
PC disinfection, computer speed-up, remote assistance via the neslape.cz service
rundll32.exe is maxing out the CPU
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that stay inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote assistance service, where an expert connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Re: rundll32.exe is maxing out the CPU
ComboFix log
ComboFix 10-07-07.02 - Miroslava - Slamená 09.07.2010 17:50:29.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.623 [GMT 2:00]
Spuštěný z: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-09 do 2010-07-09 )))))))))))))))))))))))))))))))
.
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 08:40 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 16:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 18:02
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B22790]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b22790
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2708)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 18:10:29 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 16:10
ComboFix2.txt 2010-07-08 13:44
ComboFix3.txt 2010-04-25 22:07
ComboFix4.txt 2010-04-25 13:30
Před spuštěním: Volných bajtů: 16 454 193 152
Po spuštění: Volných bajtů: 16 487 567 360
- - End Of File - - 1100335625E98B346ED5B0ADBDF7B154
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2708)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 18:10:29 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 16:10
ComboFix2.txt 2010-07-08 13:44
ComboFix3.txt 2010-04-25 22:07
ComboFix4.txt 2010-04-25 13:30
Před spuštěním: Volných bajtů: 16 454 193 152
Po spuštění: Volných bajtů: 16 487 567 360
- - End Of File - - 1100335625E98B346ED5B0ADBDF7B154
- Rudy
- Site Admin
- Posts: 119418
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: rundll32.exe is hogging the CPU
Try this:
Open Notepad and copy the following into it:

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Save it to the desktop as CFScript.txt, then drag it with the mouse onto the ComboFix icon and drop it. CF will start and execute the command from the script.

The problem is most likely the infected atapi.sys file, which needs to be overwritten. Avenger did not manage it, so we have to try other options.
Post questions and logs only in your own threads. Private messages, ICQ and e-mails are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: Before disinfecting your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activity, a virus can also damage the system!
Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reactivated, write to me at the e-mail address given above.
Re: rundll32.exe is hogging the CPU
Done, here is the log.
I would also like to ask, what does this mean in the log?
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false)
Thanks
ComboFix 10-07-07.02 - Miroslava - Slamená 09.07.2010 20:07:36.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.616 [GMT 2:00]
Spuštěný z: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-09 do 2010-07-09 )))))))))))))))))))))))))))))))
.
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 08:40 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 14:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 20:21
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2D758]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b2d758
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(3792)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 20:27:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 18:27
ComboFix2.txt 2010-07-09 16:10
ComboFix3.txt 2010-07-08 13:44
ComboFix4.txt 2010-04-25 22:07
ComboFix5.txt 2010-07-09 18:00
Před spuštěním: Volných bajtů: 16 480 235 520
Po spuštění: Volných bajtů: 16 470 114 304
- - End Of File - - C58AC7FC6E995D73DE20F93591F897E4
2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 20:21
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2D758]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b2d758
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(3792)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 20:27:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 18:27
ComboFix2.txt 2010-07-09 16:10
ComboFix3.txt 2010-07-08 13:44
ComboFix4.txt 2010-04-25 22:07
ComboFix5.txt 2010-07-09 18:00
Před spuštěním: Volných bajtů: 16 480 235 520
Po spuštění: Volných bajtů: 16 470 114 304
- - End Of File - - C58AC7FC6E995D73DE20F93591F897E4
- Rudy
- Site Admin
- Posts: 119418
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: rundll32.exe is maxing out the CPU
It is still holding out. Try this script as well:
If DaemonTools or any other drive-emulation program is installed on the PC, uninstall it.
KILLALL::
SRPeek::
c:\windows\system32\drivers\atapi.sys
RESTORE::
c:\windows\system32\drivers\atapi.sys
Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not the place for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: Before disinfecting your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Besides its "visible" activities, a virus can also damage the system!
Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reactivated, write to me at the e-mail address given above.
Re: rundll32.exe is maxing out the CPU
ComboFix 10-07-07.02 - Miroslava - Slamená 09.07.2010 21:16:31.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.625 [GMT 2:00]
Spuštěný z: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\atapi.sys . . . je infikován!!
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-09 do 2010-07-09 )))))))))))))))))))))))))))))))
.
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 08:40 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
c:\avenger\atapi.sys [x]
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082365.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 c:\combofix\atapi.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082289.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082758.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 c:\windows\system32\dllcache\atapi.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082253.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082883.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 c:\windows\system32\drivers\atapi.sys
[7] 9F3A2F5AA6875C72BF062C712CFA2674 96512 \RP722\A0082214.sys
[-] D47F5369F21883C5F93DA716C18C4A79 96512 \RP722\A0082859.sys
.
------- Sigcheck -------
[-] 2008-04-13 12:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 21:25
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86BAA6A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86baa6a8
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2912)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 21:33:16 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 19:33
ComboFix2.txt 2010-07-09 18:27
ComboFix3.txt 2010-07-09 16:10
ComboFix4.txt 2010-07-08 13:44
ComboFix5.txt 2010-07-09 19:08
Před spuštěním: Volných bajtů: 14 981 828 608
Po spuštění: Volných bajtů: 14 971 801 600
- - End Of File - - 08447FA0D1DF5DAAE569604B72E4BFCF
[-] D47F5369F21883C5F93DA716C18C4A79 96512 \RP722\A0082859.sys
.
------- Sigcheck -------
[-] 2008-04-13 12:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 21:25
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86BAA6A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86baa6a8
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2912)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-09 21:33:16 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-09 19:33
ComboFix2.txt 2010-07-09 18:27
ComboFix3.txt 2010-07-09 16:10
ComboFix4.txt 2010-07-08 13:44
ComboFix5.txt 2010-07-09 19:08
Před spuštěním: Volných bajtů: 14 981 828 608
Po spuštění: Volných bajtů: 14 971 801 600
- - End Of File - - 08447FA0D1DF5DAAE569604B72E4BFCF
- Rudy
- Site Admin
- Posts: 119418
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: rundll32.exe is hogging the CPU
It keeps coming back.
1. Turn off System Restore, restart the PC, and turn System Restore back on.
2. Download, install and run AVPTool: http://www.viry.cz/forum/viewtopic.php?f=29&t=58179 . Run a scan and let it disinfect everything it finds. Finally, post the log.
Post questions and logs only in your own threads. Private messages, ICQ and e-mails are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: Before disinfecting your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activities, a virus can damage the system!
Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reopened, write to me at the e-mail address above.
Re: rundll32.exe is hogging the CPU
Here is the log... it looks clean... though who knows.
Autoscan: completed 1 minute ago (events: 2, objects: 272723, time: 01:42:19)
10.7.2010 19:49:52 Task started
10.7.2010 21:32:11 Task completed
- Rudy
- Site Admin
- Posts: 119418
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: rundll32.exe is hogging the CPU
It is not clean; as ComboFix says, atapi.sys is infected.
Restart into Safe Mode and run CF with this script:
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
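The reasoning behind Rudy's reply can be reproduced as a small defender-side check: ComboFix's SR_Search and Sigcheck sections show that every cached copy of atapi.sys (dllcache, the System Restore copies in \RP722) shares one MD5, one restore-point copy differs, and the live driver in system32\drivers cannot even be opened, which is why the CFScript copies the clean ServicePackFiles copy over it. The script below is an added example, not ComboFix's code and not anything posted in this thread. The byte strings standing in for driver contents, the restore-point file names and the `read_copies` helper (which you would point at real paths on a Windows machine) are constructed assumptions; the reference hash is taken by majority vote across the readable copies, which is the same heuristic the scanner's `[7]`/`[-]` tags express.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data (hypothetical, not real driver contents): each entry
# stands for one copy of atapi.sys that a scanner compares. None models the
# live copy that the scanner reported as "COULD NOT OPEN FILE".
CLEAN_SAMPLE = b"atapi.sys clean sample bytes\x00" * 16
PATCHED_SAMPLE = CLEAN_SAMPLE[:-8] + b"\xde\xad\xbe\xef" * 2  # same size, altered tail

LIVE_DRIVER = r"c:\windows\system32\drivers\atapi.sys"
# Locations Windows XP keeps pristine copies in, in order of preference.
TRUSTED_SOURCES = (
    r"c:\windows\ServicePackFiles\i386\atapi.sys",
    r"c:\windows\system32\dllcache\atapi.sys",
)

SAMPLE_COPIES: Dict[str, Optional[bytes]] = {
    TRUSTED_SOURCES[0]: CLEAN_SAMPLE,
    TRUSTED_SOURCES[1]: CLEAN_SAMPLE,
    r"\RP722\A0082365.sys": CLEAN_SAMPLE,   # constructed restore-point copies
    r"\RP722\A0082289.sys": CLEAN_SAMPLE,
    r"\RP722\A0082859.sys": PATCHED_SAMPLE,  # the odd one out
    LIVE_DRIVER: None,                       # unreadable live driver
}


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 hex digest, the form ComboFix prints in SR_Search."""
    return hashlib.md5(data).hexdigest().upper()


def read_copies(paths: Iterable[str]) -> Dict[str, Optional[bytes]]:
    """Hypothetical helper: read real files; an unreadable file is recorded as None.

    On a live system a file that cannot be opened while the same path still
    boots the machine is itself a finding (a rootkit can hook the disk stack).
    """
    out: Dict[str, Optional[bytes]] = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                out[p] = fh.read()
        except OSError:
            out[p] = None
    return out


def assess_copies(copies: Dict[str, Optional[bytes]],
                  live_path: str = LIVE_DRIVER
                  ) -> Tuple[str, List[Tuple[str, str]], bool]:
    """Derive a reference hash by majority vote and flag every copy that deviates.

    Returns (reference_md5, findings, live_copy_ok) where findings is a sorted
    list of (path, "MISMATCH" | "UNREADABLE").
    """
    hashes = {p: (None if d is None else md5_hex(d)) for p, d in copies.items()}
    known = [h for h in hashes.values() if h is not None]
    if not known:
        raise ValueError("no readable copy to derive a reference hash from")
    reference = Counter(known).most_common(1)[0][0]
    findings: List[Tuple[str, str]] = []
    for path, h in sorted(hashes.items()):
        if h is None:
            findings.append((path, "UNREADABLE"))
        elif h != reference:
            findings.append((path, "MISMATCH"))
    live_ok = hashes.get(live_path) == reference
    return reference, findings, live_ok


def restore_source(copies: Dict[str, Optional[bytes]], reference: str,
                   trusted: Iterable[str] = TRUSTED_SOURCES) -> Optional[str]:
    """Pick the first trusted location whose copy matches the reference hash,
    i.e. the source an FCopy:: directive should take the clean driver from."""
    for p in trusted:
        d = copies.get(p)
        if d is not None and md5_hex(d) == reference:
            return p
    return None


if __name__ == "__main__":
    ref, findings, ok = assess_copies(SAMPLE_COPIES)
    print("reference MD5:", ref)
    for path, verdict in findings:
        print(f"{verdict:10} {path}")
    print("live driver matches reference:", ok)
    print("restore from:", restore_source(SAMPLE_COPIES, ref))
```

Run against real paths with `assess_copies(read_copies([...]))`; the restore-point copies live under System Volume Information and need administrative rights to read. A `MISMATCH` on a single restore-point file and `UNREADABLE` on the live driver is exactly the pattern in the log above, and `restore_source` picks the ServicePackFiles copy because it is listed first among the trusted locations.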
Re: rundll32.exe is hogging the CPU
OK, I would like to ask one more thing:
How do I turn off the AVG resident shield in Safe Mode? Is it even possible?
Thanks
Re: rundll32.exe is hogging the CPU
In the end I managed it even without help.
Posting the log:
ComboFix 10-07-07.02 - Miroslava - Slamená 11.07.2010 0:27.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.624 [GMT 2:00]
Spuštěný z: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-10 do 2010-07-10 )))))))))))))))))))))))))))))))
.
2010-07-10 21:06 . 2010-07-10 21:11 -------- d-----w- c:\documents and settings\Administrator.N-1A4A6D4869384
2010-07-09 20:21 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\13165962.sys
2010-07-09 20:21 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\1316596.sys
2010-07-09 20:21 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\13165961.sys
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 08:40 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Miroslava - Slamená\Nabídka Start\Programy\Po spuštění\
setup_9.0.0.722_09.07.2010_23-54.lnk - c:\documents and settings\Miroslava - Slamená\Plocha\Virus Removal Tool\setup_9.0.0.722_09.07.2010_23-54\startup.exe [2010-7-9 72208]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 13165962;13165962 Boot Guard Driver;c:\windows\system32\drivers\13165962.sys [9.7.2010 22:21 37392]
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 13165961;13165961;c:\windows\system32\drivers\13165961.sys [9.7.2010 22:21 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R1 setup_9.0.0.722_09.07.2010_23-54drv;setup_9.0.0.722_09.07.2010_23-54drv;c:\windows\system32\drivers\1316596.sys [9.7.2010 22:21 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 00:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B326D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b326d0
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(580)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-11 00:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 22:47
ComboFix2.txt 2010-07-09 19:33
ComboFix3.txt 2010-07-09 18:27
ComboFix4.txt 2010-07-09 16:10
ComboFix5.txt 2010-07-10 22:19
Pre-Run: 34,487,943,168 bytes free
Post-Run: 34,478,514,176 bytes free
- - End Of File - - 7E353BEF04F7EA6FF430AB129B6A915B

Posting the log.
ComboFix 10-07-07.02 - Miroslava - Slamená 11.07.2010 0:27.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.624 [GMT 2:00]
Running from: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.
2010-07-10 21:06 . 2010-07-10 21:11 -------- d-----w- c:\documents and settings\Administrator.N-1A4A6D4869384
2010-07-09 20:21 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\13165962.sys
2010-07-09 20:21 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\1316596.sys
2010-07-09 20:21 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\13165961.sys
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 08:40 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Miroslava - Slamená\Nabídka Start\Programy\Po spuštění\
setup_9.0.0.722_09.07.2010_23-54.lnk - c:\documents and settings\Miroslava - Slamená\Plocha\Virus Removal Tool\setup_9.0.0.722_09.07.2010_23-54\startup.exe [2010-7-9 72208]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 13165962;13165962 Boot Guard Driver;c:\windows\system32\drivers\13165962.sys [9.7.2010 22:21 37392]
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 13165961;13165961;c:\windows\system32\drivers\13165961.sys [9.7.2010 22:21 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R1 setup_9.0.0.722_09.07.2010_23-54drv;setup_9.0.0.722_09.07.2010_23-54drv;c:\windows\system32\drivers\1316596.sys [9.7.2010 22:21 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Contents of the 'Scheduled Tasks' folder
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 00:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B326D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b326d0
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(580)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-11 00:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 22:47
ComboFix2.txt 2010-07-09 19:33
ComboFix3.txt 2010-07-09 18:27
ComboFix4.txt 2010-07-09 16:10
ComboFix5.txt 2010-07-10 22:19
Pre-Run: 34,487,943,168 bytes free
Post-Run: 34,478,514,176 bytes free
- - End Of File - - 7E353BEF04F7EA6FF430AB129B6A915B
Rudy, Site Admin (posts: 119418, registered 30 Oct 2003 13:42, location: Plzeň)
Re: rundll32.exe is hogging the CPU
It is still hanging on. Try running TDSSKiller: http://support.kaspersky.com/downloads/ ... killer.zip . After running it, restart the PC, then repeat the ComboFix procedure and post its log here.
Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: before disinfecting the PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activity, a virus can also damage the system!
Once your problem is resolved, the thread will be locked, as it will be if it is inactive for more than 14 days. If you want the thread reopened, write to me at the e-mail address above.
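The two indicators that this reply is reacting to are already in the log above: the Gmer MBR detector reports that the atapi driver object dispatches to a raw address (\Driver\atapi -> 0x86b326d0) which also appears as >>UNKNOWN<< in the disk-read call chain, even though the MBR sectors themselves read clean ("user & kernel MBR OK"), and Sigcheck could hash the dllcache copy of atapi.sys but could not open the live copy under system32\drivers. The Python script below is an added example, not part of the original thread and not code from ComboFix, Gmer or TDSSKiller; it parses those two sections from a constructed excerpt of the log above and turns them into a triage verdict. The line layout it assumes for the Sigcheck and hook sections is only what is visible in this log; the field names and the verdict strings are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck and Gmer MBR-detector sections as
# they appear in the ComboFix log above, embedded so this runs offline.
SAMPLE_LOG = r"""
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B326D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b326d0
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# One Sigcheck row: [flag] date[ time] . hash . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<stamp>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.*?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
# One hook row: \Driver\<name> -> <module @ addr | bare addr>
HOOK_RE = re.compile(r"^(?P<obj>\\Driver\\\S+)\s+->\s+(?P<target>.+?)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
ADDR_ONLY_RE = re.compile(r"^0x[0-9A-Fa-f]+$")


def parse_sigcheck(lines):
    """Return {basename: {"dllcache"|"live": (hash_text, size)}} for each Sigcheck row."""
    table = defaultdict(dict)
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if not m:
            continue
        path = m["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        loc = "dllcache" if "\\dllcache\\" in path else "live"
        table[name][loc] = (m["hash"], int(m["size"]))
    return table


def parse_hooks(lines):
    """Return ([(driver_object, target_text)], [unknown caller addresses, lower-case])."""
    hooks, unknown = [], []
    for line in lines:
        u = UNKNOWN_RE.search(line)
        if u:
            unknown.append(u["addr"].lower())
        h = HOOK_RE.match(line)
        if h:
            hooks.append((h["obj"], h["target"]))
    return hooks, unknown


def triage(log_text):
    lines = log_text.splitlines()
    sig = parse_sigcheck(lines)
    hooks, unknown = parse_hooks(lines)
    findings = {
        "unreadable": [],          # live driver could not be hashed; a filter in the I/O path is one known cause
        "hash_mismatch": [],       # live driver readable but differs from its dllcache copy
        "unattributed_hooks": [],  # driver object dispatch points to an address in no loaded module
        "unknown_callers": unknown,
        "linked": [],              # unattributed hook address also seen as an UNKNOWN caller
        "mbr_sectors_ok": any(l.strip() == "user & kernel MBR OK" for l in lines),
        "detector_warning": any(l.startswith("Warning: possible MBR rootkit") for l in lines),
    }
    for name, locs in sig.items():
        live, ref = locs.get("live"), locs.get("dllcache")
        if live and live[0].startswith("!HASH"):
            findings["unreadable"].append(name)
        elif live and ref and live[0].upper() != ref[0].upper():
            findings["hash_mismatch"].append(name)
    for obj, target in hooks:
        if ADDR_ONLY_RE.match(target):
            findings["unattributed_hooks"].append((obj, target.lower()))
            if target.lower() in unknown:
                findings["linked"].append((obj, target.lower()))
    return findings


def verdict(findings):
    """'clean' only when nothing in the disk I/O path points outside known modules."""
    if findings["linked"] or findings["unattributed_hooks"] or findings["unknown_callers"]:
        return "suspect: unattributed code in the disk I/O path"
    if findings["unreadable"] or findings["hash_mismatch"]:
        return "suspect: driver file tampered or unreadable"
    return "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(verdict(result))
```

The point the verdict encodes is that "user & kernel MBR OK" on its own is not a clean bill of health: the detector compares the boot sector as read through the normal driver stack with a raw read, and here both agree, while the hook list still shows the atapi dispatch leaving every known module. That combination is why a dedicated kernel-level cleaner is the next step rather than another ComboFix pass.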
Re: rundll32.exe is hogging the CPU
OK, and should ComboFix be run in safe mode again, or normally?
Thanks.
Rudy, Site Admin (posts: 119418, registered 30 Oct 2003 13:42, location: Plzeň)
Re: rundll32.exe is hogging the CPU
miraslam wrote: OK, and should ComboFix be run in safe mode again, or normally?
Thanks.
You can run it in normal mode, but as far as indicating the problem goes it makes no difference.
Re: rundll32.exe is hogging the CPU
ComboFix 10-07-07.02 - Miroslava - Slamená 11.07.2010 11:48:00.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.631 [GMT 2:00]
Running from: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.
2010-07-10 21:06 . 2010-07-10 21:11 -------- d-----w- c:\documents and settings\Administrator.N-1A4A6D4869384
2010-07-09 20:21 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\13165962.sys
2010-07-09 20:21 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\1316596.sys
2010-07-09 20:21 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\13165961.sys
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 08:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Miroslava - Slamená\Nabídka Start\Programy\Po spuštění\
setup_9.0.0.722_09.07.2010_23-54.lnk - c:\documents and settings\Miroslava - Slamená\Plocha\Virus Removal Tool\setup_9.0.0.722_09.07.2010_23-54\startup.exe [2010-7-9 72208]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 13165962;13165962 Boot Guard Driver;c:\windows\system32\drivers\13165962.sys [9.7.2010 22:21 37392]
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 13165961;13165961;c:\windows\system32\drivers\13165961.sys [9.7.2010 22:21 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R1 setup_9.0.0.722_09.07.2010_23-54drv;setup_9.0.0.722_09.07.2010_23-54drv;c:\windows\system32\drivers\1316596.sys [9.7.2010 22:21 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 12:00
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B314A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b314a0
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2912)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-07-11 12:08:34 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-11 10:08
ComboFix2.txt 2010-07-10 22:47
ComboFix3.txt 2010-07-09 19:33
ComboFix4.txt 2010-07-09 18:27
ComboFix5.txt 2010-07-11 09:40
Před spuštěním: Volných bajtů: 34 358 808 576
Po spuštění: Volných bajtů: 34 349 129 728
- - End Of File - - A7BB6C2E1E7A0C483EBE040ADA1AB5E6
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.631 [GMT 2:00]
Spuštěný z: c:\documents and settings\Miroslava - Slamená\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Miroslava - Slamená\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-11 do 2010-07-11 )))))))))))))))))))))))))))))))
.
2010-07-10 21:06 . 2010-07-10 21:11 -------- d-----w- c:\documents and settings\Administrator.N-1A4A6D4869384
2010-07-09 20:21 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\13165962.sys
2010-07-09 20:21 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\1316596.sys
2010-07-09 20:21 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\13165961.sys
2010-07-08 21:16 . 2010-07-08 21:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-23 06:30 . 2010-06-23 06:30 -------- d-----w- c:\program files\iPod
2010-06-23 06:29 . 2010-06-23 06:31 -------- d-----w- c:\program files\iTunes
2010-06-23 06:24 . 2010-06-23 06:24 -------- d-----w- c:\program files\Bonjour
2010-06-15 11:20 . 2010-06-15 11:20 -------- d-----w- c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 21:18 . 2007-08-07 17:25 -------- d-----w- c:\program files\DivX
2010-07-07 12:13 . 2010-06-07 18:06 -------- d-----w- c:\program files\trend micro
2010-06-23 09:48 . 2006-09-16 00:43 83320 ----a-w- c:\windows\system32\perfc005.dat
2010-06-23 09:48 . 2006-09-16 00:43 439206 ----a-w- c:\windows\system32\perfh005.dat
2010-06-23 06:30 . 2008-01-30 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-06-20 09:04 . 2010-04-26 09:13 3532 ----a-w- C:\drmHeader.bin
2010-06-09 23:01 . 2008-11-20 19:19 45648 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-06-09 23:01 . 2008-02-20 16:01 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-06-09 23:01 . 2008-02-20 16:01 133616 ------w- c:\windows\system32\pxafs.dll
2010-06-03 16:13 . 2008-10-26 12:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 16:13 . 2008-02-28 15:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 20:29 . 2010-05-28 19:57 -------- d-----w- c:\program files\Olympus
2010-05-28 20:29 . 2006-09-15 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:35 . 2006-09-16 00:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2006-09-16 00:43 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:37 . 2010-04-24 21:37 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-24 21:37 . 2010-04-24 21:37 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-24 21:37 . 2010-04-24 21:37 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-20 05:32 . 2006-09-16 00:43 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-19 18:47 . 2009-03-24 20:32 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-19 18:47 . 2008-01-30 12:33 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-12 15:29 . 2010-04-19 19:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:22 . 2007-03-18 13:57 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 08:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"fscp"="c:\program files\AVC Finger-sensing Pad Driver\fscp.exe" [2006-08-31 995328]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-09-05 139264]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 45056]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\Miroslava - Slamen \Nabˇdka Start\Programy\Po spuçtŘnˇ\
setup_9.0.0.722_09.07.2010_23-54.lnk - c:\documents and settings\Miroslava - Slamen \Plocha\Virus Removal Tool\setup_9.0.0.722_09.07.2010_23-54\startup.exe [2010-7-9 72208]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2010-5-28 118784]
PHOTOfunSTUDIO -viewer-.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe [2008-12-25 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 09:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-12-25 22:24 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\12Voip.com\\12Voip\\12Voip.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 13165962;13165962 Boot Guard Driver;c:\windows\system32\drivers\13165962.sys [9.7.2010 22:21 37392]
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [14.1.2007 17:11 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [14.1.2007 17:11 5248]
R1 13165961;13165961;c:\windows\system32\drivers\13165961.sys [9.7.2010 22:21 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26.10.2008 14:07 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26.10.2008 14:07 242896]
R1 setup_9.0.0.722_09.07.2010_23-54drv;setup_9.0.0.722_09.07.2010_23-54drv;c:\windows\system32\drivers\1316596.sys [9.7.2010 22:21 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [14.3.2010 11:50 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [14.3.2010 11:51 308064]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [13.9.2007 11:31 9728]
R2 FspadSvc;FspadSvc;c:\program files\AVC Finger-sensing Pad Driver\fspadsvr.exe [16.9.2006 2:45 520704]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [24.7.2009 19:14 222968]
R3 fspad;AVC Finger-sensing Pad Driver for Windows 2000/XP;c:\windows\system32\drivers\fspad.sys [16.9.2006 2:45 22912]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [16.9.2006 2:45 217600]
S2 gupdate1c9860c8a847b7c;Google Update Service (gupdate1c9860c8a847b7c);c:\program files\Google\Update\GoogleUpdate.exe [3.2.2009 16:34 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 20:19 13592]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [14.12.2009 17:47 16512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26.12.2006 23:37 30192]
S3 ipw_bus;IPWireless;c:\windows\system32\drivers\ipw_bus.sys [13.9.2007 11:31 58320]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\windows\system32\drivers\ipw_mdfl.sys [13.9.2007 11:31 8272]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\windows\system32\drivers\ipw_mdm.sys [13.9.2007 11:31 95440]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [26.10.2008 12:04 27904]
.
Obsah adresáře 'Naplánované úlohy'
2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
2010-07-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-26 11:04]
2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 14:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.atlas.cz/?from=icqhp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Miroslava - Slamená\Data aplikací\Mozilla\Firefox\Profiles\jp5kr9xn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 12:00
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B314A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7337cb8
\Driver\atapi -> 0x86b314a0
\Driver\iaStor -> iaStor.sys @ 0xf7225b58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2912)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-11 12:08:34 - the computer was restarted
ComboFix-quarantined-files.txt 2010-07-11 10:08
ComboFix2.txt 2010-07-10 22:47
ComboFix3.txt 2010-07-09 19:33
ComboFix4.txt 2010-07-09 18:27
ComboFix5.txt 2010-07-11 09:40
Pre-Run: free bytes: 34 358 808 576
Post-Run: free bytes: 34 349 129 728
- - End Of File - - A7BB6C2E1E7A0C483EBE040ADA1AB5E6
- Rudy
- Site Admin
- Posts: 119418
- Registered: 30 Oct 2003 13:42
- Location: Plzeň
Re: rundll32.exe is hogging the CPU
The rootkit has now shown itself. Run CF once more with this script:
KillAll::
Collect::
c:\windows\system32\drivers\13165962.sys
c:\windows\system32\drivers\1316596.sys
c:\windows\system32\drivers\13165961.sys
Driver::
13165962
1316596
13165961
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not for solving your problems.
Please support our forum: https://platba.viry.cz/payment/.
e-mail: rudy(at)forum.viry.cz
Warning: Before cleaning your PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Besides its "visible" activity, a virus can also damage the system!
Once your problem is resolved the thread will be locked, as it will be if it stays inactive for more than 14 days. If you want the thread reopened, write to me at the e-mail address above.
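Two things in this thread are worth automating: reading the GMER "detected MBR rootkit hooks" block in the log above, where `\Driver\atapi -> 0x86b314a0` is the only entry whose dispatch target has no backing module and whose address is the same one GMER lists as `>>UNKNOWN [0x86B314A0]<<` under "called modules" (the pattern of a patched atapi.sys hosting a hidden driver, which is why Rudy's `FCopy::` line restores atapi.sys from ServicePackFiles); and checking, after that FCopy step, that the installed atapi.sys is really byte-identical to the reference copy. The script below is an added example, not part of the forum post and not code from ComboFix or GMER. The sample lines are copied from the log above; the regexes, function names and the `Driver` type are my own assumptions.

```python
"""Triage helpers for the GMER MBR-detector block of a ComboFix log.

Added example (not ComboFix/GMER code). Flags drivers whose hook target is a
bare kernel address with no module name, and compares a live driver file with
its reference copy by SHA-256.
"""
import hashlib
import re
from pathlib import Path

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B314A0]<<
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\\Driver\\ACPI -> ACPI.sys @ 0xf7337cb8
\\Driver\\atapi -> 0x86b314a0
\\Driver\\iaStor -> iaStor.sys @ 0xf7225b58
Warning: possible MBR rootkit infection !
"""

# "\Driver\X -> MODULE.sys @ 0xADDR"  or  "\Driver\X -> 0xADDR" (no module)
HOOK_RE = re.compile(
    r"^(\\Driver\\\S+)\s+->\s+(?:(\S+\.\w+)\s+@\s+)?(0x[0-9a-fA-F]+)\s*$"
)
# Address GMER could not attribute to any loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_hooks(log_text):
    """Return (driver, module_or_None, address) for every hook line."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group(1), m.group(2), m.group(3).lower()))
    return hooks


def unknown_module_addresses(log_text):
    """Addresses GMER marked as belonging to no known module."""
    return {addr.lower() for addr in UNKNOWN_RE.findall(log_text)}


def suspicious_hooks(log_text):
    """Hooks with no named module behind them, or pointing into the
    UNKNOWN region: these are the drivers worth collecting/replacing."""
    unknown = unknown_module_addresses(log_text)
    return [
        (driver, addr)
        for driver, module, addr in parse_hooks(log_text)
        if module is None or addr in unknown
    ]


def driver_digest(data):
    """SHA-256 of a driver image (bytes)."""
    return hashlib.sha256(data).hexdigest()


def driver_matches_reference(live_path, reference_path):
    """True when the installed driver is byte-identical to the reference
    copy, e.g. system32\\drivers\\atapi.sys vs ServicePackFiles\\i386\\atapi.sys.
    Run this from clean media or after the replacement: a rootkit that
    filters disk I/O can feed the running system a clean-looking file."""
    live = Path(live_path).read_bytes()
    ref = Path(reference_path).read_bytes()
    return driver_digest(live) == driver_digest(ref)


if __name__ == "__main__":
    for driver, addr in suspicious_hooks(SAMPLE_LOG):
        print(f"SUSPICIOUS: {driver} dispatches to {addr} with no backing module")
```

On a saved log, call `suspicious_hooks(Path("ComboFix.txt").read_text(errors="replace"))`; for this thread it returns only the atapi entry, which is exactly the driver the `FCopy::` line in the script replaces. The three numbered `.sys` files in `Collect::` are not visible in this log excerpt, so the parser does not try to guess them.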