
PC disinfection, computer speed-up, remote help via the neslape.cz service
Application initialization (c0000005) failed, etc.
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for understanding.
!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Hi,
I have a pile of problems and a few unpleasant symptoms :)
..."application initialization (c0000005) failed" pops up often
...NOD's resident shield found infections - Conficker (worm); Agent-NGA (trojan horse); Protector.I (virus)
...Significant slowdown of almost all applications
...Extremely long loading of the shortcuts in the "My Computer" folder; I don't see the DVD drives there - did the drivers get uninstalled?
...For a while I noticed that in Firefox YouTube videos caused an extreme slowdown (+ occasionally a message popped up about a script causing the slowdown), while in IE nothing similar happened; now, however, YouTube playback is (miraculously) smooth again
So far I haven't done anything myself (I only used CCleaner a few days ago, before things got worse)
I'm posting the HijackThis log
(and thanks a lot for the help):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:19:38, on 20.7.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
c:\apache\APACHE.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\apache\APACHE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\wuaucldt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\WINDOWS\sysinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dmsh32] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Local Settings\Data aplikací\dmsh32\dmsh32.dll", DllInit
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [syncman] c:\documents and settings\renata bučková\wuaucldt.exe
O4 - HKCU\..\Policies\Explorer\Run: [system] C:\WINDOWS\sys.exe
O4 - HKCU\..\Policies\Explorer\Run: [sysinit] C:\WINDOWS\sysinit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: srvklw32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} (CCTVUpdateInstall) - http://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43}: NameServer = 195.113.44.11,195.113.0.2
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Renata Bučková\Plocha\map-tram.gif
O24 - Desktop Component 2: iGoogle - http://www.google.com/ig
--
End of file - 9880 bytes
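The O4 (autostart) section of the log above is where a helper looks first: values under Run, under Policies\Explorer\Run, and items in the Startup folder. The script below is an added example for this thread; it is not HijackThis code and not part of the original post. It parses O4 lines and flags the entries worth a manual look using heuristics that are this example's own assumptions: an image sitting directly in the Windows directory or in the root of a user profile, a DLL loaded by rundll32 from config\systemprofile, use of the Policies\Explorer\Run key, the same value name registered under both HKLM and HKCU, a built-in admin tool such as regedit.exe set to autostart, and a bare file name with no path. A hit is a prompt to inspect the file, not a verdict. The sample input is the O4 lines copied from the posted log; for comparison, the ComboFix log posted further down lists c:\windows\system32\wuaucldt.exe and c:\windows\system32\sstray.exe among its deletions.

```python
"""Triage of HijackThis O4 (autostart) entries: an added example for this thread,
not HijackThis code and not part of the original posts. Every heuristic here is
an assumption of this example; a hit means "inspect", never "malware"."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the log posted above (one HKUS line
# kept to show the cross-hive check ignores per-user copies of a value).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dmsh32] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Local Settings\Data aplikací\dmsh32\dmsh32.dll", DllInit
O4 - HKCU\..\Run: [syncman] c:\documents and settings\renata bučková\wuaucldt.exe
O4 - HKCU\..\Policies\Explorer\Run: [system] C:\WINDOWS\sys.exe
O4 - HKCU\..\Policies\Explorer\Run: [sysinit] C:\WINDOWS\sysinit.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: srvklw32.exe
"""

# "O4 - <location>: [<value name>] <command>"; Startup-folder items carry no [name].
O4_RE = re.compile(r"^O4 - (?P<location>[^\[]+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
# Unquoted command: assume the image ends at the first executable-looking extension.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.I)


@dataclass
class Finding:
    location: str  # HKLM\..\Run, HKCU\..\Policies\Explorer\Run, Startup, ...
    name: str      # registry value name; '' for Startup-folder items
    exe: str       # launched image exactly as written in the log
    reasons: list  # why the entry deserves a manual look


def split_command(cmd: str) -> tuple[str, str]:
    """Return (image, arguments) for an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"') and (close := cmd.find('"', 1)) > 0:
        return cmd[1:close], cmd[close + 1:].strip()
    if m := EXE_RE.match(cmd):
        return m.group("exe"), (m.group("args") or "").strip()
    return cmd, ""


def judge(location: str, exe: str, args: str) -> list[str]:
    """Path and location heuristics (assumptions of this example, see docstring)."""
    reasons = []
    path = exe.lower().replace("/", "\\")
    parts = path.split("\\")
    base, directory = parts[-1], "\\".join(parts[:-1])
    if len(parts) == 1 and base != "rundll32.exe":
        reasons.append("bare file name: the load path depends on search order")
    if re.fullmatch(r"[a-z]:\\(windows|winnt)", directory):
        reasons.append("image directly in the Windows directory, not system32 or Program Files")
    if re.fullmatch(r"[a-z]:\\documents and settings\\[^\\]+", directory):
        reasons.append("image in the root of a user profile")
    if "\\config\\systemprofile\\" in path or "\\config\\systemprofile\\" in args.lower():
        reasons.append("loads from the SYSTEM account's profile (config\\systemprofile)")
    if "policies\\explorer\\run" in location.lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate installers")
    if base == "rundll32.exe" and args:
        reasons.append(f"rundll32 loading a DLL: {args}")
    if base in {"regedit.exe", "reg.exe", "cmd.exe"}:
        reasons.append("built-in admin tool registered as autostart")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse O4 lines; return the entries that hit at least one heuristic."""
    entries = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line.strip()):
            exe, args = split_command(m.group("cmd"))
            entries.append((m.group("location"), m.group("name") or "", exe, args))
    # Same value name under both HKLM and HKCU (per-user HKUS copies ignored).
    hives = {}
    for location, name, _, _ in entries:
        hive = location.split("\\")[0]
        if name and hive in ("HKLM", "HKCU"):
            hives.setdefault(name.lower(), set()).add(hive)
    findings = []
    for location, name, exe, args in entries:
        reasons = judge(location, exe, args)
        if name and len(hives.get(name.lower(), ())) > 1:
            reasons.append("same value name registered under both HKLM and HKCU")
        if reasons:
            findings.append(Finding(location, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"{f.location}: [{f.name}] {f.exe}", "->", "; ".join(f.reasons))
```

Run it on the sample and eight of the twelve entries come back: the two syncman values (same name under HKLM and HKCU, the HKCU copy living in the profile root), the two Policies\Explorer\Run items in C:\WINDOWS, the rundll32 DLL under systemprofile, the autostarted regedit.exe, and the two bare names sstray.exe and srvklw32.exe. ATIPTA, msnappau and both CTFMON.EXE values pass. The point of the design is that nothing here knows any malware name; it only asks where an autostart loads from and how it was registered, which is what a helper checks before deciding what to remove.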
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: Application initialization (c0000005) failed, etc.
hi
download ComboFix and save it to your desktop
then run the application under an account with administrator rights (not under an account with limited rights)
on Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator")
right after it starts, a screen with the licence terms appears; continue by clicking Yes:

next there may be a warning about your antivirus's resident shield and a notice that the Recovery Console is not installed; do not install it for now.
sit back and make yourself a coffee (the whole operation takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through); during the scan do not try to start any other applications or do anything else
do not panic during the scan, your machine may be restarted (especially on the first run of the scanner)
warning: if you use an antispyware with a resident shield, deactivate its resident shield, because during the scan and removal of any malware ComboFix collides with the antispyware resident in unwanted ways
after the restart the application creates a log saved at C:/Combofix.txt (on repeated runs the logs are named Combofix2.txt etc.); paste its contents here
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: Application initialization (c0000005) failed, etc.
here's the log:
ComboFix 10-07-19.02 - Renata Bučková 20.07.2010 19:30:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1535.1141 [GMT 2:00]
Running from: c:\documents and settings\Renata Bučková\Plocha\ComboFix.exe
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\daemon.dll
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\sstray.exe
c:\windows\system32\wuaucldt.exe
c:\windows\tempf.txt
c:\windows\usta33.ini
c:\windows\system32\drivers\cdrom.sys was missing.
Restored copy from - c:\windows\$NtUninstallKB952011$\cdrom.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.
2010-07-20 19:16 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-07-20 19:16 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-18 21:00 . 2010-07-18 21:00 -------- d-----w- c:\program files\CCleaner
2010-07-13 07:14 . 2010-07-13 07:16 -------- d-----w- c:\program files\Opera
2010-07-12 19:26 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 18:34 . 2010-07-20 19:20 540672 ----a-w- c:\windows\system32\drivers\enikfs.sys
2010-06-22 22:35 . 2010-06-22 22:35 -------- d-----w- C:\KBcertifikat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 17:04 . 2004-08-15 06:11 15238 ----a-w- c:\windows\system32\Tablet.dat
2010-07-20 16:47 . 2006-06-28 09:14 58365324 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-18 21:05 . 2004-08-31 14:44 -------- d-----w- c:\program files\Teleport Pro
2010-07-12 19:26 . 2004-08-17 10:19 -------- d-----w- c:\program files\Java
2010-06-18 21:39 . 2009-07-14 23:04 -------- d-----w- c:\program files\ICQ6.5
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-12-14 18:54 . 2008-12-14 18:54 16896 --sh--w- c:\windows\sysinit.exe
2004-08-20 21:43 . 2004-08-20 21:43 56 --sh--r- c:\windows\system32\743BA4FBD0.sys
2005-01-31 16:16 . 2005-01-31 16:16 56 --sh--r- c:\windows\system32\A3CFA2EC35.sys
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2008-03-29 20:32 . 2004-08-20 21:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((( Reg Loading Points From Registry )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2003-10-16 1356800]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2005-01-15 778240]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe" [2004-08-13 86016]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 61440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\
srvklw32.exe [2004-8-17 34304]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Renata Bučková\Plocha\map-tram.gif
FriendlyName=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WinProxy\\WinProxy.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6447:TCP"= 6447:TCP:lhoth
R2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 hawjzeb;Manager Support;c:\windows\system32\svchost.exe [2004-08-17 14336]
R2 PHPGeekUtil;PHPGeekUtil;c:\apache\APACHE.EXE [2002-01-25 20480]
R3 Aec3mts;Aec3mts; [x]
R3 RT2400;ASUS Wireless Driver;c:\windows\system32\DRIVERS\RT2400.sys [2003-09-26 51584]
R4 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys [2004-04-30 160640]
S0 a347scsi;a347scsi;c:\windows\System32\Drivers\a347scsi.sys [2004-04-30 5248]
S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys [2004-08-22 155136]
S0 d347prt;d347prt;c:\windows\System32\Drivers\d347prt.sys [2004-08-22 5248]
S0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2003-05-09 89749]
S0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-02-12 9600]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 1234480]
--- Other Services/Drivers In Memory ---
*Deregistered* - enikfs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hawjzeb
.
Contents of the 'Scheduled Tasks' folder
2010-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 08:12]
2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: imon.dll
TCP: {BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43} = 195.113.44.11,195.113.0.2
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Renata Bučková\Data aplikací\Mozilla\Firefox\Profiles\default.v4s\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.couchsurfing.org/index.html|http:// ... gle.com/ig
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKCU-Run-syncman - c:\documents and settings\renata bučková\wuaucldt.exe
HKLM-Run-nForce Tray Options - sstray.exe
HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
AddRemove-HijackThis - c:\documents and settings\Renata Bučková\Plocha\firefox download\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 21:18
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x89824CD0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> atapi.sys @ 0xf78857b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\enikfs]
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hawjzeb]
"ServiceDll"="c:\windows\system32\dimob.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2010-07-20 21:33:06
ComboFix-quarantined-files.txt 2010-07-20 19:32
Před spuštěním: 3 401 113 600
Po spuštění: 3 521 060 864
- - End Of File - - 2CED55AFE0DA9C412E26B219DDF45245
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed etc.
I haven't seen such a shitty machine in a long time..
Download TDSSKiller, unpack it into the folder C:\WINDOWS\system32\drivers and run it.
On Windows Vista and Windows 7, run the application as administrator (right-click the application icon and choose "Run as administrator").
The following window will appear:

The scan will run; at its end, if an infection is found, the following window will appear:

If you see the message "Close all programs and choose Y to restart or N to continue" on the last line, press the Y key and your machine will be restarted.
After the restart, run ComboFix again and post the log here afterwards.
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: application initialization (c0000005) failed etc.
hmm :) anyway, thanks for the ongoing help
riffman wrote: I haven't seen such a shitty machine in a long time..
After running TDSSKiller it went a bit non-standard... it immediately wanted to delete something: see the attached image... should I delete it?
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed etc.
Delete it, that has absolutely no business being there

Re: application initialization (c0000005) failed etc.
Killer ran through... log:
ComboFix 10-07-19.02 - Renata Bučková 22.07.2010 20:59:14.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1535.1127 [GMT 2:00]
Spuštěný z: c:\documents and settings\Renata Bučková\Plocha\ComboFix.exe
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-22 do 2010-07-22 )))))))))))))))))))))))))))))))
.
2010-07-21 07:22 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-21 07:22 . 2010-07-21 07:18 981780 ----a-w- c:\windows\system32\drivers\tdsskiller.zip
2010-07-20 19:16 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-07-20 19:16 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-18 21:00 . 2010-07-18 21:00 -------- d-----w- c:\program files\CCleaner
2010-07-13 07:14 . 2010-07-13 07:16 -------- d-----w- c:\program files\Opera
2010-07-12 19:26 . 2010-04-12 15:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-22 22:35 . 2010-06-22 22:35 -------- d-----w- C:\KBcertifikat
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 18:57 . 2004-08-15 06:11 15238 ----a-w- c:\windows\system32\Tablet.dat
2010-07-20 16:47 . 2006-06-28 09:14 58365324 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-18 21:05 . 2004-08-31 14:44 -------- d-----w- c:\program files\Teleport Pro
2010-07-12 19:26 . 2004-08-17 10:19 -------- d-----w- c:\program files\Java
2010-06-18 21:39 . 2009-07-14 23:04 -------- d-----w- c:\program files\ICQ6.5
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-12-14 18:54 . 2008-12-14 18:54 16896 --sh--w- c:\windows\sysinit.exe
2004-08-20 21:43 . 2004-08-20 21:43 56 --sh--r- c:\windows\system32\743BA4FBD0.sys
2005-01-31 16:16 . 2005-01-31 16:16 56 --sh--r- c:\windows\system32\A3CFA2EC35.sys
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2008-03-29 20:32 . 2004-08-20 21:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-07-20_19.20.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-22 18:57 . 2010-07-22 18:57 16384 c:\windows\Temp\Perflib_Perfdata_2cc.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2003-10-16 1356800]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2005-01-15 778240]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe" [2004-08-13 86016]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 61440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\
srvklw32.exe [2004-8-17 34304]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Renata Bučková\Plocha\map-tram.gif
FriendlyName=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WinProxy\\WinProxy.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6447:TCP"= 6447:TCP:lhoth
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [8.6.2005 17:26 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [28.12.2004 3:42 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [28.12.2004 3:42 5248]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [14.8.2004 16:52 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [14.8.2004 16:52 9600]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26.4.2007 10:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26.4.2007 10:21 72624]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26.4.2007 10:21 1234480]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7.1.2010 0:58 135664]
S2 hawjzeb;Manager Support;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 12:00 14336]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [25.1.2002 6:30 20480]
S3 Aec3mts;Aec3mts; [x]
S3 RT2400;ASUS Wireless Driver;c:\windows\system32\drivers\RT2400.sys [14.8.2004 15:37 51584]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [8.6.2005 17:26 160640]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hawjzeb
.
Obsah adresáře 'Naplánované úlohy'
2010-07-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 08:12]
2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: imon.dll
TCP: {BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43} = 195.113.44.11,195.113.0.2
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Renata Bučková\Data aplikací\Mozilla\Firefox\Profiles\default.v4s\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.couchsurfing.org/index.html|http:// ... gle.com/ig
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 21:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x8981A2F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> 0x891261b0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hawjzeb]
"ServiceDll"="c:\windows\system32\dimob.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2010-07-22 21:25:12
ComboFix-quarantined-files.txt 2010-07-22 19:24
ComboFix2.txt 2010-07-20 19:33
Pre-Run: 3 457 261 568
Post-Run: 3 446 272 000
- - End Of File - - A6A59A0839E62B62FCF9F22327892F0D
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed, etc.
Let's start deleting. The operation did run, but the junk is still there.
We'll do it in two steps.
Step 1:
Naughty wrote: download http://download.bleepingcomputer.com/sU ... etsvcs.zip , unpack it, run it, confirm any dialog boxes. Restart the PC.
Step 2:
If you have not done so yet, move ComboFix to the desktop.
Open Notepad.
Copy the script from the following box into it:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6447:TCP"=-
Driver::
hawjzeb
File::
c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\srvklw32.exe
Save the text file you created as CFScript.txt on the desktop.
Once saved, grab the script you created with the left mouse button, drag it onto the ComboFix icon and drop it there:
After it runs, another log should pop up; paste it here.
Warning: it is possible that Windows will not boot after the script is applied and the system restarts; in that case restart again, keep pressing F8 after the restart and choose Last Known Good Configuration.

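The two steps above come down to reading a handful of ComboFix sections and turning them into a CFScript. The Python script below is an added example (not part of this thread, and not ComboFix's or the moderator's code) that does the same thing mechanically: it parses the service list and the Svchost NetSvcs group, correlates the non-default hawjzeb service with its ServiceDll and with that file's hidden+system attributes from the Find3M report, picks up the disabled Windows Firewall, the globally open port and the executable in the Startup folder, and renders the same three-section CFScript the moderator posted. The sample input is excerpted from the log above; the regexes, the attribute-column positions and the Startup-folder detection are assumptions inferred from this log, not taken from ComboFix documentation.

```python
"""Triage a ComboFix log for the indicators acted on in this thread and emit a CFScript
in the moderator's layout. Added example, not ComboFix or forum code."""
import re

# Constructed sample: lines excerpted from the log posted above (order is irrelevant).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6447:TCP"= 6447:TCP:lhoth
c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\
srvklw32.exe [2004-8-17 34304]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7.1.2010 0:58 135664]
S2 hawjzeb;Manager Support;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 12:00 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hawjzeb
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hawjzeb]
"ServiceDll"="c:\windows\system32\dimob.dll"
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
"""

# Regexes assume the line layout seen in the log above.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]$")  # R2 name;display;image [..]
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')
# date . date size attributes path; in the attribute column 's' sits at index 2 and 'h'
# at index 3 ("--sha-r-"), inferred from this log rather than ComboFix documentation.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+([-a-z]{8})\s+(.+)$")
OPEN_PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\S+')
# Startup folder header, "Nabídka Start\Programy\Po spuštění" on Czech XP (assumption:
# the folder ComboFix lists this way directly under Programy/Programs is Startup).
STARTUP_DIR_RE = re.compile(r"\\(?:Programy|Programs)\\[^\\]+\\$")
STARTUP_ITEM_RE = re.compile(r"^(\S+\.(?:exe|dll|scr|com|bat|pif|vbs))\s+\[", re.I)


def triage(log_text):
    """Return a list of finding dicts ("kind" plus details) for the log text."""
    services, netsvcs, service_dlls, file_attrs = {}, set(), {}, {}
    open_ports, startup, firewall_disabled, current_key = [], [], False, None
    block = None  # "netsvcs" inside the NetSvcs list, or the Startup folder path
    for ln in (raw.strip() for raw in log_text.splitlines()):
        if block == "netsvcs" and ln not in ("", "."):
            netsvcs.add(ln)  # names here are non-default: ComboFix hides legit ones
            continue
        if block and block != "netsvcs" and (m := STARTUP_ITEM_RE.match(ln)):
            startup.append(block + m.group(1))
            continue
        block = None
        if ln.endswith("Svchost - NetSvcs"):
            block = "netsvcs"
        elif STARTUP_DIR_RE.search(ln):
            block = ln
        elif ln.startswith("[") and ln.endswith("]"):
            current_key = ln[1:-1]
        elif (m := SERVICE_RE.match(ln)):
            services[m.group(1)] = m.group(3)
        elif (m := SERVICEDLL_RE.match(ln)) and current_key:
            service_dlls[current_key.rsplit("\\", 1)[-1]] = m.group(1).lower()
        elif (m := FILE_RE.match(ln)):
            file_attrs[m.group(2).lower()] = m.group(1)
        elif (m := OPEN_PORT_RE.match(ln)) and (current_key or "").endswith("GloballyOpenPorts\\List"):
            open_ports.append((current_key, m.group(1)))
        elif ln.startswith('"EnableFirewall"=') and ln.split("=", 1)[1].strip().startswith("0"):
            firewall_disabled = True
    findings = []
    for name, image in services.items():  # non-default netsvcs service, correlated with its DLL
        if "svchost.exe -k netsvcs" in image.lower() and name in netsvcs:
            dll = service_dlls.get(name)
            findings.append({"kind": "netsvcs_service", "name": name, "dll": dll,
                             "hidden_system_dll": file_attrs.get(dll, "")[2:4] == "sh"})
    findings += [{"kind": "hidden_system_file", "path": p} for p, a in file_attrs.items() if a[2:4] == "sh"]
    findings += [{"kind": "firewall_disabled"}] if firewall_disabled else []
    findings += [{"kind": "open_port", "key": k, "value": v} for k, v in open_ports]
    findings += [{"kind": "startup_item", "path": p} for p in startup]
    return findings


def build_cfscript(findings):
    """Registry:: drops the value ("name"=-), Driver:: removes the service, File:: deletes
    the file; the ServiceDll is reported but, as in the moderator's script, not deleted."""
    reg, drivers, files = {}, [], []
    for f in findings:
        if f["kind"] == "open_port":
            reg.setdefault(f["key"], []).append(f["value"])
        elif f["kind"] == "netsvcs_service":
            drivers.append(f["name"])
        elif f["kind"] == "startup_item":
            files.append(f["path"])
    out = ["Registry::"] if reg else []
    for key, values in reg.items():
        out += ["[%s]" % key] + ['"%s"=-' % v for v in values]
    for title, items in (("Driver::", drivers), ("File::", files)):
        out += [title] + items if items else []
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```

Run as-is it prints the moderator's CFScript. On a real log, read every finding before dropping the file on ComboFix: the NetSvcs rule relies on ComboFix printing only non-default entries, and the hidden+system DLL is the payload to inspect, not something this script deletes for you.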
Re: application initialization (c0000005) failed, etc.
I'm sending the log after running the script, but it wasn't without complications: ComboFix threw up something to the effect that it has already expired and will run with limited functionality only (and then it made me click through "yes" once more in that pre-install software licence agreement)... I somehow hadn't noticed whether ComboFix is just a trial with some limited period of operation, but from this it almost seemed that way to me...?
ComboFix 10-07-19.02 - Renata Bučková 25.07.2010 13:37:36.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1535.1154 [GMT 2:00]
Running from: c:\documents and settings\Renata Bučková\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Renata Bučková\Plocha\CFScript.txt
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.
- REDUCED FUNCTIONALITY MODE -
FILE ::
"c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\srvklw32.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Renata Bučková\Nabídka Start\Programy\Po spuštění\srvklw32.exe
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-21 07:22 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-21 07:22 . 2010-07-21 07:18 981780 ----a-w- c:\windows\system32\drivers\tdsskiller.zip
2010-07-20 19:16 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-07-20 19:16 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-18 21:00 . 2010-07-18 21:00 -------- d-----w- c:\program files\CCleaner
2010-07-13 07:14 . 2010-07-13 07:16 -------- d-----w- c:\program files\Opera
2010-07-12 19:26 . 2010-06-22 02:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 11:26 . 2004-08-15 06:11 15238 ----a-w- c:\windows\system32\Tablet.dat
2010-07-25 10:29 . 2006-06-28 09:14 58370686 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-22 20:06 . 2004-08-17 10:12 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 19:58 . 2004-08-17 10:19 -------- d-----w- c:\program files\Java
2010-07-18 21:05 . 2004-08-31 14:44 -------- d-----w- c:\program files\Teleport Pro
2010-06-18 21:39 . 2009-07-14 23:04 -------- d-----w- c:\program files\ICQ6.5
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-12-14 18:54 . 2008-12-14 18:54 16896 --sh--w- c:\windows\sysinit.exe
2004-08-20 21:43 . 2004-08-20 21:43 56 --sh--r- c:\windows\system32\743BA4FBD0.sys
2005-01-31 16:16 . 2005-01-31 16:16 56 --sh--r- c:\windows\system32\A3CFA2EC35.sys
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2008-03-29 20:32 . 2004-08-20 21:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-07-20_19.20.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-25 11:26 . 2010-07-25 11:26 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
- 2010-07-12 19:26 . 2010-04-12 15:29 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\javaw.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\javaw.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\java.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\java.exe
+ 2010-07-22 20:06 . 2010-07-22 20:06 180224 c:\windows\Installer\1163d1.msi
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2003-10-16 1356800]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2005-01-15 778240]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe" [2004-08-13 86016]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Renata Bučková\Plocha\map-tram.gif
FriendlyName=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WinProxy\\WinProxy.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [8.6.2005 17:26 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [28.12.2004 3:42 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [28.12.2004 3:42 5248]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [14.8.2004 16:52 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [14.8.2004 16:52 9600]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26.4.2007 10:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26.4.2007 10:21 72624]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26.4.2007 10:21 1234480]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7.1.2010 0:58 135664]
S2 hawjzeb;Manager Support;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 12:00 14336]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [25.1.2002 6:30 20480]
S3 Aec3mts;Aec3mts; [x]
S3 RT2400;ASUS Wireless Driver;c:\windows\system32\drivers\RT2400.sys [14.8.2004 15:37 51584]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [8.6.2005 17:26 160640]
.
Contents of the 'Scheduled Tasks' folder
2010-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 08:12]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: imon.dll
Trusted Zone: mojebanka.cz\*
Trusted Zone: mojebanka.cz\*
TCP: {BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43} = 195.113.44.11,195.113.0.2
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Renata Bučková\Data aplikací\Mozilla\Firefox\Profiles\default.v4s\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.couchsurfing.org/index.html|http:// ... gle.com/ig
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 13:41
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x8981A2F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> 0x89176850
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hawjzeb]
"ServiceDll"="c:\windows\system32\dimob.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2010-07-25 13:46:23
ComboFix-quarantined-files.txt 2010-07-25 11:46
ComboFix2.txt 2010-07-22 19:25
ComboFix3.txt 2010-07-20 19:33
Před spuštěním: 3 573 997 568
Po spuštění: 3 599 081 472
- - End Of File - - 211B7F6F31372C63F20ED4B4C709898D
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed etc.
ugh... it's still not optimal...
download Avenger
on Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator")
paste the following text into the window named Input script here:

Drivers to delete:
hawjzeb

click Execute, and in the window that pops up confirm the prompt about running the script by clicking Yes:

you will then be rewarded with another little window telling you that the script has been set up for the next OS start; clicking the Yes button restarts the computer
after the restart the Avenger log will pop out at you, paste it here
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: application initialization (c0000005) failed etc.
in any case, after running the script with ComboFix there was already a huge difference in the computer's behaviour - all applications load faster, browsing directories is quick, which was torture before...
here is the optimistic-looking log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "hawjzeb" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed etc.
sooooo... and ComboFix once more, and I hope that beast won't be in there any more

Re: application initialization (c0000005) failed etc.
so:
ComboFix 10-07-19.02 - Renata Bučková 26.07.2010 2:32.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1535.1144 [GMT 2:00]
Spuštěný z: c:\documents and settings\Renata Bučková\Plocha\ComboFix.exe
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
- REŽIM S OMEZENOU FUNKČNOSTÍ -
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-26 do 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-21 07:22 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-21 07:22 . 2010-07-21 07:18 981780 ----a-w- c:\windows\system32\drivers\tdsskiller.zip
2010-07-20 19:16 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-07-20 19:16 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-18 21:00 . 2010-07-18 21:00 -------- d-----w- c:\program files\CCleaner
2010-07-13 07:14 . 2010-07-13 07:16 -------- d-----w- c:\program files\Opera
2010-07-12 19:26 . 2010-06-22 02:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 00:26 . 2004-08-15 06:11 15238 ----a-w- c:\windows\system32\Tablet.dat
2010-07-25 10:29 . 2006-06-28 09:14 58370686 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-22 20:06 . 2004-08-17 10:12 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 19:58 . 2004-08-17 10:19 -------- d-----w- c:\program files\Java
2010-07-18 21:05 . 2004-08-31 14:44 -------- d-----w- c:\program files\Teleport Pro
2010-06-18 21:39 . 2009-07-14 23:04 -------- d-----w- c:\program files\ICQ6.5
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-12-14 18:54 . 2008-12-14 18:54 16896 --sh--w- c:\windows\sysinit.exe
2004-08-20 21:43 . 2004-08-20 21:43 56 --sh--r- c:\windows\system32\743BA4FBD0.sys
2005-01-31 16:16 . 2005-01-31 16:16 56 --sh--r- c:\windows\system32\A3CFA2EC35.sys
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2008-03-29 20:32 . 2004-08-20 21:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-07-20_19.20.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 00:26 . 2010-07-26 00:26 16384 c:\windows\Temp\Perflib_Perfdata_4a4.dat
- 2010-07-12 19:26 . 2010-04-12 15:29 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\javaw.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\javaw.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\java.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\java.exe
+ 2010-07-22 20:06 . 2010-07-22 20:06 180224 c:\windows\Installer\1163d1.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2003-10-16 1356800]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2005-01-15 778240]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe" [2004-08-13 86016]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Renata Bučková\Plocha\map-tram.gif
FriendlyName=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WinProxy\\WinProxy.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [8.6.2005 17:26 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [28.12.2004 3:42 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [28.12.2004 3:42 5248]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [14.8.2004 16:52 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [14.8.2004 16:52 9600]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26.4.2007 10:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26.4.2007 10:21 72624]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26.4.2007 10:21 1234480]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7.1.2010 0:58 135664]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [25.1.2002 6:30 20480]
S3 Aec3mts;Aec3mts; [x]
S3 RT2400;ASUS Wireless Driver;c:\windows\system32\drivers\RT2400.sys [14.8.2004 15:37 51584]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [8.6.2005 17:26 160640]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 08:12]
2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: imon.dll
Trusted Zone: mojebanka.cz\*
Trusted Zone: mojebanka.cz\*
TCP: {BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43} = 195.113.44.11,195.113.0.2
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Renata Bučková\Data aplikací\Mozilla\Firefox\Profiles\default.v4s\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.couchsurfing.org/index.html|http:// ... gle.com/ig
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 02:35
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x8981A2F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> 0x88fb8340
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2010-07-26 02:40:55
ComboFix-quarantined-files.txt 2010-07-26 00:40
ComboFix2.txt 2010-07-25 11:46
ComboFix3.txt 2010-07-22 19:25
ComboFix4.txt 2010-07-20 19:33
Před spuštěním: 3 587 760 128
Po spuštění: 3 578 314 752
- - End Of File - - 7320B1914840CF7214952A937D703440
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: application initialization (c0000005) failed etc.
The first phase is definitely behind us, on to the second.
Download TDSSKiller, extract it into the folder C:\WINDOWS\system32\drivers and run it.
On Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator").
The following window will appear:
A scan will run; at its end, in case of infection, the following window will appear:
If you see the message "Close all programs and choose Y to restart or N to continue" on the last line, press the Y key and your machine will be restarted.
After the restart run Combofix again and post the log here.
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: application initialization (c0000005) failed etc.
So tdsskiller, it seems, didn't do anything... judging by the output it didn't delete anything during the run and didn't even ask for a restart; in any case I restarted, and combofix says:
ComboFix 10-07-19.02 - Renata Bučková 26.07.2010 23:56:47.5.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1535.1147 [GMT 2:00]
Spuštěný z: c:\documents and settings\Renata Bučková\Plocha\ComboFix.exe
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
- REŽIM S OMEZENOU FUNKČNOSTÍ -
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-26 do 2010-07-26 )))))))))))))))))))))))))))))))
.
2010-07-21 07:22 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-21 07:22 . 2010-07-21 07:18 981780 ----a-w- c:\windows\system32\drivers\tdsskiller.zip
2010-07-20 19:16 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-07-20 19:16 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-18 21:00 . 2010-07-18 21:00 -------- d-----w- c:\program files\CCleaner
2010-07-13 07:14 . 2010-07-13 07:16 -------- d-----w- c:\program files\Opera
2010-07-12 19:26 . 2010-06-22 02:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 21:41 . 2004-08-15 06:11 15238 ----a-w- c:\windows\system32\Tablet.dat
2010-07-25 10:29 . 2006-06-28 09:14 58370686 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-07-22 20:06 . 2004-08-17 10:12 -------- d-----w- c:\program files\Common Files\Java
2010-07-22 19:58 . 2004-08-17 10:19 -------- d-----w- c:\program files\Java
2010-07-18 21:05 . 2004-08-31 14:44 -------- d-----w- c:\program files\Teleport Pro
2010-06-18 21:39 . 2009-07-14 23:04 -------- d-----w- c:\program files\ICQ6.5
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-12-14 18:54 . 2008-12-14 18:54 16896 --sh--w- c:\windows\sysinit.exe
2004-08-20 21:43 . 2004-08-20 21:43 56 --sh--r- c:\windows\system32\743BA4FBD0.sys
2005-01-31 16:16 . 2005-01-31 16:16 56 --sh--r- c:\windows\system32\A3CFA2EC35.sys
2007-04-16 15:54 . 2002-09-20 16:04 165417 --sha-r- c:\windows\system32\dimob.dll
2008-03-29 20:32 . 2004-08-20 21:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-07-20_19.20.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 21:41 . 2010-07-26 21:41 16384 c:\windows\Temp\Perflib_Perfdata_184.dat
- 2010-07-12 19:26 . 2010-04-12 15:29 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 153376 c:\windows\system32\javaws.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\javaw.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\javaw.exe
+ 2010-07-22 19:58 . 2010-06-22 02:36 145184 c:\windows\system32\java.exe
- 2010-07-12 19:26 . 2010-04-12 15:29 145184 c:\windows\system32\java.exe
+ 2010-07-22 20:06 . 2010-07-22 20:06 180224 c:\windows\Installer\1163d1.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Renata Bučková\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2003-10-16 1356800]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2005-01-15 778240]
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe" [2004-08-13 86016]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-26 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Renata Bučková\Plocha\map-tram.gif
FriendlyName=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WinProxy\\WinProxy.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [8.6.2005 17:26 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [28.12.2004 3:42 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [28.12.2004 3:42 5248]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [14.8.2004 16:52 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [14.8.2004 16:52 9600]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26.4.2007 10:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26.4.2007 10:21 72624]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26.4.2007 10:21 1234480]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7.1.2010 0:58 135664]
S2 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [25.1.2002 6:30 20480]
S3 Aec3mts;Aec3mts; [x]
S3 RT2400;ASUS Wireless Driver;c:\windows\system32\drivers\RT2400.sys [14.8.2004 15:37 51584]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [8.6.2005 17:26 160640]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 08:12]
2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: imon.dll
Trusted Zone: mojebanka.cz\*
Trusted Zone: mojebanka.cz\*
TCP: {BC5AA624-4FE8-400F-B97D-0AAEEE9D4C43} = 195.113.44.11,195.113.0.2
Handler: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - c:\program files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\Renata Bučková\Data aplikací\Mozilla\Firefox\Profiles\default.v4s\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.couchsurfing.org/index.html|http:// ... gle.com/ig
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 00:00
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll >>UNKNOWN [0x8981A2F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> 0x890ada08
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0004
ParseProcedure -> ntoskrnl.exe @ 0x8056f00e
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2010-07-27 00:05:15
ComboFix-quarantined-files.txt 2010-07-26 22:05
ComboFix2.txt 2010-07-26 00:41
ComboFix3.txt 2010-07-25 11:46
ComboFix4.txt 2010-07-22 19:25
ComboFix5.txt 2010-07-26 21:52
Před spuštěním: 3 553 677 312
Po spuštění: 3 540 267 008
- - End Of File - - A41CEE234B9DA75CF0230D7782911BD9