vir pomoc

[wichin]

Ahoj. Po přeinstalování windows a nainstalování sp3 se mi po startu objeví tohle okno nodu32.
Jde o vir? Pokaždé, když v hijacku fixnu services.exe, tak po restartu to tam zas je. Děkujiii.
Posílám log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:04, on 1.4.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O17 - HKLM\System\CS3\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3861 bytes




V procesech mi běží

[Reklama]

[jaro3]

Vypni rez. ochranu u NOD32 a Kerio deaktivuj.
Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[wichin]

ComboFix 09-03-31.01 - Jaroslav 2009-04-01 7:22:43.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.2047.1693 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jaroslav\Plocha\ComboFix.exe
AV: Eset NOD32 Antivirus 2.50 *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jaroslav\Data aplikací\wiaserva.log
c:\windows\services.exe
c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-03-01 do 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-04-01 06:46 . 2009-04-01 06:46 <DIR> d-------- c:\program files\Realtek AC97
2009-04-01 06:46 . 2006-02-08 16:28 10,518,528 --a------ c:\windows\system32\RTLCPL.exe
2009-04-01 06:46 . 2006-02-08 15:44 3,846,016 -ra------ c:\windows\system32\drivers\alcxwdm.sys
2009-04-01 06:46 . 2005-11-18 11:14 307,200 --a------ c:\windows\alcupd.exe
2009-04-01 06:46 . 2005-11-18 11:20 217,088 --a------ c:\windows\alcrmv.exe
2009-04-01 06:46 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\alsndmgr.wav
2009-04-01 06:46 . 2006-01-10 13:38 135,168 --a------ c:\windows\system32\RtlCPAPI.dll
2009-04-01 06:26 . 2009-04-01 06:26 <DIR> d-------- c:\program files\Zoner
2009-04-01 06:26 . 2009-04-01 06:27 <DIR> d-------- c:\documents and settings\Jaroslav\Data aplikací\Zoner
2009-04-01 03:29 . 2009-04-01 03:30 5,423 --a------ c:\windows\BricoPackFoldersDelete.cmd
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\system32\cs
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\system32\bits
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\l2schemas
2009-04-01 03:05 . 2009-04-01 03:05 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 01:24 . 2009-04-01 01:24 <DIR> d-------- c:\documents and settings\Jarda\Data aplikací
2009-04-01 01:09 . 2009-04-01 01:09 <DIR> d-------- c:\documents and settings\LocalService\Nabídka Start

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 04:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 04:45 --------- d-----w c:\program files\ffdshow
2009-04-01 01:30 71,918 ----a-w c:\windows\BricoPackUninst.cmd
2009-04-01 01:30 219,648 ----a-w c:\windows\system32\uxtheme.dll
2009-04-01 00:56 --------- d-----w c:\program files\Eset
2009-04-01 00:54 --------- d-----w c:\program files\Java
2009-04-01 00:43 --------- d-----w c:\program files\DAEMON Tools
2009-04-01 00:40 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-01 00:39 --------- d-----w c:\program files\Common Files\Adobe
2009-04-01 00:37 --------- d-----w c:\program files\Opera
2009-04-01 00:32 --------- d-----w c:\program files\LS
2009-04-01 00:18 --------- d-----w c:\program files\Lavasoft
2009-04-01 00:18 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\Lavasoft
2009-04-01 00:01 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-31 23:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-31 23:44 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\InterVideo
2009-03-31 23:43 --------- d-----w c:\program files\InterVideo
2009-03-31 23:43 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-31 23:40 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\BSplayer PRO
2009-03-31 23:38 --------- d-----w c:\program files\Webteh
2009-03-31 23:34 --------- d-----w c:\program files\CCleaner
2009-03-31 23:14 --------- d-----w c:\program files\Kerio
2009-03-31 23:13 --------- d-----w c:\program files\QuickTime
2009-03-31 23:12 --------- d-----w c:\documents and settings\All Users\Data aplikací\Apple Computer
2009-03-31 22:58 --------- d-----w c:\documents and settings\All Users\Data aplikací\Office Genuine Advantage
2009-03-31 22:49 --------- d-----w c:\program files\My Company Name
2009-03-31 22:43 502,208 ----a-w c:\windows\system32\drivers\amon.sys
2009-03-31 22:43 270,336 ----a-w c:\windows\system32\imon.dll
2009-03-31 22:38 315,392 ----a-w c:\windows\HideWin.exe
2009-03-31 22:38 --------- d-----w c:\program files\Realtek
2009-03-31 22:33 --------- d-----w c:\program files\Intel
2009-03-31 22:29 1,075,712 ----a-w c:\windows\system32\AutoPartNt.exe
2009-03-31 22:23 --------- d-----w c:\documents and settings\All Users\Data aplikací\Acronis
2009-03-31 22:20 97,248 ----a-w c:\windows\system32\drivers\snapman.sys
2009-03-31 22:20 --------- d-----w c:\program files\Common Files\Acronis
2009-03-31 22:20 --------- d-----w c:\program files\Acronis
2009-03-31 22:16 --------- d-----w c:\program files\microsoft frontpage
2009-03-31 22:15 558,142 ----a-w c:\windows\java\Packages\TVX73F7T.ZIP
2009-03-31 22:15 155,995 ----a-w c:\windows\java\Packages\H7DV3BTB.ZIP
2009-03-09 03:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-16 21:17 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 14:07 1,846,784 ----a-w c:\windows\system32\win32k.sys
2006-07-27 16:26 34,816 ----a-w c:\program files\opera\program\plugins\spellcheck.dll
.

