Thanks in advance

ComboFix 09-12-27.04 - Standík 29.12.2009 0:01.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2046.1616 [GMT 1:00]
Spuštěný z: c:\documents and settings\Standík\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\OPTIONS\CABS\_desktop.ini
c:\windows\system32\ieuinit.inf
c:\windows\system32\winchap.dll
c:\windows\Sysvxd.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS
((((((((((((((((((((((((( Soubory vytvořené od 2009-11-28 do 2009-12-28 )))))))))))))))))))))))))))))))
.
2009-12-28 21:35 . 2009-12-28 21:38 200 ---ha-w- c:\windows\winshell.dat
2009-12-20 23:39 . 2009-12-20 23:39 -------- d-----w- c:\program files\WinPcap
2009-11-30 18:05 . 2009-11-30 18:05 47616 ----a-w- c:\windows\system32\drivers\Pcouffin.sys
2009-11-30 18:05 . 2009-11-30 18:05 -------- d-----w- c:\program files\vso
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 21:47 . 2009-12-28 21:47 918045 ---ha-w- C:\DH Temp.tmp
2009-11-12 19:45 . 2009-11-12 17:50 -------- d-----w- c:\program files\Common Files\Anvsoft
2009-11-11 10:01 . 2009-09-03 18:23 -------- d-----w- c:\program files\AdorageI-GfxDatas
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- c:\program files\Cyberlink
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- c:\program files\Common Files\CyberLink
2009-11-04 15:10 . 2007-12-16 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-04 15:09 . 2009-02-27 09:30 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-11-02 08:20 . 2009-09-08 09:48 -------- d-----w- c:\program files\Common Files\InterVideo
2009-10-29 19:39 . 2001-10-25 11:00 90452 ----a-w- c:\windows\system32\perfc005.dat
2009-10-29 19:39 . 2001-10-25 11:00 456118 ----a-w- c:\windows\system32\perfh005.dat
2009-10-22 16:42 . 2009-10-22 16:42 4608 ----a-w- c:\windows\system32\bbchlp.dll
2009-10-22 16:42 . 2009-10-22 16:42 4096 ----a-w- c:\windows\system32\drivers\bbcap.sys
2009-10-22 16:42 . 2009-10-22 16:42 30720 ----a-w- c:\windows\system32\bbcap.dll
2009-10-21 09:03 . 2009-10-13 09:50 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 100880 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEXPRESS"="c:\documents and settings\All Users\Data aplikací\LangSoft\OETRN.EXE" [2009-09-03 26624]
"uTorrent"="c:\programy\uTorrent\uTorrent.exe" [2009-12-14 289584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"egui"="c:\programy\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\programy\Java\jre6\bin\jusched.exe" [2009-09-03 149280]
"EasyTuneV"="c:\program files\Gigabyte\ET5\ETcall.exe" [2007-04-26 24576]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Standík\Nabídka Start\Programy\Po spuštění\
siszyd32.exe [2004-8-17 34304]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Aktualizovat ESET licenci.lnk - c:\programy\ESET\MiNODLogin\MiNODLogin.exe [2009-8-22 125952]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2009-02-28 18:40 75048 ----a-w- c:\program files\Cyberlink\Shared Files\brs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 13:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2007-09-06 13:08 136136 ----a-w- c:\programy\DAEMON Tools Pro\DTProAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 07:51 1836328 ----a-w- c:\programy\Nero 8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2008-10-13 19:41 50472 ------w- c:\programy\CyberLink\PowerDVD9\PowerDVD9\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-03 18:11 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-02-16 08:55 87336 ------w- c:\programy\CyberLink\PowerDVD9\PowerDVD9\PDVD9Serv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 14:07 2260480 ------w- c:\programy\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TO2SSM_McciTrayApp]
2008-08-15 16:33 1473536 ----a-w- c:\program files\TO2SSM\McciTrayApp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programy\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Programy\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Programy\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Programy\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Programy\\uTorrent\\utorrent.exe"=
"c:\\Programy\\CyberLink\\PowerDVD9\\PowerDVD9\\PowerDVD Cinema\\PowerDVDCinema.exe"=
"c:\\Programy\\CyberLink\\PowerDVD9\\PowerDVD9\\PowerDVD9.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [13.10.2009 10:50 206256]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3.9.2009 10:09 685816]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 14:18 107256]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/04 16:10];c:\programy\CyberLink\PowerDVD9\PowerDVD9\000.fcl [28.2.2009 19:40 87536]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [27.10.2008 17:03 759072]
R2 ekrn;ESET Service;c:\programy\ESET\ESET Smart Security\ekrn.exe [9.4.2009 14:19 731840]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20.10.2009 19:19 50704]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [22.3.2006 16:33 826752]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [22.10.2009 17:42 4096]
R3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5\MARKFUN.W32 [3.9.2009 11:16 19776]
S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\documents and settings\All Users\Data aplikací\Spyware Terminator\sp_rsdrv2.sys --> c:\documents and settings\All Users\Data aplikací\Spyware Terminator\sp_rsdrv2.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programy\Spyware Doctor\pctsAuxs.exe [13.10.2009 10:50 348752]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
--- Ostatní služby/ovladače v paměti ---
*NewlyCreated* - MARKFUN_NT
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.cz.o2.com/welcome/cz/index.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Standík\Data aplikací\Mozilla\Firefox\Profiles\0wfnyxc3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz/
FF - plugin: c:\programy\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: c:\programy\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programy\Java\jre6\bin\new_plugin\npjp2.dll
---- NASTAVENÍ FIREFOXU ----
c:\programy\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKCU-Run-WEBTRAN - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 00:10
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
c:\documents and settings\Standík\Nabídka Start\Programy\Po spuštění\siszyd32.exe 34304 bytes executable
sken byl úspešně dokončen
skryté soubory: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89E4C1E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcfc3
\Driver\ACPI -> ACPI.sys @ 0xba67dcb8
\Driver\atapi -> 0x89e4c1e8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba4e5ba0
PacketIndicateHandler -> NDIS.sys @ 0xba4f2b21
SendHandler -> NDIS.sys @ 0xba4d087b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\programy\CyberLink\PowerDVD9\PowerDVD9\000.fcl"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(2828)
c:\documents and settings\All Users\Data aplikací\LangSoft\TrnOEH.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\programy\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\programy\Nero 8\Nero BackItUp\NBService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\program files\Gigabyte\ET5\GUI.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2009-12-29 00:13:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-12-28 23:13
Před spuštěním: Volných bajtů: 10 906 861 568
Po spuštění: Volných bajtů: 11 067 469 824
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
- - End Of File - - 8F784A3069DE749B37B63631C1494357