Asi vir, prosím pomocte mi..... Vyřešeno

[jaro3]

Toto otestuj na Virustotal
c:\windows\system32\drivers\538ffccb.sys
C:\cxhfsbpt.exe
c:\windows\system32\rqRHbXnL.dll
C:\1425364061
C:\rvlksh.exe
C:\begaxy.exe
Vlož sem pak výsledky.

[Reklama]

[-frost-]

nedá mi to, abych se neozval! co máte všichni pořád s tim, že stahovat z warez se nevyplatí. nevyplatí se to tomu, kdo stáhne soubor od neznámého uživatele a je natolik naivní, že ho bez jakýkoli kontroli hned rozbalí, a nebo popřípadě nainstaluje... je to čistě individuální věc, a takovýhle báchorky, že se to nevyplatí vznikaj právě kvůli takovejm lidem jako je vachi(nic proti)
předpokládám, že si o mně budete myslet, že jsem zarytej warezák, ale opak je pravdou... tuhle odezvu ve mně akorát vyvolaly vaše reakce na problém výše zmíněnýho uživatele. každý svýho štěstí strůjcem

[vachi]

Toto otestuj na Virustotal
c:\windows\system32\drivers\538ffccb.sys
C:\cxhfsbpt.exe
c:\windows\system32\rqRHbXnL.dll
C:\1425364061
C:\rvlksh.exe
C:\begaxy.exe
Vlož sem pak výsledky.

to musím každe zvlášť že?

[jaro3]

Samozřejmě, pak pošli jen odkazy výsledků, teprve pak vypracuji log , a bude třeba ještě mi něco poslat do SZ.
Vysvětlení později.

[vachi]

http://www.virustotal.com/cs/analisis/d ... 4db82a1389

http://www.virustotal.com/cs/analisis/a ... 86760b40f2

http://www.virustotal.com/cs/analisis/3 ... cf3440dcd0

http://www.virustotal.com/cs/analisis/4 ... 11fce78995

0 bytes size received / Se ha recibido un archivo vacio (C:\rvlksh.exe) - nenačetlo asi

0 bytes size received / Se ha recibido un archivo vacio (C:\begaxy.exe)

[jaro3]

Takže ještě poslední soubory na VT:
c:\windows\system32\Drivers\ati7ssxx.sys
c:\windows\system32\Drivers\ati0ffxx.sys
c:\windows\Tasks\ibaiszya.job
c:\windows\temp\cerF.tmp
Postup stejný.

[vachi]

na první dva hláška: Nemáte oprávnění soubor otevřít, požádejte vlastníka souboru nebo správce o přidělení oprávnění

http://www.virustotal.com/cs/analisis/7 ... b0ebe71f7d

http://www.virustotal.com/cs/analisis/4 ... e299bc58c2

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
c:\windows\system32\drivers\538ffccb.sys
C:\cxhfsbpt.exe
c:\windows\system32\rqRHbXnL.dll
C:\rvlksh.exe
C:\begaxy.exe
c:\windows\temp\cerF.tmp
c:\windows\system32\Drivers\ati7ssxx.sys
c:\windows\system32\Drivers\ati0ffxx.sys

Driver::
538ffccb
ati7ssxx
ati0ffxx

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbqzkq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbqzkq]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0ffxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0ffxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7ssxx.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT
EDIT: zároveň s logem z CF :
Stáhni si GMER
Po stažení aplikaci rozbal a spusť, probehne rychlý sken a otevře se hlavní okno programu:
pokud klikneš na tlačítko Save vpravo dole, muzeš vyexportovat první log, ktery vloziš sem.
abychom se dostali k "hlavnimu" skenu a ziskani logu z nej, ponechame v pravem sloupci zafajfkovane vsechny polozky a klikneme na tlacitko Scan,
Vyckame konce skenu (coz trva tak kolem peti deseti minut), pote opet klikneme na tlacitko Save a vyexportujeme log cislo 2,
i tento log vlozte na forum

[vachi]

ComboFix 09-01-10.03 - xp 2009-01-11 15:18:24.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.2047.1524 [GMT 1:00]
Spuštěný z: c:\documents and settings\xp\Plocha\CFI\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\xp\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