------- Sigcheck -------

2008-08-26 11:12 827904 a74381b8d7024b2d8bb5691a93f825b8 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 12:36 668672 dc068c9c851b3f601d91bfa93e053993 c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
2008-10-16 03:03 667136 8e7de90524f7dd5db33cc38ad9a1b0b4 c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
2008-10-16 03:06 668160 370940e124256d20de4ca7e51377335c c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
2008-12-21 01:48 827904 a039ce5f34bf98760f877b29e5a1d4cd c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2004-08-17 15:49 691712 321e734a0b91c43725463c509056b2aa c:\windows\$NtServicePackUninstall$\wininet.dll
2008-10-16 12:39 660480 20275ea77612128219308d1bfac3f7ab c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 10:27 826368 0930f57122ff74739e3684d0016877f1 c:\windows\ie7updates\KB961260-IE7\wininet.dll
2008-12-21 01:03 817152 755047861018f8e84be05346e7392606 c:\windows\ServicePackFiles\i386\wininet.dll
2008-12-21 01:03 826368 793da751c812efc3c6786bbd3b8489a8 c:\windows\SoftwareDistribution\Download\26fe11b653d65cac4dd7670f42732137\SP2GDR\wininet.dll
2008-12-21 01:48 827904 a039ce5f34bf98760f877b29e5a1d4cd c:\windows\SoftwareDistribution\Download\26fe11b653d65cac4dd7670f42732137\SP2QFE\wininet.dll
2008-10-16 12:39 660480 20275ea77612128219308d1bfac3f7ab c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP2GDR\wininet.dll
2008-10-16 12:36 668672 dc068c9c851b3f601d91bfa93e053993 c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP2QFE\wininet.dll
2008-10-16 03:03 667136 8e7de90524f7dd5db33cc38ad9a1b0b4 c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP3GDR\wininet.dll
2008-10-16 03:06 668160 370940e124256d20de4ca7e51377335c c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP3QFE\wininet.dll
2008-04-14 05:22 667136 3fe5e65a7ed9ec98aee9167ca07812d3 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\wininet.dll
2008-08-26 10:27 826368 0930f57122ff74739e3684d0016877f1 c:\windows\SoftwareDistribution\Download\b036fb87dc9cfdb88c64df1ddd121b4f\SP2GDR\wininet.dll
2008-08-26 11:12 827904 a74381b8d7024b2d8bb5691a93f825b8 c:\windows\SoftwareDistribution\Download\b036fb87dc9cfdb88c64df1ddd121b4f\SP2QFE\wininet.dll
2008-12-21 01:03 817152 755047861018f8e84be05346e7392606 c:\windows\system32\wininet.dll
2008-12-21 01:03 826368 793da751c812efc3c6786bbd3b8489a8 c:\windows\system32\dllcache\wininet.dll

2008-04-14 05:22 976384 13e794e5591776cbc71055a7b3cc1d5f c:\windows\explorer.exe
2004-08-17 15:49 974848 4d32d7ffc2f583fe21ef0a4f99eabb12 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:22 976384 13e794e5591776cbc71055a7b3cc1d5f c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-14 05:22 1034240 27afd587c462e280ee046b8cca3c2cd1 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\explorer.exe

