Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:33:47, on 5.7.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Olympus\ib\olycamdetect.exe
C:\Program Files\OpenOffice\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\QIP\qip.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJack\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource= ... =CT1750559
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Marhoul\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Marhoul\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Stáhnout odkaz s použitím BitCometu - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Stáhnout všechna videa s použitím BitCometu - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Stáhnout všechny odkazy s použitím BitCometu - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP\qip.exe (HKCU)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 8640 bytes
Log check ( bledulka-wav ) Solved
Re: log check ( bledulka-wav )
Hi,
so let's have a look at it, in case you have the new bootkit, which can do this.

Run the HJT program
- click the Do a system scan and save a logfile button
- A table will pop up; at the start of each row there is a checkbox.
- Put a tick in the checkbox for the rows I have marked
Code:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource= ... =CT1750559
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Marhoul\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Marhoul\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
- finally press the Fix checked button
**************************
Download ComboFix to your desktop - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Before using it, turn off all resident security programs - antivirus, firewalls, antispyware
- Close all active windows and run it under an account with administrator rights
- After starting, the terms of use are displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- When the scan is finished, a log C:\ComboFix.txt is created; copy its entire contents here.
Re: log check ( bledulka-wav )
ComboFix 10-07-04.04 - Marhoul 05.07.2010 21:16:59.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1566 [GMT 2:00]
Spuštěný z: c:\documents and settings\Marhoul\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\explorer.backup
c:\windows\system32\drivers\oreans32.sys
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_oreans32
-------\Service_oreans32
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-05 do 2010-07-05 )))))))))))))))))))))))))))))))
.
2010-07-05 18:32 . 2010-07-05 18:32 -------- d-----w- c:\program files\HiJack
2010-07-05 15:59 . 2009-03-26 23:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-07-05 15:59 . 2010-07-05 15:59 -------- d-----w- c:\program files\CPUID
2010-07-05 13:02 . 2010-07-05 13:02 -------- d-----w- c:\program files\URUSoft
2010-07-05 12:08 . 2010-07-05 12:10 -------- dc-h--w- c:\windows\ie8
2010-07-04 17:15 . 2010-07-04 17:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 16:15 . 2010-07-04 16:16 -------- d-----w- c:\program files\Realtek AC97
2010-07-03 13:43 . 2010-07-04 14:15 -------- d-----w- c:\program files\Nexus Radio
2010-07-03 13:43 . 2010-07-03 13:52 -------- d-----w- C:\My Saved Files
2010-07-03 11:27 . 2010-07-03 11:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-03 11:27 . 2010-07-03 11:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-03 11:27 . 2010-07-05 12:07 -------- d-s---w- c:\documents and settings\LocalService\Oblíbené položky
2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-01 08:50 . 2010-07-01 08:50 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-01 08:49 . 2010-07-05 12:03 -------- d-s---w- c:\documents and settings\NetworkService\Oblíbené položky
2010-07-01 08:49 . 2010-07-01 08:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-26 13:37 . 2010-06-27 07:31 -------- d-----w- c:\program files\Ray Adams
2010-06-20 17:40 . 2010-06-20 17:40 -------- d-----w- c:\windows\system32\AGEIA
2010-06-20 17:40 . 2010-06-20 17:41 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-20 14:52 . 2010-06-20 14:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-20 14:37 . 2010-06-20 14:37 -------- d-----w- c:\program files\ATI
2010-06-18 08:30 . 2010-06-18 08:35 -------- d-----w- c:\program files\CENZURA
2010-06-11 14:52 . 2010-07-04 14:15 -------- d-----w- c:\program files\NewFolder Software
2010-06-09 14:25 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 19:08 . 2009-07-13 12:36 -------- d-----w- c:\program files\JetAudio
2010-07-05 18:56 . 2009-07-13 13:40 -------- d-----w- c:\program files\BitComet
2010-07-05 07:46 . 2009-11-02 18:51 -------- d-----w- c:\program files\JDownloader
2010-07-04 16:16 . 2010-01-11 12:34 -------- d-----w- c:\program files\AvRack
2010-07-01 09:32 . 2009-07-13 11:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 19:59 . 2010-05-25 14:35 -------- d-----w- c:\program files\The KMPlayer
2010-06-24 12:38 . 2002-12-05 12:00 82552 ----a-w- c:\windows\system32\perfc005.dat
2010-06-24 12:38 . 2002-12-05 12:00 437832 ----a-w- c:\windows\system32\perfh005.dat
2010-06-20 17:20 . 2010-07-01 09:29 183426 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1029.dat
2010-06-20 14:37 . 2009-07-13 11:26 -------- d-----w- c:\program files\ATI Technologies
2010-06-20 14:27 . 2009-09-11 11:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-23 15:58 . 2010-05-23 15:58 -------- d-----w- c:\program files\VideoLAN
2010-05-20 09:27 . 2010-05-20 09:27 -------- d-----w- c:\program files\Olympus
2010-05-20 09:22 . 2010-05-20 09:22 -------- d-----w- c:\program files\DIFX
2010-05-06 10:35 . 2002-12-05 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2002-12-05 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2002-12-05 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.
------- Sigcheck -------
[-] 2008-04-14 . 13E794E5591776CBC71055A7B3CC1D5F . 976384 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 13E794E5591776CBC71055A7B3CC1D5F . 976384 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2002-12-05 . 11D80755545CFB5EB9659EE88440EAE2 . 1004544 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"Olympus ib"="c:\program files\Olympus\ib\olycamdetect.exe" [2010-02-04 93376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Marhoul\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15484:TCP"= 15484:TCP:BitComet 15484 TCP
"15484:UDP"= 15484:UDP:BitComet 15484 UDP
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13.7.2009 14:46 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.7.2009 14:46 20560]
R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [4.10.2009 15:03 2208]
S3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\system32\drivers\OlyCamComm.sys [20.5.2010 11:22 21648]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13.7.2009 13:51 721904]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-05 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-02-28 12:38]
.
.
------- Doplňkový sken -------
.
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout Star Downloaderem
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Marhoul\Data aplikací\Mozilla\Firefox\Profiles\j3odslaa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\npstar.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 21:30
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,c7,6c,d5,7c,67,f8,47,b2,ad,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,c7,6c,d5,7c,67,f8,47,b2,ad,07,\
[HKEY_USERS\S-1-5-21-1417001333-1580436667-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,1c,d3,4a,29,dc,c1,74,61,4c,9e,6f,87,7e,c2,80,aa,7d,58,88,2c,9c,a7,
d9,39,01,db,25,b7,49,8a,c3,56,75,26,23,17,18,3f,6d,3f,dd,e8,0d,a0,a5,4d,37,\
"??"=hex:b5,e1,85,ce,4a,00,cd,48,20,e8,12,c1,20,f2,1b,74
[HKEY_USERS\S-1-5-21-1417001333-1580436667-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e8,f0,67,9d,2a,45,24,5a,c0,e6,ec,63,99,87,08,e7,8d,3f,71,e3,3d,
d4,d2,19,dd,c3,6d,33,07,a9,bf,3d,02,d6,3e,45,21,36,d4,01,8a,2e,c7,be,d0,d9,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3104)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\SOUNDMAN.EXE
c:\program files\OpenOffice\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice\OpenOffice.org 3\program\soffice.bin
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Celkový čas: 2010-07-05 21:39:27 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-05 19:39
Před spuštěním: Volných bajtů: 23 331 115 008
Po spuštění: Volných bajtů: 23 594 885 120
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
- - End Of File - - 5D507D1E480C12103A19D67F8A4605EA
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1566 [GMT 2:00]
Spuštěný z: c:\documents and settings\Marhoul\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100705-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\explorer.backup
c:\windows\system32\drivers\oreans32.sys
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_oreans32
-------\Service_oreans32
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-05 do 2010-07-05 )))))))))))))))))))))))))))))))
.
2010-07-05 18:32 . 2010-07-05 18:32 -------- d-----w- c:\program files\HiJack
2010-07-05 15:59 . 2009-03-26 23:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-07-05 15:59 . 2010-07-05 15:59 -------- d-----w- c:\program files\CPUID
2010-07-05 13:02 . 2010-07-05 13:02 -------- d-----w- c:\program files\URUSoft
2010-07-05 12:08 . 2010-07-05 12:10 -------- dc-h--w- c:\windows\ie8
2010-07-04 17:15 . 2010-07-04 17:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 16:15 . 2010-07-04 16:16 -------- d-----w- c:\program files\Realtek AC97
2010-07-03 13:43 . 2010-07-04 14:15 -------- d-----w- c:\program files\Nexus Radio
2010-07-03 13:43 . 2010-07-03 13:52 -------- d-----w- C:\My Saved Files
2010-07-03 11:27 . 2010-07-03 11:27 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-03 11:27 . 2010-07-03 11:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-03 11:27 . 2010-07-05 12:07 -------- d-s---w- c:\documents and settings\LocalService\Oblíbené položky
2010-07-01 09:31 . 2010-07-01 09:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-01 08:50 . 2010-07-01 08:50 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-01 08:49 . 2010-07-05 12:03 -------- d-s---w- c:\documents and settings\NetworkService\Oblíbené položky
2010-07-01 08:49 . 2010-07-01 08:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-26 13:37 . 2010-06-27 07:31 -------- d-----w- c:\program files\Ray Adams
2010-06-20 17:40 . 2010-06-20 17:40 -------- d-----w- c:\windows\system32\AGEIA
2010-06-20 17:40 . 2010-06-20 17:41 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-20 14:52 . 2010-06-20 14:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-20 14:37 . 2010-06-20 14:37 -------- d-----w- c:\program files\ATI
2010-06-18 08:30 . 2010-06-18 08:35 -------- d-----w- c:\program files\CENZURA
2010-06-11 14:52 . 2010-07-04 14:15 -------- d-----w- c:\program files\NewFolder Software
2010-06-09 14:25 . 2010-05-06 10:35 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 19:08 . 2009-07-13 12:36 -------- d-----w- c:\program files\JetAudio
2010-07-05 18:56 . 2009-07-13 13:40 -------- d-----w- c:\program files\BitComet
2010-07-05 07:46 . 2009-11-02 18:51 -------- d-----w- c:\program files\JDownloader
2010-07-04 16:16 . 2010-01-11 12:34 -------- d-----w- c:\program files\AvRack
2010-07-01 09:32 . 2009-07-13 11:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-25 19:59 . 2010-05-25 14:35 -------- d-----w- c:\program files\The KMPlayer
2010-06-24 12:38 . 2002-12-05 12:00 82552 ----a-w- c:\windows\system32\perfc005.dat
2010-06-24 12:38 . 2002-12-05 12:00 437832 ----a-w- c:\windows\system32\perfh005.dat
2010-06-20 17:20 . 2010-07-01 09:29 183426 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1029.dat
2010-06-20 14:37 . 2009-07-13 11:26 -------- d-----w- c:\program files\ATI Technologies
2010-06-20 14:27 . 2009-09-11 11:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-23 15:58 . 2010-05-23 15:58 -------- d-----w- c:\program files\VideoLAN
2010-05-20 09:27 . 2010-05-20 09:27 -------- d-----w- c:\program files\Olympus
2010-05-20 09:22 . 2010-05-20 09:22 -------- d-----w- c:\program files\DIFX
2010-05-06 10:35 . 2002-12-05 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2002-12-05 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2002-12-05 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.
------- Sigcheck -------
[-] 2008-04-14 . 13E794E5591776CBC71055A7B3CC1D5F . 976384 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 13E794E5591776CBC71055A7B3CC1D5F . 976384 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2002-12-05 . 11D80755545CFB5EB9659EE88440EAE2 . 1004544 . . [6.00.2800.1106] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"Olympus ib"="c:\program files\Olympus\ib\olycamdetect.exe" [2010-02-04 93376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Marhoul\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15484:TCP"= 15484:TCP:BitComet 15484 TCP
"15484:UDP"= 15484:UDP:BitComet 15484 UDP
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13.7.2009 14:46 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.7.2009 14:46 20560]
R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [4.10.2009 15:03 2208]
S3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\system32\drivers\OlyCamComm.sys [20.5.2010 11:22 21648]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13.7.2009 13:51 721904]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-05 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-02-28 12:38]
.
.
------- Doplňkový sken -------
.
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout Star Downloaderem
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Marhoul\Data aplikací\Mozilla\Firefox\Profiles\j3odslaa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\npstar.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 21:30
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,c7,6c,d5,7c,67,f8,47,b2,ad,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8c,c7,6c,d5,7c,67,f8,47,b2,ad,07,\
[HKEY_USERS\S-1-5-21-1417001333-1580436667-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,1c,d3,4a,29,dc,c1,74,61,4c,9e,6f,87,7e,c2,80,aa,7d,58,88,2c,9c,a7,
d9,39,01,db,25,b7,49,8a,c3,56,75,26,23,17,18,3f,6d,3f,dd,e8,0d,a0,a5,4d,37,\
"??"=hex:b5,e1,85,ce,4a,00,cd,48,20,e8,12,c1,20,f2,1b,74
[HKEY_USERS\S-1-5-21-1417001333-1580436667-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e8,f0,67,9d,2a,45,24,5a,c0,e6,ec,63,99,87,08,e7,8d,3f,71,e3,3d,
d4,d2,19,dd,c3,6d,33,07,a9,bf,3d,02,d6,3e,45,21,36,d4,01,8a,2e,c7,be,d0,d9,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3104)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\SOUNDMAN.EXE
c:\program files\OpenOffice\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice\OpenOffice.org 3\program\soffice.bin
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Celkový čas: 2010-07-05 21:39:27 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-05 19:39
Před spuštěním: Volných bajtů: 23 331 115 008
Po spuštění: Volných bajtů: 23 594 885 120
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
- - End Of File - - 5D507D1E480C12103A19D67F8A4605EA
Re: log check ( bledulka-wav )
Test on www.virustotal.com
c:\windows\explorer.exe
- Copy the file path into the box; if it says the file has already been tested, have it tested again.
- Paste the link with the results here.
Download Bootkit Remover http://www.esagelab.com/files/bootkit_remover.rar
- save it to the desktop
- run it
- then click in the black window and copy the result here, or post a screenshot
Re: log check ( bledulka-wav )
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: aac7d8a98e39dfde27285ef395e66821
\\.\D: -> \\.\PhysicalDrive1
MD5: aac7d8a98e39dfde27285ef395e66821
Size Device Name MBR Status
--------------------------------------------
38 GB \\.\PhysicalDrive0 Unknown boot code
232 GB \\.\PhysicalDrive1 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
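The MD5 and "MBR Status" columns above are what a boot-sector integrity check produces. The script below is an added example, not code from the thread or from eSage Lab's Bootkit Remover: it parses a 512-byte MBR, hashes its boot-code region and compares that hash with a recorded known-good value. The hashed region (bytes 0..439), the sample boot code and the baseline hash are all my assumptions, constructed for the example.

```python
"""Boot-code integrity check for a 512-byte MBR (added example, not Bootkit Remover's code).
Assumption: the hashed region is the boot code, bytes 0..439, so disks that share
boot code but differ in partition tables hash identically, as C: and D: do above."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code ends where the 4-byte disk signature begins
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table entries (status, type, LBA start, sector count)."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts

def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only (my assumption about what the tool hashes)."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, known_good: set) -> str:
    """Classify like the tool's 'MBR Status' column; known_good holds hashes you recorded
    from a clean image, never values copied from someone else's log."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        return "Invalid MBR"
    return "OK" if boot_code_md5(mbr) in known_good else "Unknown boot code"

def make_mbr(boot_code: bytes, lba_start: int, sectors: int) -> bytes:
    """Build a constructed MBR: boot code, zeroed disk signature, one bootable NTFS entry."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba_start, sectors)
    return code + b"\x00" * 6 + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed stand-ins for boot code; neither is a real loader or a real bootkit.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
MODIFIED_CODE = b"\xe9\x00\x01" + CLEAN_CODE
BASELINE = {boot_code_md5(make_mbr(CLEAN_CODE, 63, 0))}   # recorded from the "clean" image

# Two disks of different sizes sharing one boot code, like the thread's PhysicalDrive0/1.
DISK0 = make_mbr(CLEAN_CODE, 63, 79_000_000)
DISK1 = make_mbr(CLEAN_CODE, 2048, 486_000_000)
DISK_MODIFIED = make_mbr(MODIFIED_CODE, 63, 79_000_000)

if __name__ == "__main__":
    for name, mbr in (("PhysicalDrive0", DISK0), ("PhysicalDrive1", DISK1), ("modified", DISK_MODIFIED)):
        print(f"{name:15} {boot_code_md5(mbr)}  {check_mbr(mbr, BASELINE)}")
```

On a real system the 512 bytes would be read from the physical drive (e.g. `\\.\PhysicalDrive0`) with administrative rights, and the baseline hash recorded from a trusted clean image of that same Windows version.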
Re: log check ( bledulka-wav )
So, to be safe, make a backup of your important files, but it should be OK.
- Move the Bootkit Remover program to the desktop if it is not there already.
- Start - Run - type into the box:
"%userprofile%\Plocha\remover.exe" fix \\.\PhysicalDrive0
- Enter
"%userprofile%\Plocha\remover.exe" fix \\.\PhysicalDrive1
- Enter
- restart the computer
- run Bootkit Remover again and paste the log here
Re: log check ( bledulka-wav )
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive1
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
38 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
232 GB \\.\PhysicalDrive1 OK (DOS/Win32 Boot code found)
Press any key to quit...
Re: log check ( bledulka-wav )
Fine, do the problems persist?
Download AVPTool http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
- install it, let it scan all drives
- let it disinfect whatever it finds
- then paste the log here.
Re: log check ( bledulka-wav )
Well, so far it looks like it's fine; if it shows up again I'll let you know. Otherwise, hats off to you, this is all Greek to me.
Re: log check ( bledulka-wav )
Also run that AVPTool, in case there are any remnants, and then run ComboFix again.
You caught a fairly new virus that manifests exactly this way, and it is not visible in any way.
And then write whether everything is fine now.
Re: log check ( bledulka-wav )
OK, I'll still throw those logs in here, but not until tomorrow.