VIRUS ALERT!

[Terka]

Ahoj moc prosim o pomoc. Mam taky problem s timto virem, ale jsem v pocitacich totalni laik a i navody co jsem nasla jsou pro me nesrozumitelny. Co je to napr. spybot nebo hitjack??? a kde to najdu? vsude pisou ze to mam vypnout a neco nekam poslat. Pomooooooooooooc please.

Vítám Tě na PC-HELP! Příště si založ vlastní téma, jinak je z toho zmatek. Přesouvám to na samostatné téma a upravuji název. Pic

[Reklama]

[fredik]

Návod na to jak udělat log z HJT najdeš zde

[Terka]

Moc dik ted posilam co se objevilo. A co s tim dal?

[Terka]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33: VIRUS ALERT!, on 12.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityresponse.symantec.com/av ... _homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://securityresponse.symantec.com/av ... _homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O3 - Toolbar: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: olnmraew - {8357C7B3-5BBF-4A22-A18D-A1D1C43BE188} - C:\WINDOWS\olnmraew.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKLM\..\Policies\Explorer\Run: []

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O21 - SSODL: qmafxprs - {96CF22DA-BF4D-4CE1-88C2-CC7E53D609EE} - C:\WINDOWS\qmafxprs.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Plánovač automatické aktualizace LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9159 bytes

[Terka]

Tak uz jsem to projela i combofixem a vyplivlo to toto
ComboFix 08-10-11.04 - a 2008-10-12 22:04:09.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1469 [GMT 2:00]
Spuštěný z: C:\Documents and Settings\a\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\etgo.exe
C:\WINDOWS\olnmraew.dll
C:\WINDOWS\qmafxprs.dll
C:\WINDOWS\system32\basfrsur.ini
C:\WINDOWS\system32\bmnghlec.ini
C:\WINDOWS\system32\byXQJYqO.dll
C:\WINDOWS\system32\byXRhHya.dll
C:\WINDOWS\system32\celhgnmb.dll
C:\WINDOWS\system32\ddcbCSME.dll
C:\WINDOWS\system32\efcCspOg.dll
C:\WINDOWS\system32\fnbkcaxi.ini
C:\WINDOWS\system32\geBqqNFV.dll
C:\WINDOWS\system32\gppgylii.ini
C:\WINDOWS\system32\hgGwXoli.dll
C:\WINDOWS\system32\iiffdBrO.dll
C:\WINDOWS\system32\iilygppg.dll
C:\WINDOWS\system32\jkkKbAQi.dll
C:\WINDOWS\system32\lsmqxvyy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJaWpMd.dll
C:\WINDOWS\system32\opnnmNHX.dll
C:\WINDOWS\system32\OqYJQXyb.ini
C:\WINDOWS\system32\OqYJQXyb.ini2
C:\WINDOWS\system32\qoMeCsSj.dll
C:\WINDOWS\system32\rusrfsab.dll
C:\WINDOWS\system32\uBKlmnmp.ini
C:\WINDOWS\system32\uBKlmnmp.ini2
C:\WINDOWS\system32\xxyXqOEv.dll
C:\WINDOWS\system32\yyvxqmsl.ini
C:\WINDOWS\vortsgbqtda.dll

----- BITS: Možné infikované stránky -----

hxxp://78.157.142.26
.
((((((((((((((((((((((((( Soubory vytvořené od 2008-09-12 do 2008-10-12 )))))))))))))))))))))))))))))))
.