2004-08-17 15:49 100864 dc0447eda50475e6eb9aa14c308efd9b c:\windows\$NtServicePackUninstall$\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-04-14 05:22 111104 df7917138b80c79d15b3e8520d565311 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-04-01 917504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2004-11-02 262144]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-04-01 39424]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - PROCEXP100
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-services - c:\windows\services.exe


.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: imon.dll
TCP: {10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94} = 192.168.2.133,217.197.152.135
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 07:23:34
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'lsass.exe'(1032)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2009-04-01 7:24:22
ComboFix-quarantined-files.txt 2009-04-01 05:24:20

Před spuštěním: Volných bajtů: 239 427 612 672
Po spuštění: Volných bajtů: 239,556,005,888

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

177 --- E O F --- 2009-04-01 01:22:24

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

[wichin]

ComboFix 09-03-31.01 - Jaroslav 2009-04-01 7:39:16.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.2047.1669 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jaroslav\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jaroslav\Plocha\CFScript.txt
AV: Eset NOD32 Antivirus 2.50 *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení
* Resident AV is active

.

((((((((((((((((((((((((( Soubory vytvořené od 2009-03-01 do 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-04-01 06:46 . 2009-04-01 06:46 <DIR> d-------- c:\program files\Realtek AC97
2009-04-01 06:46 . 2006-02-08 16:28 10,518,528 --a------ c:\windows\system32\RTLCPL.exe
2009-04-01 06:46 . 2006-02-08 15:44 3,846,016 -ra------ c:\windows\system32\drivers\alcxwdm.sys
2009-04-01 06:46 . 2005-11-18 11:14 307,200 --a------ c:\windows\alcupd.exe
2009-04-01 06:46 . 2005-11-18 11:20 217,088 --a------ c:\windows\alcrmv.exe
2009-04-01 06:46 . 2002-02-05 13:54 141,016 --a------ c:\windows\system32\alsndmgr.wav
2009-04-01 06:46 . 2006-01-10 13:38 135,168 --a------ c:\windows\system32\RtlCPAPI.dll
2009-04-01 06:26 . 2009-04-01 06:26 <DIR> d-------- c:\program files\Zoner
2009-04-01 06:26 . 2009-04-01 06:27 <DIR> d-------- c:\documents and settings\Jaroslav\Data aplikací\Zoner
2009-04-01 03:29 . 2009-04-01 03:30 5,423 --a------ c:\windows\BricoPackFoldersDelete.cmd
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\system32\cs
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\system32\bits
2009-04-01 03:17 . 2009-04-01 03:17 <DIR> d-------- c:\windows\l2schemas
2009-04-01 03:05 . 2009-04-01 03:05 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 01:24 . 2009-04-01 01:24 <DIR> d-------- c:\documents and settings\Jarda\Data aplikací
2009-04-01 01:09 . 2009-04-01 01:09 <DIR> d-------- c:\documents and settings\LocalService\Nabídka Start

