Nainstaloval jsem ten Combofix, tak tady je log.
Prosím pomozte mi. Jsem si jistej, že sem včera chytil nějakej rootkit
Za poslední 3 měsíce sem kvůli němu reinstaloval compa snad čtyrykrát.
Díky moc za rady. Sem už z toho zoufalej..
ComboFix 10-05-16.02 - Ladik 17.05.2010 17:54:47.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.420.1029.18.1022.508 [GMT 2:00]
Spuštěný z: c:\documents and settings\Ladik\Dokumenty\Stažené soubory\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100516-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AskSearch\bin\DeFAultsearch.dll
c:\windows\Uninstall.ini
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-17 do 2010-05-17 )))))))))))))))))))))))))))))))
.
2010-05-17 08:25 . 2005-02-25 02:34 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-05-17 08:24 . 2010-05-17 08:25 -------- d--h--w- c:\windows\$hf_mig$
2010-05-13 12:57 . 2010-05-13 12:57 -------- d-----w- c:\program files\Google
2010-05-12 23:55 . 2004-08-18 18:00 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-05-12 23:55 . 2004-08-18 18:00 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 11:44 . 2005-04-13 10:38 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-09 08:14 . 2005-04-13 09:45 70794 ----a-w- c:\windows\system32\perfc005.dat
2010-05-09 08:14 . 2005-04-13 09:45 394400 ----a-w- c:\windows\system32\perfh005.dat
2010-04-29 13:39 . 2010-03-23 14:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-03-23 14:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 21:39 . 2010-04-16 21:39 -------- d-----w- c:\program files\BSplayer
2010-04-16 21:33 . 2010-04-16 21:33 -------- d-----w- c:\program files\VLC
2010-04-06 18:26 . 2010-04-06 18:26 -------- d-----w- c:\program files\ICQ6Toolbar
2010-04-06 18:26 . 2010-04-06 18:26 -------- d-----w- c:\program files\ICQ7.1
2010-03-27 17:50 . 2005-04-13 09:57 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-27 17:50 . 2005-04-13 09:57 2378 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-03-27 17:49 . 2005-04-13 09:57 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-03-27 15:28 . 2010-03-27 15:28 -------- d-----w- c:\program files\BitTorrent
2010-03-27 15:28 . 2010-03-27 15:28 -------- d-----w- c:\program files\AskSearch
2010-03-27 15:28 . 2010-03-27 15:28 -------- d-----w- c:\program files\AskBarDis
2010-03-25 08:33 . 2010-03-25 08:33 -------- d-----w- c:\program files\Notepad++
2010-03-25 08:11 . 2010-03-25 08:11 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-25 08:11 . 2010-03-25 08:11 -------- d-----w- c:\program files\Macromedia
2010-03-23 14:22 . 2010-03-23 14:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-23 14:20 . 2010-03-23 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 12:18 . 2010-03-22 12:18 -------- d-----w- c:\program files\Microsoft Works
2010-03-22 12:17 . 2010-03-22 12:17 -------- d-----w- c:\program files\MSBuild
2010-03-22 12:16 . 2010-03-22 12:16 -------- d-----w- c:\program files\Microsoft.NET
2010-03-22 12:14 . 2010-03-22 12:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-03-22 11:34 . 2010-03-22 11:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-21 17:00 . 2010-03-21 17:00 -------- d-----w- c:\program files\totalcmd
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 15:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-07 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-18 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-03-28 188416]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-03-24 2880512]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-09-05 319488]
"eRecoveryService"="c:\program files\Acer\eRecovery\Monitor.exe" [2005-06-29 352256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]
c:\documents and settings\Ladik\Nabˇdka Start\Programy\Po spuçtŘnˇ\
wwwzuc32.exe [2004-8-18 29184]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2010 1:33 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2010 1:33 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [6.4.2010 20:26 246520]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13.5.2010 14:57 136176]
.
Obsah adresáře 'Naplánované úlohy'
2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 12:57]
2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 12:57]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
TCP: {E8D8DDA6-767C-41FC-953A-C3BA29A34737} = 77.48.254.254,77.48.100.254
FF - ProfilePath - c:\documents and settings\Ladik\Data aplikací\Mozilla\Firefox\Profiles\yb329x6v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... 2.0.0.2&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 18:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-05-17 18:28:19
ComboFix-quarantined-files.txt 2010-05-17 16:28
Před spuštěním: Volných bajtů: 32 525 811 712
Po spuštění: Volných bajtů: 33 107 083 264
WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - F79FF38A86723746C98E827C5C4B11A8
mam poslat i ten posledni log?
Přispějete na provoz fóra?