Internet Saving Optimizer nejde odinstalovat Vyřešeno

[braque]

Snazim sa vyriesit problem s otvaranim neziaducich okien... Pocas surfovania sa mi vo Firefoxe 3.5.1. otvaraju okna http://sk.funtest.me, http://adultfriendfinder.com/, http://www.travian.sk/ a kopa dalsich. Eset, ani AdAware, ani SUPERAntiSpyware nepomahaju.

Nasla som medzi programami Internet Saving Optimizer. Vobec sa neda odinstalovat klasickym sposobom (t.j. cez "pridanie alebo odstranenie programov").

Mozu tie dva problemy spolu suvisiet? Ako ich vyriesim?

Dik!

[Reklama]

[Damned]

Stáhni si z mého podpisu HijackThis a podle návodu udělej log. Ten sem potom vlož.

[braque]

Tak tu to je:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:52, on 24.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MUDr.Hajdak Jozef\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.gamingharbor.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Media Access Startup\1.5.0.850\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SetupExeDll] StatusCheck.exe
O4 - HKLM\..\Run: [Uint32] abrek.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [jbaxu.exe] C:\WINDOWS\system32\jbaxu.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DCC_send] jopplerg.exe
O4 - HKCU\..\Run: [jopplerg] mozilla-text.exe
O4 - HKCU\..\Run: [ATLIEHELPER] bhoserv.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F01BD21-6B8B-4C6C-A518-3CA6590DC878}: NameServer = 172.16.0.2,62.168.96.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Služba Google Update (gupdate1c9b0631bca1850) (gupdate1c9b0631bca1850) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7036 bytes

[Damned]

Spusť HJT, vypni prohlížeče, odpoj se od internetu a fixni (zatrhnout políčko před hodnotou, zmáčknout
"Fix checked"):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.gamingharbor.com
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Media Access Startup\1.5.0.850\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SetupExeDll] StatusCheck.exe
O4 - HKLM\..\Run: [Uint32] abrek.exe
O4 - HKLM\..\Run: [jbaxu.exe] C:\WINDOWS\system32\jbaxu.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DCC_send] jopplerg.exe
O4 - HKCU\..\Run: [jopplerg] mozilla-text.exe
O4 - HKCU\..\Run: [ATLIEHELPER] bhoserv.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} -
****************************************************************************************************************************************
Zkus odinstalovat:
bearshare, Media Access Startup, Internet Saving Optimizer
*****************************************************************************************************************************************
Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Aktualizace Malwarebytes' Anti-Malware a Spustit aplikaci Malwarebytes' Anti-Malware, pokud jo tak klikni na tlačítko konec
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Provést rychlý sken a klikni na tlačítko Skenovat
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Zobrazit výsledky
- pak zvol možnost uložit log a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

[braque]

Dik moc za podrobny navod. Tu je ten log:

Malwarebytes' Anti-Malware 1.39
Verze databáze: 2492
Windows 5.1.2600 Service Pack 2

24.7.2009 14:09:18
mbam-log-2009-07-24 (14-09-06).txt

Typ skenu: Rychlý sken
Objektu skenováno: 88977
Uplynulý cas: 15 minute(s), 19 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 4
Infikované hodnoty registru: 1
Infikované položky dat registru: 0
Infikované složky: 4
Infikované soubory: 2

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_CLASSES_ROOT\explorerbar.funexplorer (Adware.DoubleD) -> No action taken.
HKEY_CLASSES_ROOT\explorerbar.funexplorer.1 (Adware.DoubleD) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> No action taken.

Infikované hodnoty registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5617eca9-488d-4ba2-8562-9710b9ab78d2} (Adware.DoubleD) -> No action taken.

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
C:\Program Files\DoubleD (Adware.DoubleD) -> No action taken.
c:\program files\DoubleD\GamingHarbor Toolbar (Adware.DoubleD) -> No action taken.
C:\Program Files\Media Access Startup (Adware.DoubleD) -> No action taken.
C:\Program Files\Internet Saving Optimizer (Adware.DoubleD) -> No action taken.

Infikované soubory:
c:\documents and settings\mudr.hajdak jozef\local settings\temporary internet files\ISOSetup.exe (Trojan.Agent) -> No action taken.
c:\winamp504_full.exe (Trojan.Agent) -> No action taken.

[braque]

Internet Saving Optimizer sa mi podarilo odstranit. Ale bearshare som ani nenasla v zozname programov....

[Damned]

Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Show Results
- ujistit se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Remove Selected
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Vypni rezidentní štít antiviru (pokud máš tak i antispyware).
Stáhni si ComboFix (by sUBs)
nebo ComboFix (subs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[braque]

Tak jo, toto je ten prvy log:

Malwarebytes' Anti-Malware 1.39
Verze databáze: 2492
Windows 5.1.2600 Service Pack 2

24.7.2009 20:25:22
mbam-log-2009-07-24 (20-25-22).txt

Typ skenu: Úplný sken (C:\|D:\|)
Objektu skenováno: 146617
Uplynulý cas: 1 hour(s), 48 minute(s), 12 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 4
Infikované hodnoty registru: 1
Infikované položky dat registru: 0
Infikované složky: 4
Infikované soubory: 2

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_CLASSES_ROOT\explorerbar.funexplorer (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\explorerbar.funexplorer.1 (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35b8d58c-b0cb-46b0-ba64-05b3804e4e86} (Adware.DoubleD) -> Quarantined and deleted successfully.

