PC disinfection, computer speed-up, remote help via the neslape.cz service

Strange PC behaviour

Don't have any problem with your PC right now and just want to make sure everything is fine?
Post an FRST or RSIT log.

Moderator: Moderators

Forum rules
If you want help, post an FRST log [guide here] or an RSIT log [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote assistance service, where an expert connects to your computer and gets the details of the problem from you by phone! More at www.neslape.cz
Message
Author
dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Strange PC behaviour

#1 Post by dinospages »

Hi advisors, I'm at a PC that supposedly behaves abnormally. I didn't find anything special on it; I cleaned it with CCleaner and ran a quick scan with Avast, and it found nothing:
I'm attaching an HJT log because RSIT can't be downloaded.

Reported problems:
On startup, after Windows loads and after logon, it restarts (sometimes 3 times in a row), or the picture is garbled (a red pattern of small squares); sometimes while working the icons disappear and it has to be restarted.
In Windows it never restarts by itself, it just freezes.




HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:28, on 10.5.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Webteh\BSplayer\bsplayer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
D:\games_images\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Chlupacek\Plocha\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qip.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by QIP.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Program Files\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Program Files\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Logitech . Registrace produktu.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Logitech . Registrace produktu.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'Default user')
O4 - Startup: Logitech . Registrace produktu.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BDARemote.lnk = C:\Program Files\USB TV\EM28XX\BDARemote.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 7741 bytes
_________________________________________________________________
RSIT | MWAV | CCleaner

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: Strange PC behaviour

#2 Post by dinospages »

I couldn't resist and risked ComboFix; I have to leave my friend's place. It found some rootkit, here is the log

ComboFix 10-05-10.02 - Chlupacek 10.05.2010 23:24:30.1.1 - x86
System Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.137 [GMT 2:00]
Run from: c:\documents and settings\Chlupacek\Plocha\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\qiPSearchbar.dll
c:\windows\TEMP\logishrd\LVPrcInj03.dll

.
((((((((((((((((((((((((( Files created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
.

2010-05-10 19:00 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-10 19:00 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-10 19:00 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-10 19:00 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-10 19:00 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-10 19:00 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-10 19:00 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-10 18:59 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-10 18:59 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-10 18:59 . 2010-05-10 18:59 -------- d-----w- c:\program files\Alwil Software
2010-05-10 18:57 . 2010-05-10 18:57 -------- d--h--r- c:\documents and settings\Chlupacek\Recent
2010-05-10 18:55 . 2010-05-10 18:55 -------- d-----w- c:\program files\CCleaner
2010-05-10 18:44 . 2010-05-10 18:49 -------- d-----w- c:\program files\SpeedFan
2010-05-10 18:42 . 2010-03-30 21:38 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-05-10 18:42 . 2010-05-10 18:42 -------- d-----w- c:\program files\CPUID
2010-05-10 10:01 . 2009-10-07 08:49 6756632 ----a-r- c:\windows\system32\drivers\lvuvc.sys
2010-05-10 10:01 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2RC.dll
2010-05-10 10:01 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2.dll
2010-05-10 10:01 . 2009-10-07 08:43 416280 ----a-r- c:\windows\system32\lvcodec2.dll
2010-05-10 10:00 . 2009-10-07 08:43 199192 ----a-w- c:\windows\system32\lvci12101110.dll
2010-05-10 10:00 . 2009-10-07 08:24 34068 ----a-r- c:\windows\system32\Repository.reg
2010-05-10 10:00 . 2009-10-07 08:47 266008 ----a-r- c:\windows\system32\drivers\lvrs.sys
2010-05-10 10:00 . 2009-10-07 08:46 114712 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
2010-05-10 10:00 . 2009-10-07 08:49 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2010-05-10 09:58 . 2010-05-10 15:49 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-05-10 09:58 . 2010-05-10 10:02 -------- d-----w- c:\program files\Logitech
2010-05-09 11:17 . 2010-05-09 11:17 -------- d-----w- c:\program files\Screamer Radio

.
(((((((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-10 21:30 . 2010-05-10 10:01 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-10 21:30 . 2010-05-10 10:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-10 21:29 . 2009-11-09 01:32 3407872 ---ha-w- c:\documents and settings\Chlupacek\NTUSER.DAT
2010-05-10 19:05 . 2009-11-09 01:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-27 05:21 . 2010-04-27 05:21 4096 ----a-w- c:\windows\system32\0A.tmp
2010-04-16 14:44 . 2010-03-14 13:32 -------- d-----w- c:\program files\Google
2010-04-13 19:25 . 2010-04-13 19:25 4096 ----a-w- c:\windows\system32\06.tmp
2010-04-10 16:09 . 2010-04-10 16:09 4096 ----a-w- c:\windows\system32\04.tmp
2010-03-28 10:05 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-03-28 10:05 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-03-27 17:51 . 2010-03-27 17:51 -------- d-----w- c:\program files\Common Files\Skype
2010-02-19 08:27 . 2010-02-19 08:27 4096 ----a-w- c:\windows\system32\01.tmp
2009-10-11 23:49 . 2009-11-09 16:12 1222901 ----a-w- c:\program files\Mv-2player_0.7.0_RC2.exe
2009-10-05 17:34 . 2009-12-25 13:58 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
2004-08-17 13:49 . 2004-08-17 13:49 171376 --sha-r- c:\windows\system32\zfscs.dll
.

------- Sigcheck -------

[-] 2008-07-16 . 21DC51B6D100B4C7691D07ECF3807444 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Registry start points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 65536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Chlupacek\Nabídka Start\Programy\Po spuštění\
Logitech . Registrace produktu.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]

c:\documents and settings\Chlupacek\Nabídka Start\Programy\Po spuštění\
Logitech . Registrace produktu.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]

c:\documents and settings\Chlupacek\Nabídka Start\Programy\Po spuštění\
Logitech . Registrace produktu.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-11-9 81997]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2009-11-9 561152]

c:\documents and settings\Chlupacek\Nabídka Start\Programy\Po spuštění\
Logitech . Registrace produktu.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\hry\\Age Of Empires 2 & The Conquerors Expansion - Full Game - [HUSSEY]\\age2_x1.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1792:TCP"= 1792:TCP:idqtb

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [9.11.2009 3:52 75904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.5.2010 21:00 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.5.2010 21:00 19024]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [10.5.2010 20:42 20968]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [3.12.2009 8:55 90112]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [27.12.2002 21:14 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [27.12.2002 21:14 98560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [3.12.2009 8:55 27632]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14.3.2010 15:32 135664]
S2 tmniqf;Time Universal;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 15:49 14336]
S3 lwyuu;lwyuu;c:\windows\system32\0A.tmp [27.4.2010 7:21 4096]
S3 rdqxhvqr;rdqxhvqr;c:\windows\system32\06.tmp [13.4.2010 21:25 4096]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2009 3:46 691696]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmniqf
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-05-10 c:\windows\Tasks\User_Feed_Synchronization-{D86302C7-5FB9-4534-A5C9-0264F768BFCD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chlupacek\Data aplikací\Mozilla\Firefox\Profiles\hl8kzupr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 23:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82005860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf859afc3
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> 0x82005860
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 -> SendCompleteHandler -> NDIS.sys @ 0xf8362bc3
PacketIndicateHandler -> NDIS.sys @ 0xf8350a0b
SendHandler -> NDIS.sys @ 0xf8364b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lwyuu]
"ImagePath"="\??\c:\windows\system32\0A.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdqxhvqr]
"ImagePath"="\??\c:\windows\system32\06.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmniqf]
"ServiceDll"="c:\windows\system32\zfscs.dll"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'explorer.exe'(3408)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\program files\Stardock\CursorFX\CurXP0.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other running processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Logitech\Logitech Vid\LU\LULnchr.exe
c:\program files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2010-05-10 23:32:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-10 21:32

Pre-Run: 4 341 223 424
Post-Run: 4 358 774 784

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B8A80F29F5012758B6AF33518D7892A4

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Strange PC behaviour

#3 Post by motji »

Good evening :)
There is still something left in there

- If it isn't there already, move ComboFix to the desktop
- open Notepad
- copy the text from this box into it

Code:


KillAll::

Driver::
rdqxhvqr
tmniqf
lwyuu

Netsvc::
tmniqf

Collect::
c:\windows\system32\zfscs.dll
c:\windows\system32\0A.tmp
c:\windows\system32\06.tmp
c:\windows\system32\04.tmp
c:\windows\system32\01.tmp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1792:TCP"=-

Extra::

DDS::
uStart Page = hxxp://www.daemon-search.com/startpage
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip


- save the TXT file you created as CFScript.txt on the desktop
- after saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, where you drop it:



- after it runs, another log will pop up; post it here

Warning: it can happen that after the script is applied and the computer restarts, Windows won't boot; in that case restart again, press F8 while it boots, and choose Last Known Good Configuration


- Download MBAM from my signature
- Install it and run a full scan

DO NOT DELETE ANYTHING!
- MBAM sometimes has false positives, so we will delete only after checking the log.
- Copy the log here.
Do not use COMBOFIX without an advisor's recommendation; it can damage the system!
Always back up important data before disinfecting a computer!
Want to support our forum? Information here

I'm reachable mostly at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
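The two posts above give the whole workflow: read the ComboFix log for the indicators (services lwyuu and rdqxhvqr whose image is a 4 KB .tmp file in system32; the tmniqf service hosted in the netsvcs svchost group, whose ServiceDll zfscs.dll carries system+hidden+read-only attributes; AntiVirusOverride=1 under the Security Center key; an extra GloballyOpenPorts entry with a random name), then write a CFScript that stops those services, collects the files and removes the firewall exception. The script below is an added example written for this page; it is not ComboFix, HijackThis or anything posted in the thread. It applies exactly those checks to SAMPLE_LOG, a constant constructed from lines copied out of the log above, and renders the matching CFScript. The regexes assume ComboFix's text layout as shown in the posts; they are not a general parser, and the two-hex-digit .tmp naming rule is specific to what this log shows.

```python
"""Triage a ComboFix log for the persistence patterns seen in this thread.
Added example: not ComboFix/HijackThis code and not from any post. SAMPLE_LOG is
constructed from lines copied out of the log above; the regexes assume ComboFix's
text layout (service lines, Find3M attribute strings, REGEDIT4-style dumps)."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
2010-04-27 05:21 . 2010-04-27 05:21 4096 ----a-w- c:\windows\system32\0A.tmp
2010-04-13 19:25 . 2010-04-13 19:25 4096 ----a-w- c:\windows\system32\06.tmp
2010-02-19 08:27 . 2010-02-19 08:27 4096 ----a-w- c:\windows\system32\01.tmp
2004-08-17 13:49 . 2004-08-17 13:49 171376 --sha-r- c:\windows\system32\zfscs.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1792:TCP"= 1792:TCP:idqtb
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.5.2010 21:00 162768]
S2 tmniqf;Time Universal;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 15:49 14336]
S3 lwyuu;lwyuu;c:\windows\system32\0A.tmp [27.4.2010 7:21 4096]
S3 rdqxhvqr;rdqxhvqr;c:\windows\system32\06.tmp [13.4.2010 21:25 4096]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmniqf
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmniqf]
"ServiceDll"="c:\windows\system32\zfscs.dll"
"""

# Find3M / "files created" lines: <date> . <date> <size> <attrs> <path>
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                     r" +(\d+) ([-a-z]{8}) (\S.*)$", re.M)
# Driver/service lines: <start type> <name>;<display name>;<image> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;\n]+);([^;\n]*);([^\n]+?) \[", re.M)
# Service key dump immediately followed by its ServiceDll value
SERVICEDLL_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\'
                           r'([^\]\n]+)\]\r?\n"ServiceDll"="([^"\n]+)"', re.M | re.I)
NETSVCS_RE = re.compile(r"Svchost - NetSvcs\r?\n((?:[^\s.\[(][^\n]*\n)+)")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.M)
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$', re.M)

@dataclass
class Finding:
    kind: str    # "driver": remove the service; "netsvc": also drop it from the NetSvcs list
    name: str
    path: str
    reason: str

@dataclass
class Report:
    findings: list = field(default_factory=list)
    collect: list = field(default_factory=list)     # files to quarantine / submit
    open_ports: list = field(default_factory=list)  # extra firewall exceptions
    av_override: bool = False                       # Security Center told to ignore AV state

def triage(text):
    files = {m.group(3).strip().lower(): m.group(2) for m in FILE_RE.finditer(text)}
    dlls = {n.lower(): d.lower() for n, d in SERVICEDLL_RE.findall(text)}
    m = NETSVCS_RE.search(text)
    netsvcs = {n.lower() for n in m.group(1).split()} if m else set()
    rep = Report(open_ports=[(int(p), proto) for p, proto in PORT_RE.findall(text)],
                 av_override=bool(AV_OVERRIDE_RE.search(text)))
    for _start, name, display, image in SERVICE_RE.findall(text):
        exe = image.split(" -k ")[0].strip().lower()
        if exe.endswith(".tmp"):
            # No legitimate driver or service runs from a .tmp file in system32.
            rep.findings.append(Finding("driver", name, exe, "image is a .tmp file"))
            rep.collect.append(exe)
        elif exe.endswith("svchost.exe") and name.lower() in netsvcs:
            dll = dlls.get(name.lower(), "")
            attrs = files.get(dll, "")   # e.g. "--sha-r-": system, hidden, archive, read-only
            if "s" in attrs and "h" in attrs:
                rep.findings.append(Finding("netsvc", name, dll,
                                            f"netsvcs-hosted '{display}' loads a hidden+system DLL"))
                rep.collect.append(dll)
    # Same two-hex-digit .tmp naming in system32, not (yet) referenced by a service.
    for path in files:
        if re.search(r"\\system32\\[0-9a-f]{2}\.tmp$", path) and path not in rep.collect:
            rep.collect.append(path)
    return rep

def build_cfscript(rep):
    """Render the findings in the CFScript layout used in this thread."""
    lines = ["KillAll::", "", "Driver::", *[f.name for f in rep.findings], "",
             "Netsvc::", *[f.name for f in rep.findings if f.kind == "netsvc"], "",
             "Collect::", *rep.collect]
    if rep.open_ports:
        lines += ["", "Registry::", r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List]",
                  *[f'"{port}:{proto}"=-' for port, proto in rep.open_ports]]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(*[f"[{f.kind}] {f.name}: {f.path} ({f.reason})" for f in r.findings],
          f"AntiVirusOverride={r.av_override} open_ports={r.open_ports}", build_cfscript(r), sep="\n")
```

Run as a script it prints the three flagged services, the AntiVirusOverride flag, the open port, and a CFScript whose Driver::, Netsvc::, Collect:: and Registry:: sections match what was hand-written in the post above. One signal in the log that no text parser can act on is the gmer section: "\Driver\atapi -> 0x82005860" and the ">>UNKNOWN [0x82005860]<<" entry mean the disk driver's dispatch now points into memory that no loaded module accounts for, even though "user & kernel MBR OK" says the on-disk MBR reads the same from both views. That is why removing the services and files is a first pass, to be followed by another scan, and not a final clean.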

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Strange PC behaviour

#4 Post by motji »

How are things looking here? :)

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: Strange PC behaviour

#5 Post by dinospages »

ComboFix 10-07-06.03 - Chlupacek 07.07.2010 10:08:59.2.1 - x86
System Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.330 [GMT 2:00]
Run from: c:\documents and settings\Chlupacek\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Chlupacek\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\01.tmp
file zipped: c:\windows\system32\04.tmp
file zipped: c:\windows\system32\06.tmp
file zipped: c:\windows\system32\0A.tmp
file zipped: c:\windows\system32\zfscs.dll
.

((((((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\01.tmp
c:\windows\system32\04.tmp
c:\windows\system32\06.tmp
c:\windows\system32\0A.tmp
c:\windows\system32\zfscs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMNIQF
-------\Service_lwyuu
-------\Service_rdqxhvqr
-------\Service_tmniqf


((((((((((((((((((((((((( Files created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-07 07:52 . 2010-07-07 07:51 389632 ----a-w- c:\windows\system32\CF3869.exe
2010-06-15 17:50 . 2010-07-07 07:41 -------- d--h--r- c:\documents and settings\Chlupacek\Recent

.
(((((((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 08:15 . 2010-05-10 10:01 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-07 08:15 . 2010-05-10 10:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-07 08:14 . 2009-11-09 01:32 3407872 ---ha-w- c:\documents and settings\Chlupacek\NTUSER.DAT
2010-06-21 18:19 . 2010-06-21 18:19 4096 ----a-w- c:\windows\system32\08.tmp
2010-06-14 08:53 . 2010-06-14 08:53 4096 ----a-w- c:\windows\system32\07.tmp
2010-05-29 19:36 . 2010-05-29 19:02 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-29 19:03 . 2010-05-29 19:03 -------- d-----w- c:\program files\directx
2010-05-21 05:46 . 2010-05-21 05:46 4096 ----a-w- c:\windows\system32\05.tmp
2010-05-19 14:54 . 2010-05-19 14:54 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-19 07:44 . 2010-03-14 13:32 -------- d-----w- c:\program files\Google
2010-05-16 18:16 . 2010-05-15 10:00 -------- d-----w- c:\program files\rajce
2010-05-12 15:32 . 2010-05-12 15:32 4096 ----a-w- c:\windows\system32\03.tmp
2010-05-10 21:35 . 2010-05-10 18:44 -------- d-----w- c:\program files\SpeedFan
2010-05-10 19:05 . 2009-11-09 01:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-10 18:59 . 2010-05-10 18:59 -------- d-----w- c:\program files\Alwil Software
2010-05-10 18:55 . 2010-05-10 18:55 -------- d-----w- c:\program files\CCleaner
2010-05-10 18:42 . 2010-05-10 18:42 -------- d-----w- c:\program files\CPUID
2010-05-10 15:49 . 2010-05-10 09:58 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-05-10 10:02 . 2010-05-10 09:58 -------- d-----w- c:\program files\Logitech
2010-05-09 11:17 . 2010-05-09 11:17 -------- d-----w- c:\program files\Screamer Radio
2010-04-14 16:47 . 2010-05-10 18:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-05-10 18:59 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-05-10 19:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-05-10 19:00 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-05-10 19:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-05-10 19:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-05-10 19:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-05-10 19:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-05-10 19:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-11 23:49 . 2009-11-09 16:12 1222901 ----a-w- c:\program files\Mv-2player_0.7.0_RC2.exe
2009-10-05 17:34 . 2009-12-25 13:58 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
.

------- Sigcheck -------

[-] 2008-07-16 . 21DC51B6D100B4C7691D07ECF3807444 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-10_21.30.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 08:16 . 2010-07-07 08:16 16384 c:\windows\temp\Perflib_Perfdata_4d0.dat
+ 2010-07-07 08:17 . 2010-07-07 08:17 16384 c:\windows\temp\Perflib_Perfdata_1f8.dat
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
+ 2010-07-07 08:16 . 2009-10-06 23:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2010-05-10 21:30 . 2009-10-06 23:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2004-01-06 07:43 . 2004-01-06 07:43 188416 c:\windows\system32\eax.dll
+ 2010-05-19 15:05 . 2010-05-19 15:05 254464 c:\windows\Installer\45b84a.msi
+ 2010-05-06 07:26 . 2010-05-06 07:26 1265664 c:\windows\Installer\805d5.msi
+ 2010-05-19 07:44 . 2010-05-19 07:44 1235968 c:\windows\Installer\1fc3d.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 65536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-11-9 81997]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2009-11-9 561152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\hry\\Age Of Empires 2 & The Conquerors Expansion - Full Game - [HUSSEY]\\age2_x1.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [9.11.2009 3:52 75904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.5.2010 21:00 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.5.2010 21:00 19024]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [10.5.2010 20:42 20968]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [3.12.2009 8:55 90112]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [27.12.2002 21:14 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [27.12.2002 21:14 98560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [3.12.2009 8:55 27632]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14.3.2010 15:32 135664]
S3 vjhwosq;vjhwosq;c:\windows\system32\05.tmp [21.5.2010 7:46 4096]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2009 3:46 691696]
.
Obsah adresáře 'Naplánované úlohy'

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-07-07 c:\windows\Tasks\User_Feed_Synchronization-{D86302C7-5FB9-4534-A5C9-0264F768BFCD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Doplňkový sken -------
.
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chlupacek\Data aplikací\Mozilla\Firefox\Profiles\hl8kzupr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 10:16
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81EAC0B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf859afc3
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> 0x81eac0b8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 -> SendCompleteHandler -> NDIS.sys @ 0xf8362bc3
PacketIndicateHandler -> NDIS.sys @ 0xf8350a0b
SendHandler -> NDIS.sys @ 0xf8364b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vjhwosq]
"ImagePath"="\??\c:\windows\system32\05.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(5520)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\Stardock\CursorFX\CurXP0.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Logitech\Logitech Vid\LU\LULnchr.exe
c:\program files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-07-07 10:19:28 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-07 08:19
ComboFix2.txt 2010-05-10 21:32

Před spuštěním: 2 573 905 920
Po spuštění: 2 658 504 704

- - End Of File - - 98D9257A2A2DC13747ABDE0D61080AD9
_________________________________________________________________
RSIT | MWAV | CCleaner

dinospages
Exemplary visitor
Posts: 240
Joined: 20 Jul 2006 11:33

Re: strange PC behaviour

#6 Post by dinospages »

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4287

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7.7.2010 10:41:23
mbam-log-2010-07-07 (10-41-23).txt

Typ skenu: Rychlý sken
Skenované objekty: 118787
Uplynulý čas: 5 minuta(y), 35 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 4

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\WINDOWS\system32\03.tmp (Worm.Conficker) -> No action taken.
C:\WINDOWS\system32\05.tmp (Worm.Conficker) -> No action taken.
C:\WINDOWS\system32\07.tmp (Worm.Conficker) -> No action taken.
C:\WINDOWS\system32\08.tmp (Worm.Conficker) -> No action taken.

motji
VIP
Posts: 23302
Joined: 23 Oct 2008 08:02

Re: strange PC behaviour

#7 Post by motji »

:arrow: Delete what MBAM found

:arrow: If it is not there already, move ComboFix to the desktop
-open Notepad
-copy the text from this box into it

Code:


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

Driver::
vjhwosq

Collect::
c:\windows\system32\05.tmp 

DDS::
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip

Firefox::
FF - ProfilePath - c:\documents and settings\Chlupacek\Data aplikací\Mozilla\Firefox\Profiles\hl8kzupr.default\
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=

-save the TXT file you created as CFScript.txt on the desktop
-after saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, then drop it there:

[Image]


-after it runs, another log will pop up; paste it here

Warning: it can happen that after applying the script and rebooting, Windows does not start; in that case restart again, press F8 while booting and choose Last Known Good Configuration


:arrow: Download OTM http://oldtimer.geekstogo.com/OTM.exe
Download OTM to the desktop, double-click OTM, the program will start,
Into the left pane "Paste Instructions for Items to be Moved", below the yellow line, copy the script

Code:

:processes
explorer.exe
 
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s

:commands
[emptytemp]
[EMPTYFLASH]
[Reboot]
-click the red MoveIt! button
-paste the contents of the green box here
-If the PC wants to restart, click YES; you will then find the log in C:\_OTM\MovedFiles. Paste the log here
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting a computer :!:
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can email me at Motji(at)forum.viry.cz.
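As an added example (not part of this thread and not ComboFix's own code), a small Python triage script that scans ComboFix-style log lines, constructed here from entries in the log above, for the items the helper's CFScript targets: a service whose image is a .tmp file in system32, the Security Center AntiVirusOverride, the disabled XP firewall, and search settings pointing at an unexpected host. The regexes and the list of expected search hosts are this example's own assumptions.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix tool).

Flags the kinds of entries the helper acted on in this thread:
  - a service (R*/S* line) whose image path is a .tmp file,
  - a non-zero *Override value under the Security Center key,
  - EnableFirewall = 0 under a firewallpolicy profile,
  - search/start-page settings whose host is not on an expected-host list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines lifted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.5.2010 21:00 162768]
S3 vjhwosq;vjhwosq;c:\windows\system32\05.tmp [21.5.2010 7:46 4096]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2009 3:46 691696]
uSearchAssistant = hxxp://search.qip.ru/ie
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
"""

# Hosts a search/start-page setting may point at without being flagged.
# This list is an assumption of the example, not a ComboFix rule.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com",
                         "www.seznam.cz", "search.seznam.cz"}

# "S3 name;display name;image path [date time size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
SEARCH_SETTING_RE = re.compile(
    r"(uSearchAssistant|uSearchURL|keyword\.URL|browser\.startup\.homepage|uStart Page)")
URL_RE = re.compile(r"hxxps?://\S+")  # ComboFix defangs http as hxxp


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def _reg_int(value: str) -> Optional[int]:
    """Parse 'dword:00000001' or '0 (0x0)' style values as they appear in the log."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries found in a ComboFix-style log."""
    findings: List[Finding] = []
    current_key = ""  # last REGEDIT4-style [key] header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            if image.lower().endswith(".tmp"):
                findings.append(Finding("service-tmp-image", f"{start} {name} -> {image}"))
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            n = _reg_int(value)
            if "security center" in current_key and name.lower().endswith("override") and n:
                findings.append(Finding("security-center-override", f"{name}={n}"))
            elif "firewallpolicy" in current_key and name.lower() == "enablefirewall" and n == 0:
                findings.append(Finding("firewall-disabled", current_key))
            continue
        if SEARCH_SETTING_RE.search(line):
            for url in URL_RE.findall(line):
                host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(Finding("search-hijack", f"{host} in: {line}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```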

dinospages
Exemplary visitor
Posts: 240
Joined: 20 Jul 2006 11:33

Re: strange PC behaviour

#8 Post by dinospages »

ComboFix 10-07-06.03 - Chlupacek 07.07.2010 15:01:05.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.327 [GMT 2:00]
Spuštěný z: c:\documents and settings\Chlupacek\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Chlupacek\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vjhwosq


((((((((((((((((((((((((( Soubory vytvořené od 2010-06-07 do 2010-07-07 )))))))))))))))))))))))))))))))
.

2010-07-07 08:30 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-07 08:30 . 2010-07-07 08:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-07 08:30 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-07 07:52 . 2010-07-07 07:51 389632 ----a-w- c:\windows\system32\CF3869.exe
2010-06-15 17:50 . 2010-07-07 12:53 -------- d--h--r- c:\documents and settings\Chlupacek\Recent

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 13:06 . 2010-05-10 10:01 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-07 13:06 . 2010-05-10 10:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-07 13:04 . 2009-11-09 01:32 3407872 ---ha-w- c:\documents and settings\Chlupacek\NTUSER.DAT
2010-05-29 19:36 . 2010-05-29 19:02 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-29 19:03 . 2010-05-29 19:03 -------- d-----w- c:\program files\directx
2010-05-19 14:54 . 2010-05-19 14:54 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-19 07:44 . 2010-03-14 13:32 -------- d-----w- c:\program files\Google
2010-05-16 18:16 . 2010-05-15 10:00 -------- d-----w- c:\program files\rajce
2010-05-10 21:35 . 2010-05-10 18:44 -------- d-----w- c:\program files\SpeedFan
2010-05-10 19:05 . 2009-11-09 01:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-10 18:59 . 2010-05-10 18:59 -------- d-----w- c:\program files\Alwil Software
2010-05-10 18:55 . 2010-05-10 18:55 -------- d-----w- c:\program files\CCleaner
2010-05-10 18:42 . 2010-05-10 18:42 -------- d-----w- c:\program files\CPUID
2010-05-10 15:49 . 2010-05-10 09:58 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-05-10 10:02 . 2010-05-10 09:58 -------- d-----w- c:\program files\Logitech
2010-05-09 11:17 . 2010-05-09 11:17 -------- d-----w- c:\program files\Screamer Radio
2010-04-14 16:47 . 2010-05-10 18:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 16:47 . 2010-05-10 18:59 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 16:35 . 2010-05-10 19:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 16:35 . 2010-05-10 19:00 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 16:31 . 2010-05-10 19:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 16:31 . 2010-05-10 19:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-14 16:31 . 2010-05-10 19:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-14 16:31 . 2010-05-10 19:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 16:30 . 2010-05-10 19:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-11 23:49 . 2009-11-09 16:12 1222901 ----a-w- c:\program files\Mv-2player_0.7.0_RC2.exe
2009-10-05 17:34 . 2009-12-25 13:58 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
.

------- Sigcheck -------

[-] 2008-07-16 . 21DC51B6D100B4C7691D07ECF3807444 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-10_21.30.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-07 13:07 . 2010-07-07 13:07 16384 c:\windows\temp\Perflib_Perfdata_d0.dat
+ 2010-07-07 13:06 . 2010-07-07 13:06 16384 c:\windows\temp\Perflib_Perfdata_468.dat
+ 2009-08-06 17:24 . 2009-08-06 17:24 44768 c:\windows\system32\wups2.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 35552 c:\windows\system32\wups.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-07-07 08:18 . 2009-08-06 17:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-17 13:49 . 2009-08-06 17:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-17 13:49 . 2009-08-06 17:24 96480 c:\windows\system32\cdm.dll
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-19 07:44 . 2010-05-19 07:44 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
- 2010-05-10 21:30 . 2009-10-06 23:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
+ 2010-07-07 13:06 . 2009-10-06 23:47 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 209632 c:\windows\system32\wuweb.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 327896 c:\windows\system32\wucltui.dll
+ 2009-11-09 01:24 . 2009-08-06 17:23 575704 c:\windows\system32\wuapi.dll
+ 2004-01-06 07:43 . 2004-01-06 07:43 188416 c:\windows\system32\eax.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2009-11-09 01:24 . 2009-08-06 17:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2009-11-09 01:24 . 2009-08-06 17:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2010-05-19 15:05 . 2010-05-19 15:05 254464 c:\windows\Installer\45b84a.msi
+ 2009-11-09 01:24 . 2009-08-06 17:23 1929952 c:\windows\system32\wuaueng.dll
+ 2009-11-09 01:24 . 2009-08-06 17:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-05-06 07:26 . 2010-05-06 07:26 1265664 c:\windows\Installer\805d5.msi
+ 2010-05-19 07:44 . 2010-05-19 07:44 1235968 c:\windows\Installer\1fc3d.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 65536]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-11-9 81997]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2009-11-9 561152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\hry\\Age Of Empires 2 & The Conquerors Expansion - Full Game - [HUSSEY]\\age2_x1.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [9.11.2009 3:52 75904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10.5.2010 21:00 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.5.2010 21:00 19024]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [10.5.2010 20:42 20968]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [3.12.2009 8:55 90112]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [27.12.2002 21:14 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [27.12.2002 21:14 98560]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [3.12.2009 8:55 27632]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14.3.2010 15:32 135664]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2009 3:46 691696]
.
Obsah adresáře 'Naplánované úlohy'

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 13:32]

2010-07-07 c:\windows\Tasks\User_Feed_Synchronization-{D86302C7-5FB9-4534-A5C9-0264F768BFCD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Doplňkový sken -------
.
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Chlupacek\Data aplikací\Mozilla\Firefox\Profiles\hl8kzupr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-07 15:06
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82008CB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf859afc3
\Driver\ACPI -> ACPI.sys @ 0xf84edcb8
\Driver\atapi -> 0x82008cb0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 -> SendCompleteHandler -> NDIS.sys @ 0xf8362bc3
PacketIndicateHandler -> NDIS.sys @ 0xf8350a0b
SendHandler -> NDIS.sys @ 0xf8364b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(5312)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\Stardock\CursorFX\CurXP0.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
.
------------------------ Other running processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Logitech\Logitech Vid\LU\LULnchr.exe
c:\program files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Time of completion: 2010-07-07 15:09:03 - the computer was rebooted
ComboFix-quarantined-files.txt 2010-07-07 13:09
ComboFix2.txt 2010-07-07 08:19
ComboFix3.txt 2010-05-10 21:32

Pre-Run: 2 557 825 024
Post-Run: 2 553 974 784

- - End Of File - - 7D5F30BDBE61012CE1D1D356FFB09469
_________________________________________________________________
RSIT | MWAV | CCleaner

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: strange PC behaviour

#9 Post by motji »

And the OTM log too :)
Do not use COMBOFIX without a helper's recommendation, it can damage the system!
Always back up important data before cleaning a computer :!:
Want to support our forum? Information here

I am usually reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: strange PC behaviour

#10 Post by dinospages »

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
File/Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\msdownld.tmp folder moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\Installer\MSI9B.tmp moved successfully.
C:\WINDOWS\Installer\MSIA8.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\07c90dcbdedfe16c2b58e68ce910936a\BIT13.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\15505cb3377485b4df4da28877082b16\BITD.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\2b718ee1d090bbb2c1fd360b48d9f6fa\BIT21.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\2fc4dec0729be72ede0de711a02133ed\BIT9.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\3c57ac844bfce4568180bf35adbaff1d\BIT1D.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\5098dd9035927e206645a10b773e39d3\BIT12.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\8573f895b9caebec15a2846b147c4acc\BITB.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\9434f38734605ee74bf380b05e9ff9a2\BIT10.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\98df63c725396df2d3ec6f45abce37f1\BIT14.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\a9de1b2071cad5998138befbe3b835b7\BIT1B.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\ae4ac74864a34bda5a1d4d2ed27ee4c8\BIT18.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\b063f356f9664bd7343d099ddfdac7fc\BIT16.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\b3ba0f7542150a0ff634f02bb11873ed\BIT13.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\b44c9002180e450d88cff54ce8e1390b\BIT20.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\b66048432d7341c70ef08a575b3c4ee7\BIT19.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\be21e799c4114ec3b7e78e2497c5dec7\BIT15.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\c7009c335500dda6e89a802c109fc30b\BIT17.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\cb0f38ed286b9b731b45e45765e59ca2\BIT1F.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\d19c7542001d3ac83634e213d52b0edb\BITD.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\db3e2bfd86d0eb6a08a6ca58444df0e3\BIT11.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\e2a232d55639014e09b06bb202e33806\BITF.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\f3146c7a92d8fac266514a452b7053fb\BIT1E.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\f5e3940b5bd958bd79ba427de6730940\BIT10.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\f92a703d430c20c560b87f46a8bc13ab\BIT11.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\fa5f3faa18dd78f73661bcbc7c66f517\BIT22.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\febfc82258e18b5699c0653f337b4c1d\BITF.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chlupacek
->Temp folder emptied: 6081 bytes
->Temporary Internet Files folder emptied: 5298268 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 89868473 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3530 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 109080 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 91,00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 07072010_165837

Files moved on Reboot...

Registry entries deleted on Reboot...

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: strange PC behaviour

#11 Post by motji »

:arrow: Click SVI in my signature and, following the guide, turn System Restore on and off,


:arrow: Download http://www.f-secure.com/v-descs/worm_w3 ... p_al.shtml

:arrow: disconnect from the internet and run the programs in Safe Mode (keep pressing F8 after the restart) and choose Safe Mode
- post the logs here


Download Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- unpack it and run it
- a scan will run; when it finishes, a window with the results opens, click Save to save the log, which you then post here

- Following the guide in that link, run the second scan and post that log here as well.

http://www.f-secure.com/v-descs/worm_w3 ... p_al.shtml



:arrow: Is there any other computer on the same network?

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: strange PC behaviour

#12 Post by dinospages »

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-07 18:55:50
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\CHLUPA~1\LOCALS~1\Temp\uwlirpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: strange PC behaviour

#13 Post by dinospages »

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-07 19:16:05
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\CHLUPA~1\LOCALS~1\Temp\uwlirpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2D6FC08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB2D6FAC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB2D70078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB2D6FFA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB2D6F69A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB2D6FB9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB2D6F5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB2D6F63E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB2D6FCBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB2D70146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB2D6FC7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB2D6FDFE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF80EE510]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[540] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[540] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 03EF1040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[540] USER32.dll!GetIconInfo 77D3E9A1 5 Bytes JMP 03EF1120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\Mozilla Firefox\firefox.exe[540] USER32.dll!DrawIconEx 77D3F38A 5 Bytes JMP 03EF11E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1212] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 10001040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1212] USER32.dll!GetIconInfo 77D3E9A1 5 Bytes JMP 10001120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\WINDOWS\Explorer.EXE[1212] USER32.dll!DrawIconEx 77D3F38A 5 Bytes JMP 100011E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1468] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 029B1040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1468] USER32.dll!GetIconInfo 77D3E9A1 5 Bytes JMP 029B1120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[1468] USER32.dll!DrawIconEx 77D3F38A 5 Bytes JMP 029B11E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\RocketDock\RocketDock.exe[1484] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 00F11040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\RocketDock\RocketDock.exe[1484] USER32.dll!GetIconInfo 77D3E9A1 5 Bytes JMP 00F11120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\RocketDock\RocketDock.exe[1484] USER32.dll!DrawIconEx 77D3F38A 5 Bytes JMP 00F111E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[1504] USER32.dll!SetPropW + 11B 77D3DECE 7 Bytes JMP 10031D10 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[1504] USER32.dll!SetWindowRgn + 2BD 77D4209D 7 Bytes JMP 10031C80 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[1504] USER32.dll!SetClipboardData + 259 77D60169 7 Bytes JMP 10031CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\DOCUME~1\CHLUPA~1\LOCALS~1\Temp\Rar$EX00.016\gmer.exe[3196] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 00C81040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\DOCUME~1\CHLUPA~1\LOCALS~1\Temp\Rar$EX00.016\gmer.exe[3196] USER32.dll!GetIconInfo 77D3E9A1 5 Bytes JMP 00C81120 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
.text C:\DOCUME~1\CHLUPA~1\LOCALS~1\Temp\Rar$EX00.016\gmer.exe[3196] USER32.dll!DrawIconEx 77D3F38A 5 Bytes JMP 00C811E0 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000
IAT C:\WINDOWS\Explorer.EXE[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00D32C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00D32CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00D32CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02BA2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02BA2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02BA2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02BA2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [04EA2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [04EA2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [04EA2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [04EA2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[1528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [0B812F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[1528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [0B812C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[1528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [0B812CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech Vid\vid.exe[1528] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [0B812CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 8200C448
Device \Driver\atapi \Device\Ide\IdePort0 8200C2B8
Device \Driver\atapi \Device\Ide\IdePort1 8200C2B8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 8200C2B8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8200C2B8
Device \Driver\Cdrom \Device\CdRom1 8200C448
Device \Driver\Cdrom \Device\CdRom2 8200C448

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\axvscsi \Device\Scsi\axvscsi1 8200B950
Device \Driver\axvscsi \Device\Scsi\axvscsi1Port3Path0Target0Lun0 8200B950
Device \Driver\axvscsi \Device\Scsi\axvscsi1Port3Path0Target1Lun0 8200B950

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xCA 0x51 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x92 0x9B 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x10 0x8E 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE2 0xCA 0x51 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x92 0x9B 0x83 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x10 0x8E 0x28 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Data aplikací\Alwil Software\Avast5\aswAr.run 0 bytes

---- EOF - GMER 1.0.15 ----
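A triage helper for the two hook listings in this thread (the Stealth MBR detector block inside the ComboFix log in post #8 and the GMER log in post #13), added here as an example; it is not a tool from the forum or from gmer.net, and the sample lines embedded in it are constructed to have the same shape as those logs, shortened. It groups every hook by the module that placed it, so the twelve aswSP.SYS SSDT hooks and the CursorFX and Logitech user-mode hooks collapse into a handful of vendors, and it flags what an analyst reads by hand: a hook whose target the tool could not attribute to any module (the services.exe IAT entries, the `\Driver\atapi -> 0x82008cb0` line that triggers the detector's warning), a module with a blank vendor string, and a module loaded from a temp directory. The flags are prompts for manual review, not verdicts; the field names and regexes are this example's own.

```python
"""Triage helper for hook listings from GMER 1.0.15 and from Gmer's Stealth
MBR rootkit detector.  Added example, not a tool from the forum or gmer.net.
The two sample logs are constructed in the shape of the posted ones."""
import re
from collections import Counter

# Constructed sample: SSDT, user-code (.text) and IAT lines as GMER prints them.
GMER_SAMPLE = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB2D6F5DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB2D6FC08]
.text C:\WINDOWS\Explorer.EXE[1212] USER32.dll!SetWindowPos 77D3C78E 5 Bytes JMP 10001040 C:\Program Files\Stardock\CursorFX\CurXP0.dll (CursorFX support DLL/ )
IAT C:\WINDOWS\Explorer.EXE[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
"""

# Constructed sample in the shape of the "Stealth MBR rootkit detector" block.
MBR_SAMPLE = r"""
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82008CB0]<<
\Driver\Disk -> CLASSPNP.SYS @ 0xf859afc3
\Driver\atapi -> 0x82008cb0
user & kernel MBR OK
"""

HOOK_KINDS = ('SSDT', '.text', 'IAT', 'EAT', 'INT', 'Code')
# "<module path> (<description>/<vendor>)": how GMER prints a resolved hook target.
MODULE_RE = re.compile(
    r'((?:[A-Za-z]:|\\SystemRoot)\\[^()\[\]]*?\.(?:dll|sys|exe))\s*\(([^)]*)\)', re.I)
TEMP_DIR_RE = re.compile(r'\\(temp|local settings\\temp)\\', re.I)


def hooked_function(line):
    """User-mode hooks name 'DLL!export'; SSDT hooks end in 'ZwXxx [0xADDR]'."""
    m = re.search(r'[A-Za-z0-9_]+\.dll!\w+', line, re.I)
    if m:
        return m.group(0)
    m = re.search(r'(\w+)\s+\[0x[0-9A-F]+\]\s*$', line, re.I)
    return m.group(1) if m else None


def parse_gmer_hooks(text):
    """One dict per hook line: kind, hooked function, hooking module, vendor, flags."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        kind = line.split(' ', 1)[0] if line else ''
        if kind not in HOOK_KINDS:
            continue
        targets = MODULE_RE.findall(line)   # the hooking module is printed last
        module = vendor = None
        flags = []
        if targets:
            module, desc = targets[-1]
            vendor = desc.rsplit('/', 1)[-1].strip()
            if not vendor:
                flags.append('no-vendor-string')
            if TEMP_DIR_RE.search(module):
                flags.append('temp-path')
        else:
            flags.append('unattributed')     # a bare address, no module to name
        hooks.append({'kind': kind, 'function': hooked_function(line),
                      'module': module, 'vendor': vendor, 'flags': flags})
    return hooks


def hooks_by_module(hooks):
    """Hook count per module; a few known vendors explaining every hook is the normal picture."""
    return Counter(h['module'] or '<unattributed>' for h in hooks)


def flagged(hooks):
    return [h for h in hooks if h['flags']]


def parse_mbr_detector(text):
    """Pull out what the MBR detector actually asserts: unknown callers in the disk
    stack, per-driver hooks with and without a module name, and the MBR verdict."""
    out = {'unknown_modules': [], 'attributed_hooks': {}, 'unattributed_hooks': {}, 'mbr_ok': False}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('called modules:'):
            out['unknown_modules'] = re.findall(r'>>UNKNOWN \[(0x[0-9A-F]+)\]<<', line, re.I)
        m = re.match(r'\\Driver\\(\w+) -> (.+)$', line)
        if m:
            driver, target = m.groups()
            if re.fullmatch(r'0x[0-9A-F]+', target, re.I):
                out['unattributed_hooks'][driver] = target
            else:
                out['attributed_hooks'][driver] = target.split(' @ ')[0]
        if line == 'user & kernel MBR OK':
            out['mbr_ok'] = True
    return out


if __name__ == '__main__':
    hooks = parse_gmer_hooks(GMER_SAMPLE)
    for module, n in hooks_by_module(hooks).most_common():
        print(f'{n:3d} hook(s) from {module}')
    for h in flagged(hooks):
        print(f'REVIEW {h["kind"]:5s} {h["function"]} <- {h["module"]} {h["flags"]}')
    print(parse_mbr_detector(MBR_SAMPLE))
```

Run it against a real GMER log by replacing the sample strings with the file contents; everything that is not an SSDT/.text/IAT/EAT/INT/Code line is ignored. On the full log above the grouping view is what supports the helper's "Gmer is OK" reading: every attributed hook belongs to avast, CursorFX, Logitech or Sony Ericsson software that also appears in the running-process lists, and the remaining flagged items are the ones to check by hand rather than evidence on their own.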

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: strange PC behaviour

#14 Post by motji »

Fine, Gmer is OK.

:arrow: Please also run this in Safe Mode
ftp://ftp.f-secure.com/anti-virus/tools ... wnadup.zip

And then report on the state of the computer :) .

dinospages
Exemplary visitor
Posts: 240
Registered: 20 Jul 2006 11:33

Re: strange PC behaviour

#15 Post by dinospages »

In Safe Mode I run f-downadup; it shows me that it is working,
but I don't know where I'm supposed to find that log now?? :(