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 04:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 04:45 --------- d-----w c:\program files\ffdshow
2009-04-01 01:30 71,918 ----a-w c:\windows\BricoPackUninst.cmd
2009-04-01 01:30 219,648 ----a-w c:\windows\system32\uxtheme.dll
2009-04-01 00:56 --------- d-----w c:\program files\Eset
2009-04-01 00:54 --------- d-----w c:\program files\Java
2009-04-01 00:43 --------- d-----w c:\program files\DAEMON Tools
2009-04-01 00:40 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-01 00:39 --------- d-----w c:\program files\Common Files\Adobe
2009-04-01 00:37 --------- d-----w c:\program files\Opera
2009-04-01 00:32 --------- d-----w c:\program files\LS
2009-04-01 00:18 --------- d-----w c:\program files\Lavasoft
2009-04-01 00:18 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\Lavasoft
2009-04-01 00:01 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-31 23:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-31 23:44 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\InterVideo
2009-03-31 23:43 --------- d-----w c:\program files\InterVideo
2009-03-31 23:43 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-31 23:40 --------- d-----w c:\documents and settings\Jaroslav\Data aplikací\BSplayer PRO
2009-03-31 23:38 --------- d-----w c:\program files\Webteh
2009-03-31 23:34 --------- d-----w c:\program files\CCleaner
2009-03-31 23:14 --------- d-----w c:\program files\Kerio
2009-03-31 23:13 --------- d-----w c:\program files\QuickTime
2009-03-31 23:12 --------- d-----w c:\documents and settings\All Users\Data aplikací\Apple Computer
2009-03-31 22:58 --------- d-----w c:\documents and settings\All Users\Data aplikací\Office Genuine Advantage
2009-03-31 22:49 --------- d-----w c:\program files\My Company Name
2009-03-31 22:43 502,208 ----a-w c:\windows\system32\drivers\amon.sys
2009-03-31 22:43 270,336 ----a-w c:\windows\system32\imon.dll
2009-03-31 22:38 315,392 ----a-w c:\windows\HideWin.exe
2009-03-31 22:38 --------- d-----w c:\program files\Realtek
2009-03-31 22:33 --------- d-----w c:\program files\Intel
2009-03-31 22:29 1,075,712 ----a-w c:\windows\system32\AutoPartNt.exe
2009-03-31 22:23 --------- d-----w c:\documents and settings\All Users\Data aplikací\Acronis
2009-03-31 22:20 97,248 ----a-w c:\windows\system32\drivers\snapman.sys
2009-03-31 22:20 --------- d-----w c:\program files\Common Files\Acronis
2009-03-31 22:20 --------- d-----w c:\program files\Acronis
2009-03-31 22:16 --------- d-----w c:\program files\microsoft frontpage
2009-03-31 22:15 558,142 ----a-w c:\windows\java\Packages\TVX73F7T.ZIP
2009-03-31 22:15 155,995 ----a-w c:\windows\java\Packages\H7DV3BTB.ZIP
2009-03-09 03:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-16 21:17 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 14:07 1,846,784 ----a-w c:\windows\system32\win32k.sys
2006-07-27 16:26 34,816 ----a-w c:\program files\opera\program\plugins\spellcheck.dll
.

------- Sigcheck -------

2008-08-26 11:12 827904 a74381b8d7024b2d8bb5691a93f825b8 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 12:36 668672 dc068c9c851b3f601d91bfa93e053993 c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
2008-10-16 03:03 667136 8e7de90524f7dd5db33cc38ad9a1b0b4 c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
2008-10-16 03:06 668160 370940e124256d20de4ca7e51377335c c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
2008-12-21 01:48 827904 a039ce5f34bf98760f877b29e5a1d4cd c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2004-08-17 15:49 691712 321e734a0b91c43725463c509056b2aa c:\windows\$NtServicePackUninstall$\wininet.dll
2008-10-16 12:39 660480 20275ea77612128219308d1bfac3f7ab c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 10:27 826368 0930f57122ff74739e3684d0016877f1 c:\windows\ie7updates\KB961260-IE7\wininet.dll
2008-12-21 01:03 817152 755047861018f8e84be05346e7392606 c:\windows\ServicePackFiles\i386\wininet.dll
2008-12-21 01:03 826368 793da751c812efc3c6786bbd3b8489a8 c:\windows\SoftwareDistribution\Download\26fe11b653d65cac4dd7670f42732137\SP2GDR\wininet.dll
2008-12-21 01:48 827904 a039ce5f34bf98760f877b29e5a1d4cd c:\windows\SoftwareDistribution\Download\26fe11b653d65cac4dd7670f42732137\SP2QFE\wininet.dll
2008-10-16 12:39 660480 20275ea77612128219308d1bfac3f7ab c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP2GDR\wininet.dll
2008-10-16 12:36 668672 dc068c9c851b3f601d91bfa93e053993 c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP2QFE\wininet.dll
2008-10-16 03:03 667136 8e7de90524f7dd5db33cc38ad9a1b0b4 c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP3GDR\wininet.dll
2008-10-16 03:06 668160 370940e124256d20de4ca7e51377335c c:\windows\SoftwareDistribution\Download\83f190f9e0a95cb6bf971f6d27f9deef\SP3QFE\wininet.dll
2008-04-14 05:22 667136 3fe5e65a7ed9ec98aee9167ca07812d3 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\wininet.dll
2008-08-26 10:27 826368 0930f57122ff74739e3684d0016877f1 c:\windows\SoftwareDistribution\Download\b036fb87dc9cfdb88c64df1ddd121b4f\SP2GDR\wininet.dll
2008-08-26 11:12 827904 a74381b8d7024b2d8bb5691a93f825b8 c:\windows\SoftwareDistribution\Download\b036fb87dc9cfdb88c64df1ddd121b4f\SP2QFE\wininet.dll
2008-12-21 01:03 817152 755047861018f8e84be05346e7392606 c:\windows\system32\wininet.dll
2008-12-21 01:03 826368 793da751c812efc3c6786bbd3b8489a8 c:\windows\system32\dllcache\wininet.dll