FILE ::
C:\begaxy.exe
C:\cxhfsbpt.exe
C:\rvlksh.exe
c:\windows\system32\drivers\538ffccb.sys
c:\windows\system32\Drivers\ati0ffxx.sys
c:\windows\system32\Drivers\ati7ssxx.sys
c:\windows\system32\rqRHbXnL.dll
c:\windows\temp\cerF.tmp
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\begaxy.exe
C:\cxhfsbpt.exe
C:\rvlksh.exe
c:\windows\system32\drivers\538ffccb.sys
c:\windows\system32\rqRHbXnL.dll
c:\windows\system32\sbqzkq.dll
c:\windows\temp\cerF.tmp

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ati7ssxx
-------\Service_538ffccb
-------\Service_ati0ffxx
-------\Service_ati7ssxx


((((((((((((((((((((((((( Soubory vytvořené od 2008-12-11 do 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-10 20:05 . 2009-01-10 20:05 <DIR> d-------- c:\documents and settings\xp\Data aplikací\DAEMON Tools Pro
2009-01-09 14:25 . 2009-01-09 14:25 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2009-01-09 14:25 . 2009-01-10 19:55 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-09 14:25 . 2009-01-09 14:25 <DIR> d-------- c:\documents and settings\xp\Data aplikací\DAEMON Tools Lite
2009-01-09 14:25 . 2009-01-09 14:25 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\DAEMON Tools Lite
2009-01-09 14:17 . 2009-01-09 14:17 <DIR> d-------- c:\program files\Alcohol Soft
2009-01-09 10:30 . 2009-01-09 10:30 <DIR> d-------- c:\program files\ESET
2009-01-09 10:21 . 2009-01-11 10:14 5,760 --a------ c:\windows\system32\drivers\restore.sys
2009-01-09 00:20 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-09 00:20 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2009-01-09 00:20 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2009-01-09 00:20 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2009-01-09 00:20 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2009-01-09 00:20 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2009-01-09 00:20 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2009-01-09 00:19 . 2009-01-09 00:19 <DIR> d-------- c:\windows\Logs
2009-01-09 00:19 . 2009-01-09 00:19 682,280 --a------ c:\windows\system32\pbsvc.exe
2009-01-08 23:59 . 2009-01-10 19:55 <DIR> d-------- c:\documents and settings\xp\Data aplikací\cogad
2009-01-08 23:58 . 2009-01-08 23:58 2 --a------ C:\1425364061
2009-01-08 14:29 . 2009-01-08 14:29 <DIR> d-------- c:\documents and settings\xp\Data aplikací\Leadertech
2009-01-04 23:55 . 2009-01-04 23:55 <DIR> d-------- c:\documents and settings\xp\Data aplikací\dvdcss
2009-01-04 23:47 . 2009-01-04 23:47 <DIR> d-------- c:\documents and settings\xp\Data aplikací\CyberLink
2008-12-23 12:18 . 2008-12-23 12:18 <DIR> d-------- c:\documents and settings\xp\Data aplikací\2K Sports
2008-12-23 11:58 . 2008-12-23 12:16 <DIR> d-------- c:\program files\NBA 2K9
2008-12-22 20:08 . 2008-12-22 20:09 <DIR> d-------- C:\FIFA 09 Demo

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 14:21 --------- d-----w c:\documents and settings\xp\Data aplikací\OpenOffice.org2
2009-01-11 13:23 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-11 13:23 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-11 09:09 14,336 ----a-w c:\windows\system32\svchost.exe
2009-01-10 19:05 --------- d-----w c:\documents and settings\xp\Data aplikací\DAEMON Tools
2009-01-09 13:46 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-08 23:56 --------- d-----w c:\program files\EA SPORTS
2009-01-08 23:19 22,328 ----a-w c:\documents and settings\xp\Data aplikací\PnkBstrK.sys
2009-01-08 23:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 23:04 --------- d-----w c:\program files\Activision
2008-12-29 18:43 --------- d-----w c:\documents and settings\xp\Data aplikací\uTorrent
2008-12-23 18:09 70,968 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-10 08:26 --------- d-----w c:\program files\Common Files\Adobe
2008-12-09 10:34 --------- d-----w c:\program files\ICQ6.5
2008-12-09 10:34 --------- d-----w c:\documents and settings\xp\Data aplikací\ICQ
2008-12-09 10:33 --------- d-----w c:\program files\ICQ6Toolbar
2008-12-09 10:33 --------- d-----w c:\documents and settings\All Users\Data aplikací\ICQ
2008-12-03 12:38 --------- d-----w c:\program files\GamePark
2008-11-21 09:59 --------- d-----w c:\program files\Winamp
2008-11-20 18:54 --------- d-----w c:\documents and settings\xp\Data aplikací\Skype
2008-11-20 18:40 --------- d-----w c:\documents and settings\xp\Data aplikací\skypePM
2008-11-19 22:06 --------- d-----w c:\program files\edu-learning
.

