df,7e,f4,f1,85,2a,71,ac,22,11,f2,c6,a8,1f,7f,72,0a,c4,86,24,a4,
a8,e1,3a,36,a4,ef,b0,2f,fd,c4,6d,00,cf,83,79,33,d5,d6,91,0d,f2,36,8c,9b,d6,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-117609710-1659004503-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:2d,66,d4,5e,46,9b,7b,d1,56,2b,14,eb,39,ed,dc,20,b4,33,ab,5a,d4,
a4,d0,84,93,66,a7,ce,38,cf,70,1c,a5,23,02,d2,df,ca,75,b5,74,eb,d1,fd,5c,5e,\
"rkeysecu"=hex:12,4a,8b,bd,38,c6,8d,90,70,48,ca,da,d5,91,c6,9a
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-02-27 13:06:13
ComboFix-quarantined-files.txt 2010-02-27 12:06

Před spuštěním: 2 864 480 256
Po spuštění: 3 740 950 528

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 7DEB31069E6E153822754957E20340AA

[earl]

Zdravim,

:arrow:Otestujte na VIRUSTOTALu a JOTTISCANu

e:\FXDrv32.sys

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledky sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

Stahnete GMER , rozbalte a spustte

probehne sken, po jehoz ukonceni na vas vyskoci vysledky

pote kliknete na Save a ulozite tak log, jehoz obsah sem vlozte

pote dle tohoto navodu

absolvujte druhy sken a opet obsah logu sem.

[Puk22]

e:\FXDrv32.sys

mam malý problém, protože e:\ je moje dvd mechanika, nevím jaky soubor otestovat, zkoušel jsem tento soubor najít v pc ale taky se mi to nepodařilo, jak mám pokračovat?

[earl]

Provedte sken GMERem.

Jeste dodam,ze mit v pc zaroven Daemon Tools i Alcohol 120 neni idealni,jelikoz oba softy maji agresivni drivery a pak to muze zpusobit potize a chyby.

Takze jeden odinstalujte.

[Puk22]

výpisy z GMERu


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-28 08:47:40
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Pukk\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT spwc.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spwc.sys ZwEnumerateValueKey [0xB9EC6032]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E531F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----







GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 10:17:23
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Pukk\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA81B6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA81BA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA81B14C]
SSDT spwc.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spwc.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA81B64E]
SSDT spwc.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA81B76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA81B72E]

INT 0x62 ? 89E54BF8
INT 0x73 ? 89C20BF8
INT 0x73 ? 89C20BF8
INT 0x83 ? 89E54BF8
INT 0x94 ? 89C20BF8
INT 0xB1 ? 89DE6BF8
INT 0xB1 ? 89DE6BF8
INT 0xB4 ? 89C20BF8

---- Kernel code sections - GMER 1.0.15 ----

? spwc.sys Systém nemůže nalézt uvedený soubor. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB7135000, 0x17C39E, 0xE8000020]
.text USBPORT.SYS!DllUnload B70CD62C 5 Bytes JMP 89C201D8
.text azx29z26.SYS B706A386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text azx29z26.SYS B706A3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text azx29z26.SYS B706A3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text azx29z26.SYS B706A3C9 1 Byte [2E]
.text azx29z26.SYS B706A3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
.text a4pcgr3p.SYS B7032386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a4pcgr3p.SYS B70323AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a4pcgr3p.SYS B70323C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a4pcgr3p.SYS B70323C9 1 Byte [30]
.text a4pcgr3p.SYS B70323C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA7B77300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA3D0300, 0x1B7E, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA79E7F00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1520] ntdll.dll!NtQueryDirectoryFile + 6 7C90DF64 4 Bytes [90, 61, FF, 00] {NOP ; POPA ; INC DWORD [EAX]}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spwc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spwc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spwc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spwc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spwc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spwc.sys
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KfAcquireSpinLock] 001C9C96
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!READ_PORT_UCHAR] C6168B00
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KeGetCurrentIrql] 001CB986
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KfRaiseIrql] 428A0A00
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KfLowerIrql] BA86880C
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!HalGetInterruptVector] 8B00001C
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!HalTranslateBusAddress] 24A48DFA
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KeStallExecutionProcessor] 00000000
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!KfReleaseSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D3F0304
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!READ_PORT_USHORT] CB033043
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 0673C13B
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[HAL.dll!WRITE_PORT_UCHAR] C13B0003
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[WMILIB.SYS!WmiSystemControl] 75000E7B
IAT \SystemRoot\System32\Drivers\azx29z26.SYS[WMILIB.SYS!WmiCompleteRequest] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\a4pcgr3p.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[648] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[648] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4060] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E531F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBPDO-0 89AF4318
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE41F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE41F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE41F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE41F8
Device \Driver\usbohci \Device\USBPDO-1 89AF4318
Device \Driver\usbohci \Device\USBPDO-2 89AF4318
Device \Driver\PCI_PNP3252 \Device\00000046 spwc.sys
Device \Driver\usbohci \Device\USBPDO-3 89AF4318
Device \Driver\PCI_PNP3252 \Device\00000047 spwc.sys
Device \Driver\usbohci \Device\USBPDO-4 89AF4318

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbehci \Device\USBPDO-5 89AAE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E551F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E551F8
Device \Driver\Cdrom \Device\CdRom0 89C9E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5675C68F-B8E8-4514-B3D3-5DBB79CF2148} 89862500
Device \Driver\Cdrom \Device\CdRom1 89C9E1F8
Device \Driver\atapi \Device\Ide\IdePort0 89E541F8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 89E541F8
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 89E541F8
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 89E541F8
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 89E541F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 89E541F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Cdrom \Device\CdRom2 89C9E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89862500
Device \Driver\NetBT \Device\NetbiosSmb 89862500
Device \Driver\sptd \Device\4191049502 spwc.sys
Device \Driver\sptd \Device\4190893252 spwc.sys