2008-10-12 21:59 . 2008-10-12 21:59 9,123 --a------ C:\ResetTeaTimer.bat
2008-10-12 21:32 . 2008-10-12 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-12 16:35 . 2008-10-12 16:35 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Symantec
2008-10-11 17:12 . 2008-10-11 17:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-11 17:11 . 2008-10-11 17:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-10-11 17:01 . 2008-10-12 14:27 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-10-11 16:59 . 2008-10-11 17:34 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-11 16:59 . 2008-10-11 17:34 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-11 16:59 . 2008-10-11 17:34 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-11 16:59 . 2008-10-11 17:34 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-11 16:58 . 2008-10-11 17:34 <DIR> d-------- C:\Program Files\Symantec
2008-10-11 16:57 . 2008-10-12 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Symantec
2008-10-11 16:55 . 2008-10-12 22:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-11 14:21 . 2008-10-11 14:21 <DIR> d-------- C:\iPMS
2008-10-11 13:18 . 2008-10-11 13:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-11 13:18 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-10-11 09:48 . 2008-10-11 09:48 95 --a------ C:\WINDOWS\wininit.ini
2008-10-11 09:15 . 2008-10-11 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-10-10 20:29 . 2008-10-10 18:09 86,016 --a------ C:\WINDOWS\qkeftmxn.exe
2008-10-10 12:17 . 2008-04-14 05:22 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-10-10 12:15 . 2008-10-10 12:15 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Program Files\Nero
2008-10-10 12:13 . 2008-10-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2008-10-03 15:27 . 2008-10-03 15:28 <DIR> d-------- C:\Program Files\ICQ6
2008-09-19 15:19 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-19 15:16 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 17:07 98,304 ----a-w C:\WINDOWS\DUMP5f56.tmp
2008-10-04 14:33 --------- d-----w C:\Documents and Settings\a\Data aplikací\BearShare
2008-10-02 10:56 --------- d-----w C:\Documents and Settings\a\Data aplikací\foobar2000
2008-10-01 09:42 --------- d-----w C:\Documents and Settings\a\Data aplikací\ICQ
2008-09-22 12:32 --------- d-----w C:\Program Files\Webteh
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.

Co dal? prosim pomozte.

[jaro3]

Dovolím si zaskočit za fredika.
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
C:\WINDOWS\qkeftmxn.exe
C:\WINDOWS\system32\wmpns.dll


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu .

[Terka]

Tak jsem to udelala a vyjelo toto a co dal
ComboFix 08-10-11.04 - a 2008-10-13 9:30:21.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1402 [GMT 2:00]
Spuštěný z: C:\Documents and Settings\a\Plocha\ComboFix.exe
Použité ovládací přepínače :: C:\Documents and Settings\a\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
C:\WINDOWS\qkeftmxn.exe
C:\WINDOWS\system32\wmpns.dll
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\qkeftmxn.exe
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\wmpns.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-09-13 do 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-13 03:00 . 2008-10-13 03:00 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-13 03:00 . 2008-10-13 03:00 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-13 00:45 . 2008-10-13 00:45 0 --a------ C:\23990098.$$$
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-10-12 23:44 . 2008-10-12 23:44 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-10-12 23:37 . 2008-10-12 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2008-10-12 23:37 . 2008-04-14 05:22 147,968 --a------ C:\WINDOWS\R.COM
2008-10-12 23:37 . 2008-04-14 05:22 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-10-12 23:37 . 2008-10-13 00:49 52 --a------ C:\WINDOWS\Lic.xxx
2008-10-12 23:22 . 2008-10-12 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Yahoo! Companion
2008-10-12 23:10 . 2008-10-12 23:10 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-12 23:10 . 2008-10-12 23:10 <DIR> d-------- C:\Program Files\CCleaner
2008-10-12 22:16 . 2008-10-12 22:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-12 21:59 . 2008-10-12 21:59 9,123 --a------ C:\ResetTeaTimer.bat
2008-10-12 21:32 . 2008-10-12 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-12 16:35 . 2008-10-12 16:35 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Symantec
2008-10-11 17:12 . 2008-10-11 17:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-11 17:11 . 2008-10-11 17:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-10-11 17:01 . 2008-10-12 14:27 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-10-11 16:59 . 2008-10-11 17:34 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-11 16:59 . 2008-10-11 17:34 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-11 16:59 . 2008-10-11 17:34 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-11 16:59 . 2008-10-11 17:34 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-11 16:58 . 2008-10-11 17:34 <DIR> d-------- C:\Program Files\Symantec
2008-10-11 16:57 . 2008-10-13 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Symantec
2008-10-11 16:55 . 2008-10-12 23:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-11 14:21 . 2008-10-11 14:21 <DIR> d-------- C:\iPMS
2008-10-11 13:18 . 2008-10-11 13:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-11 13:18 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-10-11 09:48 . 2008-10-11 09:48 95 --a------ C:\WINDOWS\wininit.ini
2008-10-11 09:15 . 2008-10-11 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-10-10 12:15 . 2008-10-10 12:15 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Program Files\Nero
2008-10-10 12:13 . 2008-10-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2008-10-03 15:27 . 2008-10-03 15:28 <DIR> d-------- C:\Program Files\ICQ6
2008-09-19 15:19 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-19 15:16 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 17:07 98,304 ----a-w C:\WINDOWS\DUMP5f56.tmp
2008-10-04 14:33 --------- d-----w C:\Documents and Settings\a\Data aplikací\BearShare
2008-10-02 10:56 --------- d-----w C:\Documents and Settings\a\Data aplikací\foobar2000
2008-10-01 09:42 --------- d-----w C:\Documents and Settings\a\Data aplikací\ICQ
2008-09-22 12:32 --------- d-----w C:\Program Files\Webteh
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-12_22.17.06.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-12 20:16:47 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2004-08-10 23:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-20 04:01:32 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-10 23:45:06 2,362,104 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2003-04-18 14:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 13:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2004-08-10 23:45:04 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-20 04:01:32 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2004-08-10 23:45:06 2,362,104 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2008-10-12 21:34:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_398.dat
+ 2007-05-08 13:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2008-07-10 14:04 1600024 --a------ C:\Program Files\P2P_Energy\tbP2P_.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{2BAE58C2-79F9-45D1-A286-81F911301C3A}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-09-01 173304]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 131072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-03-30 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-26 554352]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2008-04-13 69120]