((((((((((((((((((((((((((((( snapshot@2009-01-10_20.26.58,31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-10 19:14:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-11 09:14:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-10 19:14:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-11 09:14:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-11 09:14:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009011120090112\index.dat
- 2009-01-10 19:14:35 14,336 -c--a-w c:\windows\system32\dllcache\svchost.exe
+ 2009-01-11 09:09:20 14,336 -c--a-w c:\windows\system32\dllcache\svchost.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6704e6e2-7d64-4c95-8712-bc8b5c44dd79}]
c:\windows\system32\geBuSMee.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"GAINWARD"="c:\program files\EXPERTool\TBPanel.exe" [2008-07-03 2177576]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2008-11-30 172792]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-23 203720]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"tvjbmonitor"="c:\program files\MMEDIA\TV Jukebox 3.0\tvjbMonitor.exe" [2006-08-08 53248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Config"="c:\program files\Microsoft Games\Age Of Empires ii\Config.exe" [2006-07-06 151552]
"TO2SSM_McciTrayApp"="c:\program files\TO2SSM\McciTrayApp.exe" [2008-08-15 1473536]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\xp\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-03-22 393216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
R4 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-09 222456]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfdee082-949e-11dd-917b-0021851c1169}]
\Shell\AutoRun\command - g:\flash.exe g:\
\Shell\Explore\command - g:\flash.exe g:\
\Shell\Open\command - g:\flash.exe g:\
.
Obsah adresáře 'Naplánované úlohy'

2009-01-11 c:\windows\Tasks\ibaiszya.job
- c:\windows\system32\rundll32.exe [2004-08-17 14:49]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.cz.o2.com/welcome/cz/index.html
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
FF - ProfilePath - c:\documents and settings\xp\Data aplikací\Mozilla\Firefox\Profiles\yvp6xdu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 15:21:45
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2009-01-11 15:23:56 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-01-11 14:23:54
ComboFix2.txt 2009-01-11 09:16:51
ComboFix3.txt 2009-01-10 19:27:25

Před spuštěním: 2 468 843 520
Po spuštění: 2,464,727,040

197

[vachi]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24:58, on 11.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MMEDIA\TV Jukebox 3.0\tvjbMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Games\Age Of Empires ii\Config.exe
C:\Program Files\TO2SSM\McciTrayApp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EXPERTool\TBPanel.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\xp\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cz.o2.com/welcome/cz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6704e6e2-7d64-4c95-8712-bc8b5c44dd79} - C:\WINDOWS\system32\geBuSMee.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tvjbmonitor] C:\Program Files\MMEDIA\TV Jukebox 3.0\tvjbMonitor.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Config] C:\Program Files\Microsoft Games\Age Of Empires ii\Config.exe
O4 - HKLM\..\Run: [TO2SSM_McciTrayApp] C:\Program Files\TO2SSM\McciTrayApp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GAINWARD] C:\Program Files\EXPERTool\TBPanel.exe /A
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1253398953
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6930 bytes

[vachi]

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 15:26:21
Windows 5.1.2600 Service Pack 2


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- System - GMER 1.0.14 ----

SSDT sprt.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT sprt.sys ZwEnumerateValueKey [0xBA6C7030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E531F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

---- EOF - GMER 1.0.14 ----

[vachi]

