rundll32.exe vytazuje CPU

[miraslam]

tak OTP strajkuje...

ked tam vlozim skript a dam opravit, tak prestane pracovat...
skusila som restart a aj znova stiahnut na plochu....
a este mi pride divne, ze v logu vyskakuje stale IE, ked ja ho vobec nepouzivam...

mam robit dalsie kroky or cakam?

dik

[stell]

skus tento script

Kód: Vybrat vše

:OTL
SRV - [2010.04.12 17:29:29 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009.06.01 22:20:12 | 000,222,968 | ---- | M] () [Auto | Running] -- C:\Program Files\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2009.03.24 13:04:44 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009.02.03 16:34:28 | 000,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9860c8a847b7c) Google Update Service (gupdate1c9860c8a847b7c)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\gmer.sys -- (gmer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\MIROSL~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-442067760-3895052902-679195534-1006\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
:commands
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

[miraslam]

tak ne....nieco to zo zaciatku robilo... a potom to zase zamrzlo...
u tohoto
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =

to aj posledne....

[stell]

dobre,vynechaj otl-a pokracuj dalej,

[miraslam]

log z mbr

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B401D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86b401d0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


log z avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\atapi.sys|C:\Windows\System32\drivers\atapi.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


a ani special version Gmer neslape...zacal skenovat a potom prestal pracovat

[stell]

:Stiahnite si a uložte HelpAsst_mebroot_fix


2:Zatvorte všetky spustené programy a okná.
dvoj-kliknite na súbor spustite a postupujte podľa
pokynov na obrazovke
Ak nastroj zistí MBR infekcie, prosím,nechajte

bezat- povolte MBR -f
Vypnut pocitac a prosím počkajte asi 5 minút,

Zapnut pocitac-
Kliknite na Štart> Spustiť a zadajte nasledujúci

príkaz
helpasst -mbrt [Enter]
Pri skonceni,otvori sa log.
Prosím postnite obsah tu.

[miraslam]

co znamena bezat- povolte MBR -f ?

[stell]

spust program a uvidis-nechaj bezat program ak zisti infekciu

[miraslam]

to sa stalo...dvakrat chcel zmackut lubovolne tlacitko a tym to skoncilo...
tak to ma byt?

[stell]

ok,
klik start klik spustit a vloz prikaz
helpasst -mbrt [enter]

[miraslam]

C:\Documents and Settings\Miroslava - Slamená\Plocha\HelpAsst_mebroot_fix.exe
čt 15.07.2010 at 17:22:21,60

Could not determine language ~ no action taken on account ~ please consult noahdfear

00000405
U§ivatelsk‚ jm‚no HelpAssistant
Jm‚no a pýˇjmenˇ éźet pomoci vzd len‚ plochy
Koment ý éźet pro poskytov nˇ vzd len‚ pomoci.
Koment ý u§ivatele
SmŘrov‚ źˇslo zemŘ 000 (Věchozˇ syst‚mov‚ nastavenˇ)
éźet je aktivnˇ Ne
éźet vyprçel Nikdy

Heslo bylo naposledy nastaveno 12/21/2006 8:57 AM
Heslo vyprçˇ Nikdy
Heslo lze mŘnit 12/21/2006 8:57 AM
Heslo je vy§adov no Ano
U§ivatel smˇ mŘnit heslo Ne

Pracovnˇ stanice byla povolena Vçe
Pýihlaçovacˇ skript
Profil u§ivatele
Domovskě adres ý
Naposledy pýihl çen Nikdy

Povolen‚ pýihlaçovacˇ hodiny Vçe

¬lenstvˇ v mˇstnˇch skupin ch
¬lenstvˇ v glob lnˇch skupin ch *None
Pýˇkaz byl ŁspŘçnŘ dokonźen.


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on čt 15.07.2010 at 17:22:49,93

éźet je aktivnˇ Ne

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2DCC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86b2dcc0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

[stell]

MBR -f
teraz tento prikaz-
potom restartni pocitac a znova daj tento prikaz
helpasst -mbrt

log postni sem.

[miraslam]

C:\Documents and Settings\Miroslava - Slamená\Plocha\HelpAsst_mebroot_fix.exe
čt 15.07.2010 at 17:22:21,60

Could not determine language ~ no action taken on account ~ please consult noahdfear

00000405
U§ivatelsk‚ jm‚no HelpAssistant
Jm‚no a pýˇjmenˇ éźet pomoci vzd len‚ plochy
Koment ý éźet pro poskytov nˇ vzd len‚ pomoci.
Koment ý u§ivatele
SmŘrov‚ źˇslo zemŘ 000 (Věchozˇ syst‚mov‚ nastavenˇ)
éźet je aktivnˇ Ne
éźet vyprçel Nikdy

Heslo bylo naposledy nastaveno 12/21/2006 8:57 AM
Heslo vyprçˇ Nikdy
Heslo lze mŘnit 12/21/2006 8:57 AM
Heslo je vy§adov no Ano
U§ivatel smˇ mŘnit heslo Ne

Pracovnˇ stanice byla povolena Vçe
Pýihlaçovacˇ skript
Profil u§ivatele
Domovskě adres ý
Naposledy pýihl çen Nikdy

Povolen‚ pýihlaçovacˇ hodiny Vçe

¬lenstvˇ v mˇstnˇch skupin ch
¬lenstvˇ v glob lnˇch skupin ch *None
Pýˇkaz byl ŁspŘçnŘ dokonźen.


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on čt 15.07.2010 at 17:22:49,93

éźet je aktivnˇ Ne

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B2DCC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86b2dcc0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on źt 15.07.2010 at 17:35:43,95

éźet je aktivnˇ Ne

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B5EC40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86b5ec40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

[stell]

klik-start-klik-spustit-napis prikaz
devmgmt.msc ok
klik-zalozka zobrazit-preboduj,zobrazit skryte zarizeni-v zozname najdi-ovladace nepodporujuce plug/and play technologiu.-klik na znamienko +,a sprav screenshot,,tak aby som videl vsetky ovladace.

[miraslam]

je to v prilohe na dvakrat