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 89AF4318
Device \Driver\usbohci \Device\USBFDO-1 89AF4318
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 897FD500
Device \Driver\usbohci \Device\USBFDO-2 89AF4318
Device \FileSystem\MRxSmb \Device\LanmanRedirector 897FD500
Device \Driver\usbohci \Device\USBFDO-3 89AF4318
Device \Driver\usbohci \Device\USBFDO-4 89AF4318
Device \Driver\Ftdisk \Device\FtControl 89E551F8
Device \Driver\usbehci \Device\USBFDO-5 89AAE1F8
Device \Driver\a4pcgr3p \Device\Scsi\a4pcgr3p1 8996B500
Device \Driver\a4pcgr3p \Device\Scsi\a4pcgr3p1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\a4pcgr3p \Device\Scsi\a4pcgr3p1Port4Path0Target0Lun0 8996B500
Device \Driver\a4pcgr3p \Device\Scsi\a4pcgr3p1Port4Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\azx29z26 \Device\Scsi\azx29z261 899B61F8
Device \Driver\azx29z26 \Device\Scsi\azx29z261 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\azx29z26 \Device\Scsi\azx29z261Port5Path0Target0Lun0 899B61F8
Device \Driver\azx29z26 \Device\Scsi\azx29z261Port5Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Cdfs \Cdfs 8986B500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 2013100863
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -2066831736
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x28 0xC9 0xF8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x88 0xCE 0x53 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD4 0xDA 0x60 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x41 0x4D 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xB3 0xC3 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x91 0x4C 0x73 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xDB 0xA6 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x28 0xC9 0xF8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x42 0x88 0xCE 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD4 0xDA 0x60 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x41 0x4D 0x6E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xB3 0xC3 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x91 0x4C 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xDB 0xA6 0x27 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ctvod\OpenWithProgids@\f\1T\0V\0o\0D

---- EOF - GMER 1.0.15 ----

[earl]

Log je ok.

Jak se chova pc ted?

[Puk22]

ne uplne standartně, velice dlouho (řádově minuty) trvá než v lišta kde je start hodiny atd začne fungovat a výkon CPU je 50% aniž by běžel jakýkoliv program

[earl]

Stahnete si na plochu a rozbalte RootRepeal

spustte RootRepeal.exe - klepnete na File a potom na Scan - po skenu kliknete na Save Report a log vlozte sem.

V pripade nejasnosti navod v mem podpisu.

[Puk22]

označena záložka files a proveden scan:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/28 12:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

[earl]

Pouzijte MBAM

instalace,uplny sken,vlozit sem log-NIC NEMAZAT!

[Puk22]

Malwarebytes' Anti-Malware 1.44
Verze databáze: 3805
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

28.2.2010 14:18:50
mbam-log-2010-02-28 (14-18-33).txt

Typ kontroly: Kompletní kontrola (C:\|D:\|)
Zkontrolované objekty: 336609
Uplynulý čas: 1 hour(s), 32 minute(s), 3 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované adresáře: 0
Infikované soubory: 3

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
C:\Documents and Settings\Pukk\Nabídka Start\Programy\Po spuštění\winesm32.exe (Worm.KoobFace) -> No action taken.
D:\záloha\záloha\EA games craks\fff-ea117.exe (Trojan.Orsam) -> No action taken.
C:\Documents and Settings\Pukk\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.

[earl]

Dejte smazat,co MBAM nasel.

Dokud budou v pc cracky apod.,tak je vzdy vyssi riziko vyskytu infekce v pc

Start - spustit - napiste ComboFix /Uninstall - a klepnout na OK
-----------------------------------------------------------------------------------------------------------------

Pouzijte T-Cleaner na vycisteni pc po utilitach pouzitych pri odvirovani.Postupujte dle instrukci na obrazovce.Pri detekci antivirem se jedna o falesny poplach.
-----------------------------------------------------------------------------------------------------------------

Vycistete pc Ccleanerem.

Vzdy nejprve Analyzovat a pak Spustit Cleaner.2x po sobe.

Windows-odskrtnout historii a historii automatickeho vyplnovani formularu - prisel byste o historii navstivenych stranek a o ulozena hesla ve formularich

(je to sice z pohledu zabezpeceni spatne,ale aspon pak uzivatel nenadava,kam ze mu to zmizelo )

Aplikace-u prohlizecu internetu odskrtnout Historii internetu.

Registry-nechat vse zaskrtle,Hledej problemy,Opravit vybrane problemy

(nechat ho udelat zalohu-ta je ulozena v Dokumentech-DULEZITE).

Taktez 2x-3x po sobe.
------------------------------------------------------------------------------------------------------------------

Provedte nekolikrat po sobe defragmentaci systemoveho disku C:

Pro zrychleni startu Windows stahnete a spustte program StartUpLite

Program vypise seznam zbytecnych programu spoustejicich se pri startu Windows .

K vypnuti spousteni techto programu zaskrtnete u prislusnych radku Disable a kliknete na Continue.

Pak popiste stav.

[Puk22]

Chvíli mne nejel zvuk, tak jsem ještě přeinstaloval ovladače na základovku, a ted mně přijde že počítač šlape stejne jak před útokem viru.


Snad je po všem, co myslíte?


Mnohokrát děkuji za pomoc!

[earl]

Je po vsem.

A nemate zac.

[Puk22]

super, ještě jednou děkuji


Ivo