Infikované hodnoty registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5617eca9-488d-4ba2-8562-9710b9ab78d2} (Adware.DoubleD) -> Quarantined and deleted successfully.

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
C:\Program Files\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\program files\DoubleD\GamingHarbor Toolbar (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Program Files\Media Access Startup (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Program Files\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.

Infikované soubory:
c:\documents and settings\mudr.hajdak jozef\local settings\temporary internet files\ISOSetup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\winamp504_full.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[braque]

a tu je druhy log:

ComboFix 09-07-23.04 - xxxxxxxxxxxxxxxxx 24.07.2009 20:41.1.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.511.233 [GMT 2:00]
Running from: c:\documents and settings\xxxxxxxxxxxxxxxxx\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0xf9.exe
C:\data
c:\data\mzdy0001.mdb
c:\data\mzdy0002.mdb
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm130.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm1579.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm20D.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm230.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm293.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm31.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm32.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm5A.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm80.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\_tm9CD.tmp
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\stb06759.tmp
c:\program files\INSTALL.LOG
c:\windows\system32\MSPRPSK.DLL

.
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 11:37 . 2009-07-24 11:37 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\Malwarebytes
2009-07-24 11:37 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 11:37 . 2009-07-24 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 11:37 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 11:37 . 2009-07-24 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 09:37 . 2009-07-24 09:37 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-24 09:37 . 2009-07-24 09:37 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-07-24 03:48 . 2009-07-24 03:48 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\ESET
2009-07-24 00:10 . 2009-07-24 00:10 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\TrojanHunter
2009-07-23 22:11 . 2009-07-24 09:22 -------- d-----w- c:\program files\TrojanHunter 5.0
2009-07-23 18:05 . 2009-07-24 18:36 117760 ----a-w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-23 18:03 . 2009-07-23 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-23 18:02 . 2009-07-23 18:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-23 18:02 . 2009-07-23 18:02 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\SUPERAntiSpyware.com
2009-07-23 18:02 . 2009-07-23 18:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-07 09:46 . 2009-07-24 11:36 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\Internet Saving Optimizer
2009-07-07 09:45 . 2009-07-13 11:47 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\Media Access Startup
2009-07-07 09:43 . 2009-07-07 09:43 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\DoubleD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 10:02 . 2005-05-06 22:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-24 10:02 . 2005-05-06 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-24 09:27 . 2008-02-27 23:46 -------- d-----w- c:\program files\Kate's Video Converter
2009-07-24 09:27 . 2003-09-20 09:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-23 07:42 . 2005-02-01 20:29 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\Skype
2009-07-22 22:33 . 2007-08-22 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-21 01:50 . 2009-03-09 10:07 -------- d-----w- c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\uTorrent
2009-07-21 01:24 . 2004-12-20 21:15 -------- d-----w- c:\program files\MSN Messenger
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2002-08-29 03:41 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 11:29 . 2006-10-08 10:45 -------- d-----w- c:\program files\Google
2009-05-07 15:44 . 2002-08-29 03:41 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-23 18:32 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-12-05 17:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-22 22:08 . 2008-09-07 09:54 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-09-28 19:21 . 2006-09-27 18:23 56 --sh--r- c:\windows\system32\B47C9A38FC.sys
2006-09-28 19:21 . 2006-09-27 18:02 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Assistant\\Nassi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23.6.2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23.6.2009 11:01 72944]
R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [22.3.2007 14:11 51072]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24.10.2008 20:51 468224]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23.6.2009 11:01 7408]
S2 gupdate1c9b0631bca1850;Služba Google Update (gupdate1c9b0631bca1850);c:\program files\Google\Update\GoogleUpdate.exe [29.3.2009 13:40 133104]
S3 TNET1130;IEEE 802.11g Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\TNET1130.sys [12.11.2004 13:18 385792]
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 11:39]

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-29 11:39]

2009-07-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 21:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {7F01BD21-6B8B-4C6C-A518-3CA6590DC878} = 172.16.0.2,62.168.96.4
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\xxxxxxxxxxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\q0j42ncw.Nepojmenovaný\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 20:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-24 20:55
ComboFix-quarantined-files.txt 2009-07-24 18:54

Pre-Run: 59 785 019 392 bytes free
Post-Run: 25 adresárov, 60 479 139 840 voľných bajtov

202 --- E O F --- 2009-07-15 20:03

[braque]

Zda sa, ze je problem vyrieseny. Aspon zatial sa mi ziadne neziaduce okno neotvorilo. Dufam, ze to takto ostane.

Myslis, ze Eset je dobry program? Mozno bol ten PC v hroznom stave este pred instalaciou Esetu. Je to pocitac, ktory pouzivaju hlavne rodicia, takze podla toho aj vyzera.

Diky moc za pomoc!!!!

[Owner]

Nod 32 nebo Eset Smart Security jsou špičky ve svém oboru. Proto bych doporučoval , pokud máš Eset Smart Security odinstalovat ostatní firewally a antiviry ,ať zbytečně nebrzdí systém.

[Damned]

To: owner Kde má další antivir?

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok).
Zkopíruj do něj následující celý text označený zeleně:

File::
c:\windows\system32\B47C9A38FC.sys
c:\windows\Tasks\WGASetup.job
c:\windows\system32\KB905474\wgasetup.exe

Folder::
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\Internet Saving Optimizer
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\Media Access Startup
c:\documents and settings\xxxxxxxxxxxxxxxxx\Local Settings\Application Data\DoubleD

Driver::
B47C9A38FC




Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.


Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe
a když se oba soubory překryjí, skript upusť.


- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT a popiš chování počítače