2008-04-14 05:22 976384 13e794e5591776cbc71055a7b3cc1d5f c:\windows\explorer.exe
2004-08-17 15:49 974848 4d32d7ffc2f583fe21ef0a4f99eabb12 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 05:22 976384 13e794e5591776cbc71055a7b3cc1d5f c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-14 05:22 1034240 27afd587c462e280ee046b8cca3c2cd1 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\explorer.exe

2004-08-17 15:49 100864 dc0447eda50475e6eb9aa14c308efd9b c:\windows\$NtServicePackUninstall$\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-04-14 05:22 111104 df7917138b80c79d15b3e8520d565311 c:\windows\SoftwareDistribution\Download\ab04a73630759d84a46114bfca20f64c\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-01_ 7.23.59,31 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-01 04:49:29 46,196 ----a-w c:\windows\system32\perfc005.dat
+ 2009-04-01 05:36:39 46,196 ----a-w c:\windows\system32\perfc005.dat
- 2009-04-01 04:49:29 40,128 ----a-w c:\windows\system32\perfc009.dat
+ 2009-04-01 05:36:39 40,128 ----a-w c:\windows\system32\perfc009.dat
- 2009-04-01 04:49:29 309,990 ----a-w c:\windows\system32\perfh005.dat
+ 2009-04-01 05:36:39 309,990 ----a-w c:\windows\system32\perfh005.dat
- 2009-04-01 04:49:29 311,740 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-01 05:36:39 311,740 ----a-w c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-04-01 917504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kerio\\Personal Firewall 4\\kpf4gui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2004-11-02 262144]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-04-01 39424]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - PROCEXP100
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.centrum.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: imon.dll
TCP: {10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94} = 192.168.2.133,217.197.152.135
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 07:40:11
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2009-04-01 7:40:55
ComboFix-quarantined-files.txt 2009-04-01 05:40:53
ComboFix2.txt 2009-04-01 05:24:22

Před spuštěním: Volných bajtů: 239 558 320 128
Po spuštění: Volných bajtů: 239,545,405,440

173 --- E O F --- 2009-04-01 01:22:24







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:47, on 1.4.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O17 - HKLM\System\CS3\Services\Tcpip\..\{10FB5C9F-C1D4-4B2B-AA8B-640DAE9DFF94}: NameServer = 192.168.2.133,217.197.152.135
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3935 bytes

[jaro3]

Logy O.K:

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u

takže jestli nejsou problémy,tak vyčisti systém CCleanerem

a použij i T-Cleaner
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš>spustíš

Stáhni si ATF Cleaner
Poklepej na ATF Cleaner.exe, klikni select all found, pak klik empty selected.
Pokud chceš zachovat svoje uložená hesla, klikni na No.
ATF-Cleaner je jednoduchý nástroj na odstranění historie z webového prohlížeče. Program dokáže odstranit cache, cookies, historii a další stopy po surfování na Internetu. Mezi podporované prohlížeče patří Internet Explorer, Firefox a Opera. Aplikace navíc umí odstranit dočasné soubory Windows, vysypat koš atd.

Aktualizuj javu:
Java SE Runtime Environment 6u13
Vyber OS ( předpokládám Windows), zatržítko agree-continue
Vyber:
Windows Offline Installation
jre-6u13-windows-i586-p.exe
Ostatní javy odeber v přidat/odebrat programy.
Pokud nejsou problémy , je to vše.

[wichin]

Mnohokrát děkuji. Ještě mám dotaz. Proč v logu z hijack mám tolik 17tek? K čemu to je? dík

[jaro3]

Nemáš zač, můžeš dát vyřešeno , fajfku.
Add 017:
O17 Section

This section corresponds to Lop.com Domain Hacks.

When you go to a web site using an hostname, like www.bleepingcomputer.com, instead of an IP address, your computer uses a DNS server to resolve the hostname into an IP address like 192.168.1.0. Domain hacks are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want. By adding google.com to their DNS server, they can make it so that when you go to www.google.com, they redirect you to a site of their choice.Example Listing 017 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers do not belong to your ISP or company, then you should have HijackThis fix it. You can go to Arin to do a whois a on the DNS server IP addresses to determine what company they belong to.