*Newly Created Service* - COMHOST
.
Obsah adresáře 'Naplánované úlohy'

2008-10-12 C:\WINDOWS\Tasks\Norton Internet Security - Prověřit tento počítač - a.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 03:09]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKU-Default-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 09:32:08
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2008-10-13 9:32:56
ComboFix-quarantined-files.txt 2008-10-13 07:32:52
ComboFix2.txt 2008-10-12 21:03:25
ComboFix3.txt 2008-10-12 20:17:54

Před spuštěním: Volných bajtů: 38 569 160 704
Po spuštění: Volných bajtů: 38,784,491,520

183 --- E O F --- 2008-10-13 01:01:10

[jaro3]

Toto dej na Virustotal:http://www.virustotal.com/

návod zde:http://www.pc-help.cz/viewtopic.php?f=70&t=5121

Kód: Vybrat vše

C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM

Ještě jeden script v CF:

Kód: Vybrat vše

File::
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\Lic.xxx
C:\23990098.$$$

Folder::
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\Lic.xxx
C:\23990098.$$$

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


Pak sem vlož znovu log z CF.

[Terka]

Dalsi log
ComboFix 08-10-11.04 - a 2008-10-13 13:58:00.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1352 [GMT 2:00]
Spuštěný z: C:\Documents and Settings\a\Plocha\ComboFix.exe
Použité ovládací přepínače :: C:\Documents and Settings\a\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
C:\23990098.$$$
C:\WINDOWS\Lic.xxx
C:\WINDOWS\logo1_.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\zts2.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\23990098.$$$
C:\WINDOWS\Lic.xxx
C:\WINDOWS\logo1_.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\zts2.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-09-13 do 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-13 03:00 . 2008-10-13 03:00 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-13 03:00 . 2008-10-13 03:00 1,393 --a------ C:\WINDOWS\imsins.BAK
2008-10-12 23:37 . 2008-10-12 23:37 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2008-10-12 23:37 . 2008-04-14 05:22 147,968 --a------ C:\WINDOWS\R.COM
2008-10-12 23:37 . 2008-04-14 05:22 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-10-12 23:22 . 2008-10-12 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Yahoo! Companion
2008-10-12 23:10 . 2008-10-12 23:10 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-12 23:10 . 2008-10-12 23:10 <DIR> d-------- C:\Program Files\CCleaner
2008-10-12 22:16 . 2008-10-12 22:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-12 21:59 . 2008-10-12 21:59 9,123 --a------ C:\ResetTeaTimer.bat
2008-10-12 21:32 . 2008-10-12 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-12 16:35 . 2008-10-12 16:35 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Symantec
2008-10-11 17:12 . 2008-10-11 17:12 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-11 17:11 . 2008-10-11 17:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-10-11 17:01 . 2008-10-12 14:27 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-10-11 16:59 . 2008-10-11 17:34 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-11 16:59 . 2008-10-11 17:34 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-11 16:59 . 2008-10-11 17:34 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-11 16:59 . 2008-10-11 17:34 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-11 16:58 . 2008-10-11 17:34 <DIR> d-------- C:\Program Files\Symantec
2008-10-11 16:57 . 2008-10-13 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Symantec
2008-10-11 16:55 . 2008-10-12 23:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-11 14:21 . 2008-10-11 14:21 <DIR> d-------- C:\iPMS
2008-10-11 13:18 . 2008-10-11 13:18 <DIR> d-------- C:\Program Files\Alwil Software
2008-10-11 13:18 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-10-11 13:18 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-10-11 09:48 . 2008-10-11 09:48 95 --a------ C:\WINDOWS\wininit.ini
2008-10-11 09:15 . 2008-10-11 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-10-10 12:15 . 2008-10-10 12:15 <DIR> d-------- C:\Documents and Settings\a\Data aplikací\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Program Files\Nero
2008-10-10 12:13 . 2008-10-10 12:14 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-10-10 12:13 . 2008-10-10 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2008-10-03 15:27 . 2008-10-03 15:28 <DIR> d-------- C:\Program Files\ICQ6