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 15:32:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sprt.sys ZwCreateKey [0xBA6A80E0]
SSDT sprt.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT sprt.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT sprt.sys ZwOpenKey [0xBA6A80C0]
SSDT sprt.sys ZwQueryKey [0xBA6C7108]
SSDT sprt.sys ZwQueryValueKey [0xBA6C6F88]
SSDT sprt.sys ZwSetValueKey [0xBA6C719A]

INT 0x63 ? 89E54BF8
INT 0x63 ? 89E54BF8
INT 0x63 ? 89E54BF8
INT 0x63 ? 89E54BF8
INT 0x63 ? 89A34F00
INT 0x63 ? 89A34F00
INT 0x63 ? 89E54BF8
INT 0x83 ? 89E54BF8
INT 0x83 ? 89E54BF8
INT 0x83 ? 89A34F00
INT 0x83 ? 89E54BF8
INT 0x84 ? 89A34F00
INT 0xA4 ? 89A34F00
INT 0xB4 ? 89A34F00

---- Kernel code sections - GMER 1.0.14 ----

? sprt.sys Systém nemůže nalézt uvedený soubor. !
? Combo-Fix.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload B9E2D62C 5 Bytes JMP 89A344E0
.text a4vnvyf5.SYS B9D41386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a4vnvyf5.SYS B9D413AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a4vnvyf5.SYS B9D413C4 3 Bytes [ 00, 70, 02 ]
.text a4vnvyf5.SYS B9D413C9 1 Byte [ 2E ]
.text a4vnvyf5.SYS B9D413CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...
? C:\ComboFix\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1528] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] sprt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] sprt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] sprt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] sprt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] sprt.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] sprt.sys
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\a4vnvyf5.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E531F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\NetBT \Device\NetBT_Tcpip_{29B16137-A53A-42DD-8176-2DCB8E9D1C9D} 89C521F8
Device \Driver\sptd \Device\3319426356 sprt.sys
Device \Driver\usbuhci \Device\USBPDO-0 89B3F470
Device \Driver\PCI_PNP2606 \Device\00000044 sprt.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE41F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE41F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE41F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE41F8
Device \Driver\usbuhci \Device\USBPDO-1 89B3F470
Device \Driver\usbuhci \Device\USBPDO-2 89B3F470
Device \Driver\usbehci \Device\USBPDO-3 89C5A1F8
Device \Driver\usbuhci \Device\USBPDO-4 89B3F470

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\usbuhci \Device\USBPDO-5 89B3F470
Device \Driver\usbuhci \Device\USBPDO-6 89B3F470
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E551F8
Device \Driver\usbehci \Device\USBPDO-7 89C5A1F8
Device \Driver\Cdrom \Device\CdRom0 89BF1470
Device \Driver\Cdrom \Device\CdRom1 89BF1470
Device \Driver\atapi \Device\Ide\IdePort0 89E541F8
Device \Driver\atapi \Device\Ide\IdePort1 89E541F8
Device \Driver\atapi \Device\Ide\IdePort2 89E541F8
Device \Driver\atapi \Device\Ide\IdePort3 89E541F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 89E541F8
Device \Driver\atapi \Device\Ide\IdePort4 89E541F8
Device \Driver\atapi \Device\Ide\IdePort5 89E541F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 89E541F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 89E541F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89C521F8
Device \Driver\NetBT \Device\NetbiosSmb 89C521F8
Device \Driver\usbuhci \Device\USBFDO-0 89B3F470
Device \Driver\usbuhci \Device\USBFDO-1 89B3F470
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89ABD500
Device \Driver\usbuhci \Device\USBFDO-2 89B3F470
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89ABD500
Device \Driver\usbehci \Device\USBFDO-3 89C5A1F8
Device \Driver\usbuhci \Device\USBFDO-4 89B3F470
Device \Driver\Ftdisk \Device\FtControl 89E551F8
Device \Driver\usbuhci \Device\USBFDO-5 89B3F470
Device \Driver\usbuhci \Device\USBFDO-6 89B3F470
Device \Driver\usbehci \Device\USBFDO-7 89C5A1F8
Device \Driver\a4vnvyf5 \Device\Scsi\a4vnvyf51 8992B500
Device \FileSystem\Cdfs \Cdfs 89AAE500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB2 0x04 0xB2 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0d79c293c1ed61418462e24595c90d04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB2 0x04 0xB2 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----