2008-09-19 15:19 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-19 15:16 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 17:07 98,304 ----a-w C:\WINDOWS\DUMP5f56.tmp
2008-10-04 14:33 --------- d-----w C:\Documents and Settings\a\Data aplikací\BearShare
2008-10-02 10:56 --------- d-----w C:\Documents and Settings\a\Data aplikací\foobar2000
2008-10-01 09:42 --------- d-----w C:\Documents and Settings\a\Data aplikací\ICQ
2008-09-22 12:32 --------- d-----w C:\Program Files\Webteh
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-12_22.17.06.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-12 20:16:47 32,768 ----a-r C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
- 2004-08-10 23:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-20 04:01:32 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-10 23:45:06 2,362,104 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2003-04-18 14:46:22 1,233,920 ----a-w C:\WINDOWS\system32\msxml4.dll
+ 2007-05-08 13:03:04 1,275,392 ----a-w C:\WINDOWS\system32\msxml4.dll
- 2004-08-10 23:45:04 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-20 04:01:32 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2004-08-10 23:45:06 2,362,104 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-12-07 06:40:49 2,362,184 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2008-10-12 21:34:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_398.dat
+ 2007-05-08 13:06:44 1,275,392 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2bae58c2-79f9-45d1-a286-81f911301c3a}]
2008-07-10 14:04 1600024 --a------ C:\Program Files\P2P_Energy\tbP2P_.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2bae58c2-79f9-45d1-a286-81f911301c3a}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{2BAE58C2-79F9-45D1-A286-81F911301C3A}"= "C:\Program Files\P2P_Energy\tbP2P_.dll" [2008-07-10 1600024]

[HKEY_CLASSES_ROOT\clsid\{2bae58c2-79f9-45d1-a286-81f911301c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-09-01 173304]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 131072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-03-30 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS.exe]
"Debugger"=dummy.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iPMS20.exe]
"Debugger"=dummy.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-26 554352]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2008-04-13 69120]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Obsah adresáře 'Naplánované úlohy'

2008-10-12 C:\WINDOWS\Tasks\Norton Internet Security - Prověřit tento počítač - a.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 03:09]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKU-Default-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 13:59:22
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2008-10-13 14:00:09
ComboFix-quarantined-files.txt 2008-10-13 12:00:05
ComboFix2.txt 2008-10-13 07:32:58
ComboFix3.txt 2008-10-12 21:03:25
ComboFix4.txt 2008-10-12 20:17:54

Před spuštěním: Volných bajtů: 38 495 911 936
Po spuštění: Volných bajtů: 38,752,989,184

181 --- E O F --- 2008-10-13 01:01:10

[jaro3]

Tak , ještě jednou bych Tě požádal o otestování těchto dvou souborů na VirusTotal, než je odstraním.:
Virustotal:http://www.virustotal.com/

návod zde:http://www.pc-help.cz/viewtopic.php?f=70&t=5121

C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM

[Diallix]

jaro3, povec mi, ako mozes dat uzivatelovi nieco mazat cez combofix, ked ho nema cely? Toto nemyslis vazne.


Terka, tie dva subory netestujte. Su ok.

Prosim, tieto veci najdite a zmazte:
C:\WINDOWS\DUMP5f56.tmp
C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe

Nasledne poprosim o novy log z HJT.

[Terka]

Tak jsem to smazala znovu projela a vysledek je zde. Co dal? Diky

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21, on 13.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\a\Plocha\mplayerc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/av ... _homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: P2P Energy Toolbar - {2bae58c2-79f9-45d1-a286-81f911301c3a} - C:\Program Files\P2P_Energy\tbP2P_.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Plánovač automatické aktualizace LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9471 bytes