Hi,
NOD32 found Win32/TrojanDropper.Agent.DGO on my machine, which I tried to delete, and also Win32/Adware.Virtumonde.FP in memory. The memory was infected from the file C:\WINDOWS\system32\nnnon.dll
Thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:43, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Petr\Plocha\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40542B8E-FCA0-4DC4-B450-143B0C2A9BC3} - C:\WINDOWS\system32\nnnon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7C14D2A2-6DE3-4B97-9653-E45A03F77ED4} - (no file)
O2 - BHO: (no name) - {81DBB777-D36B-4C0A-B8DC-440747412DFD} - (no file)
O2 - BHO: (no name) - {B0EEDC94-E177-43D2-B600-84E7AC69969B} - (no file)
O2 - BHO: (no name) - {CE5222CC-A078-4B32-BBE4-2A30DADA4B37} - (no file)
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Akcelerátor spuštění AutoCADu.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B19DF509-B134-4A18-9C70-CE95095A7111}: NameServer = 10.10.10.10,10.10.11.11
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///E:/zabava/tapety/tapeta5.jpg
O24 - Desktop Component 1: (no name) - file:///E:/zabava/tapety/tapeta9.jpg
--
End of file - 4628 bytes
Please check the log.
Anonym replied:
You can fix these:
O2 - BHO: (no name) - {7C14D2A2-6DE3-4B97-9653-E45A03F77ED4} - (no file)
O2 - BHO: (no name) - {81DBB777-D36B-4C0A-B8DC-440747412DFD} - (no file)
O2 - BHO: (no name) - {B0EEDC94-E177-43D2-B600-84E7AC69969B} - (no file)
O2 - BHO: (no name) - {CE5222CC-A078-4B32-BBE4-2A30DADA4B37} - (no file)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
A firewall is missing!
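The reading Anonym does above (orphaned O2 BHO entries, empty R0 values, no firewall) can be turned into a check that runs over the log text. The Python below is an added example written for this page; it is not a HijackThis feature or anything posted in the thread. The sample lines are copied from the HijackThis log at the top of the thread, abridged. The `FIREWALL_BINARIES` set is an assumption (it names only ZoneAlarm's TrueVector service binary, vsmon.exe, which the log registers under O23 but does not show among the running processes); extend it for other products.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread,
# abridged to the entries the example needs.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Documents and Settings\Petr\Plocha\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40542B8E-FCA0-4DC4-B450-143B0C2A9BC3} - C:\WINDOWS\system32\nnnon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7C14D2A2-6DE3-4B97-9653-E45A03F77ED4} - (no file)
O2 - BHO: (no name) - {81DBB777-D36B-4C0A-B8DC-440747412DFD} - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4628 bytes
"""

# Editor's assumption: service binaries treated as "the firewall".
# vsmon.exe is ZoneAlarm's TrueVector service; add others as needed.
FIREWALL_BINARIES = {"vsmon.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its coded entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first coded entry ends the process list
            entries.append((m.group(1), line))
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def triage_hjt(text):
    """Return (kind, subject, note) findings for the entries the thread discusses."""
    processes, entries = parse_hjt(text)
    running = {p.lower() for p in processes}
    findings = []
    for code, line in entries:
        if code == "O2":
            m = BHO_RE.match(line)
            if not m:
                continue
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            if path == "(no file)":
                findings.append(("orphan-bho", clsid, "BHO registration whose DLL is gone; HJT can fix it"))
            elif name == "(no name)":
                findings.append(("unnamed-bho", clsid, f"unnamed BHO still loading {path}; identify before fixing"))
        elif code == "R0" and line.endswith("="):
            findings.append(("empty-r0", line.split(" - ", 1)[1], "empty IE registry value; harmless, HJT can fix it"))
        elif code == "O23":
            m = SVC_RE.match(line)
            if m and m.group("path").rsplit("\\", 1)[-1].lower() in FIREWALL_BINARIES:
                if m.group("path").lower() not in running:
                    findings.append(("firewall-not-running", m.group("path"),
                                     "firewall service is registered but its process is not running"))
    return findings


if __name__ == "__main__":
    for kind, subject, note in triage_hjt(SAMPLE_LOG):
        print(f"{kind:22} {subject}\n{'':22} {note}")
```

The orphan entries are the four `(no name) ... (no file)` lines Anonym lists; the unnamed BHO that still has a file is the one NOD32 reported, which is why it is flagged separately rather than lumped in with the safe fixes.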
fredik (Security team member) replied:
Download ComboFix (by sUBs) and save it to your desktop.
Close all open windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing the 1 key
- Then follow the on-screen instructions; do not click into the window that appears while ComboFix is working
- When the scan finishes, the program should create a log, C:\ComboFix.txt; please paste its full contents here
Here is the log from ComboFix
ComboFix 07-12-21.4 - Petr 2007-12-28 15:00:23.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.196 [GMT 1:00]
Running from: C:\Documents and Settings\Petr\Plocha\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\auto.exe
C:\WINDOWS\system32\jgjjuunl.ini
C:\WINDOWS\system32\lnuujjgj.dll
C:\WINDOWS\system32\nnnon.dll
C:\WINDOWS\system32\nonnn.ini
C:\WINDOWS\system32\nonnn.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 13:40 . 2007-12-28 14:52 326,656 --a------ C:\WINDOWS\system32\nnnon.exe
2007-12-27 21:41 . 2007-03-09 00:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-12-27 21:40 . 2007-03-09 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-27 21:40 . 2007-12-27 21:40 49,466 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-26 12:57 . 2007-12-26 12:58 1,681 --a------ C:\WINDOWS\ST6UNST.001
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\CDVPlayer
2007-12-26 12:45 . 2007-12-26 12:58 466,944 --------- C:\WINDOWS\Setup1.exe
2007-12-26 12:45 . 2003-04-16 01:10 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-26 12:45 . 2007-12-26 12:58 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-12-26 12:44 . 2003-06-16 07:43 1,389,595 --------- C:\WINDOWS\CDV.CAB
2007-12-26 12:44 . 2007-12-26 12:45 1,887 --a------ C:\WINDOWS\ST6UNST.000
2007-12-25 09:42 . 2007-12-25 09:44 <DIR> d-------- C:\trainztmp
2007-12-25 09:13 . 2007-12-25 09:13 <DIR> d-------- C:\Program Files\Auran
2007-12-24 12:14 . 2005-10-15 08:56 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Šablony
2007-12-24 12:14 . 2006-10-27 19:52 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Plocha
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní tiskárny
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní síť
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Oblíbené položky
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> dr------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Nabídka Start
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Dokumenty
2007-12-24 12:14 . 2007-12-28 11:00 <DIR> dr-h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Data aplikací
2007-12-24 11:29 . 2007-12-28 11:18 <DIR> d-------- C:\VundoFix Backups
2007-12-23 13:26 . 2007-12-28 10:57 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 13:25 . 2007-12-24 10:11 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 15:38 . 2007-12-21 15:42 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 20:20 . 2007-03-08 00:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-18 20:19 . 2007-03-08 00:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-12-05 18:02 . 2007-12-05 18:19 <DIR> d-------- C:\Program Files\FlatOut2
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 11:59 --------- d-----w C:\Program Files\Spyware Terminator
2007-12-26 16:36 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-26 11:23 --------- d-----w C:\Program Files\CyberLink
2007-12-25 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 16:15 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-09 14:23 --------- d-----w C:\Program Files\totalcmd
2007-11-25 11:15 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-25 10:47 --------- d-----w C:\Program Files\CCleaner
2007-11-25 09:57 --------- d-----w C:\Program Files\ABBYY FineReader 9.0
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Správa překryvné ikony digitálních podpisů AutoCADu ]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 13:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"WinampAgent"="C:\Program Files\Winamp\winampa.exe"
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 11:49]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-10-16 21:20]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 02:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 07:04]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-08-01 00:45]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2005-10-15 22:42]
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 11:49]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 17:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 15:09:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2007-12-28 15:10:34 - machine was rebooted
.
2007-12-12 19:04:37 --- E O F ---
fredik (Security team member) replied:
Open Notepad (Start -> Run..., type Notepad in the box and click OK)
Copy into it the following text highlighted in green:
File::
C:\WINDOWS\system32\nnnon.exe
Folder::
C:\VundoFix Backups
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all open windows.
Drag the CFScript.txt you created onto the downloaded ComboFix.exe and drop it when the two files overlap
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process
+
also post a new HJT log at the same time
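The step fredik takes above, reading the ComboFix log for what survived the first run (nnnon.exe in the Files Created list, the VundoFix backup folder) and writing a CFScript for it, can be partly mechanised. The Python below is an added example written for this page, not a ComboFix feature or anything posted in the thread. Its sample lines are copied from the first ComboFix log in this thread, abridged. The three heuristics are the editor's assumptions: a DLL with a reversed-name .ini companion (the pairing visible in the log's deletions list, nnnon.dll with nonnn.ini); a file name with whitespace before its extension; and an executable created in system32 within two days of the scan. The output is a review list, not a verdict: the ZoneAlarm engine DLL installed the day before the scan lands in it too.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the first ComboFix log posted in this thread,
# abridged to the entries the example needs.
SAMPLE_COMBOFIX = r"""ComboFix 07-12-21.4 - Petr 2007-12-28 15:00:23.1 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\auto.exe
C:\WINDOWS\system32\jgjjuunl.ini
C:\WINDOWS\system32\lnuujjgj.dll
C:\WINDOWS\system32\nnnon.dll
C:\WINDOWS\system32\nonnn.ini
C:\WINDOWS\system32\nonnn.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-28 13:40 . 2007-12-28 14:52 326,656 --a------ C:\WINDOWS\system32\nnnon.exe
2007-12-27 21:40 . 2007-03-09 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-26 12:45 . 2003-04-16 01:10 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-24 11:29 . 2007-12-28 11:18 <DIR> d-------- C:\VundoFix Backups
2007-12-23 13:26 . 2007-12-28 10:57 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 13:25 . 2007-12-24 10:11 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "created . modified size attrs path" as ComboFix prints it
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys")


def parse_combofix(text):
    """Return (scan_time, deleted_paths, created_entries) from a ComboFix log."""
    scan_time, deleted, created, section = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if scan_time is None and line.startswith("ComboFix"):
            m = re.search(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", line)
            if m:
                scan_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if "Other Deletions" in line:
            section = "deleted"
        elif "Files Created" in line:
            section = "created"
        elif line.startswith("(((("):
            section = None                    # any other banner ends the section
        elif section == "deleted" and re.match(r"^[A-Za-z]:\\", line):
            deleted.append(line)
        elif section == "created":
            m = CREATED_RE.match(line)
            if m:
                created.append({"created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                                "size": m.group(3), "attrs": m.group(4), "path": m.group(5)})
    return scan_time, deleted, created


def triage_combofix(text, recent_days=2):
    """Return (kind, path, note) review candidates; recent_days is an assumed window."""
    scan_time, deleted, created = parse_combofix(text)
    findings = []
    # Group every path by lower-cased base name so reversed-name pairs can be spotted.
    stems = {}
    for p in deleted + [e["path"] for e in created]:
        stem, _, ext = p.rsplit("\\", 1)[-1].lower().partition(".")
        stems.setdefault(stem, set()).add(ext)
    for stem, exts in stems.items():
        partner = stems.get(stem[::-1], set())
        if "dll" in exts and any(e.startswith("ini") for e in partner):
            findings.append(("reversed-ini-pair", f"{stem}.dll / {stem[::-1]}.ini",
                             "DLL with a reversed-name .ini companion, as in the deletions list"))
    for e in created:
        base, low = e["path"].rsplit("\\", 1)[-1], e["path"].lower()
        if re.search(r"\s\.[a-z0-9]+$", base, re.I):
            findings.append(("lookalike-name", e["path"], "whitespace before the extension; mimics a real file name"))
        elif ("\\system32\\" in low and low.endswith(EXEC_EXT) and e["size"] != "<DIR>"
              and scan_time and scan_time - e["created"] <= timedelta(days=recent_days)):
            findings.append(("recent-system32-executable", e["path"], "executable created in system32 shortly before the scan"))
    return findings


def build_cfscript(files, folders=()):
    """Render File:: / Folder:: blocks in the layout used in the reply above."""
    lines = []
    if files:
        lines += ["File::", *files]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage_combofix(SAMPLE_COMBOFIX)
    for kind, path, note in found:
        print(f"{kind:28} {path}\n{'':28} {note}")
    print(build_cfscript([p for k, p, _ in found if k == "recent-system32-executable"],
                         [r"C:\VundoFix Backups"]))
```

The script only proposes; a responder still decides what goes into `File::`. Feeding every candidate straight into ComboFix would delete the ZoneAlarm DLL in this very log.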
Here is the ComboFix log + HJT
ComboFix 07-12-21.4 - Petr 2007-12-28 19:28:08.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.191 [GMT 1:00]
Running from: C:\Documents and Settings\Petr\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Petr\Plocha\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\nnnon.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\nonnn.ini.bad
C:\VundoFix Backups\nonnn.ini2.bad
C:\VundoFix Backups\wineek32.dll.bad
C:\WINDOWS\system32\nnnon.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-27 21:41 . 2007-03-09 00:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-12-27 21:40 . 2007-03-09 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-27 21:40 . 2007-12-27 21:40 49,466 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-26 15:42 . 2007-12-26 15:42 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Data aplikací\Talkback
2007-12-26 12:57 . 2007-12-26 12:58 1,681 --a------ C:\WINDOWS\ST6UNST.001
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\CDVPlayer
2007-12-26 12:45 . 2007-12-26 12:58 466,944 --------- C:\WINDOWS\Setup1.exe
2007-12-26 12:45 . 2003-04-16 01:10 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-26 12:45 . 2007-12-26 12:58 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-12-26 12:44 . 2003-06-16 07:43 1,389,595 --------- C:\WINDOWS\CDV.CAB
2007-12-26 12:44 . 2007-12-26 12:45 1,887 --a------ C:\WINDOWS\ST6UNST.000
2007-12-25 09:42 . 2007-12-25 09:44 <DIR> d-------- C:\trainztmp
2007-12-25 09:13 . 2007-12-25 09:13 <DIR> d-------- C:\Program Files\Auran
2007-12-24 12:14 . 2006-10-27 19:52 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Plocha
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní tiskárny
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní síť
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Oblíbené položky
2007-12-24 12:14 . 2005-10-15 08:56 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Šablony
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> dr------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Nabídka Start
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Dokumenty
2007-12-24 12:14 . 2007-12-28 11:00 <DIR> dr-h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Data aplikací
2007-12-23 13:26 . 2007-12-28 10:57 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 13:25 . 2007-12-24 10:11 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 15:38 . 2007-12-21 15:42 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-20 17:22 . 2007-12-20 17:24 <DIR> d-------- C:\Documents and Settings\Petr\Data aplikací\DAEMON Tools
2007-12-18 20:20 . 2007-03-08 00:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-18 20:19 . 2007-03-08 00:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-12-05 18:02 . 2007-12-05 18:19 <DIR> d-------- C:\Program Files\FlatOut2
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 11:59 --------- d-----w C:\Program Files\Spyware Terminator
2007-12-28 11:59 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2007-12-26 16:36 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-26 11:23 --------- d-----w C:\Program Files\CyberLink
2007-12-25 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 16:15 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-12 18:14 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-12-09 14:23 --------- d-----w C:\Program Files\totalcmd
2007-11-25 11:15 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-25 10:47 --------- d-----w C:\Program Files\CCleaner
2007-11-25 09:57 --------- d-----w C:\Program Files\ABBYY FineReader 9.0
2007-11-25 09:56 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 17:02 49,936 ----a-w C:\Documents and Settings\Petr\Data aplikací\GDIPFONTCACHEV1.DAT
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-05-11 20:12 476,752 ----a-w C:\Documents and Settings\All Users\Data aplikací\pswi_preloaded.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Správa překryvné ikony digitálních podpisů AutoCADu ]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}
[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-05 13:18 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15]
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-26 17:37:07]
Akcelerátor spuštění AutoCADu.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"WinampAgent"="C:\Program Files\Winamp\winampa.exe"
R1 eusk2par;EUTRON SmartKey Parallel Driver;C:\WINDOWS\system32\Drivers\eusk2par.sys [2004-11-18 11:49]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-10-16 21:20]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 02:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 07:04]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-08-01 00:45]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\System32\drivers\CDANT.SYS [2005-10-15 22:42]
S3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2004-11-18 11:49]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 17:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 19:31:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2007-12-28 19:31:38
C:\ComboFix2.txt ... 2007-12-28 15:10
.
2007-12-12 19:04:37 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:27, on 28.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Petr\Plocha\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Akcelerátor spuštění AutoCADu.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B19DF509-B134-4A18-9C70-CE95095A7111}: NameServer = 10.10.10.10,10.10.11.11
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///E:/zabava/tapety/tapeta5.jpg
O24 - Desktop Component 1: (no name) - file:///E:/zabava/tapety/tapeta9.jpg
--
End of file - 3975 bytes
ComboFix 07-12-21.4 - Petr 2007-12-28 19:28:08.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.191 [GMT 1:00]
Running from: C:\Documents and Settings\Petr\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Petr\Plocha\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\nnnon.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\nonnn.ini.bad
C:\VundoFix Backups\nonnn.ini2.bad
C:\VundoFix Backups\wineek32.dll.bad
C:\WINDOWS\system32\nnnon.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-27 21:41 . 2007-03-09 00:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-12-27 21:40 . 2007-03-09 00:01 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-27 21:40 . 2007-12-27 21:40 49,466 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-26 15:42 . 2007-12-26 15:42 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Data aplikací\Talkback
2007-12-26 12:57 . 2007-12-26 12:58 1,681 --a------ C:\WINDOWS\ST6UNST.001
2007-12-26 12:45 . 2007-12-26 12:45 <DIR> d-------- C:\Program Files\CDVPlayer
2007-12-26 12:45 . 2007-12-26 12:58 466,944 --------- C:\WINDOWS\Setup1.exe
2007-12-26 12:45 . 2003-04-16 01:10 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-26 12:45 . 2007-12-26 12:58 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-12-26 12:44 . 2003-06-16 07:43 1,389,595 --------- C:\WINDOWS\CDV.CAB
2007-12-26 12:44 . 2007-12-26 12:45 1,887 --a------ C:\WINDOWS\ST6UNST.000
2007-12-25 09:42 . 2007-12-25 09:44 <DIR> d-------- C:\trainztmp
2007-12-25 09:13 . 2007-12-25 09:13 <DIR> d-------- C:\Program Files\Auran
2007-12-24 12:14 . 2006-10-27 19:52 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Plocha
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní tiskárny
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Okolní síť
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Oblíbené položky
2007-12-24 12:14 . 2005-10-15 08:56 <DIR> d--h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Šablony
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> dr------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Nabídka Start
2007-12-24 12:14 . 2005-10-15 10:38 <DIR> d-------- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Dokumenty
2007-12-24 12:14 . 2007-12-28 11:00 <DIR> dr-h----- C:\Documents and Settings\Administrator.HEROLD-3CFMGN35\Data aplikací
2007-12-23 13:26 . 2007-12-28 10:57 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 13:25 . 2007-12-24 10:11 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 15:38 . 2007-12-21 15:42 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-20 17:22 . 2007-12-20 17:24 <DIR> d-------- C:\Documents and Settings\Petr\Data aplikací\DAEMON Tools
2007-12-18 20:20 . 2007-03-08 00:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-18 20:20 . 2007-03-08 00:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-18 20:19 . 2007-03-08 00:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-12-05 18:02 . 2007-12-05 18:19 <DIR> d-------- C:\Program Files\FlatOut2
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-11-30 13:34 . 2004-08-04 07:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 11:59 --------- d-----w C:\Program Files\Spyware Terminator
2007-12-28 11:59 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2007-12-26 16:36 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-26 11:23 --------- d-----w C:\Program Files\CyberLink
2007-12-25 08:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 16:15 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-12 18:14 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-12-09 14:23 --------- d-----w C:\Program Files\totalcmd
2007-11-25 11:15 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-25 10:47 --------- d-----w C:\Program Files\CCleaner
2007-11-25 09:57 --------- d-----w C:\Program Files\ABBYY FineReader 9.0
2007-11-25 09:56 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
- fredik
- Security team member
You have an old version of Java there, so update it:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 3
- Scroll down to where it says Java Runtime Environment (JRE) 6 Update 3 and click the Download button
- Tick the option that says: Accept License Agreement
- The page will reload.
- Click the download link: Windows Offline Installation, Multi-language and save it to disk
- Close the programs you have running, especially the web browser
- Go to Start -> Control Panel -> Add or Remove Programs and uninstall all old versions of Java
- Look for entries named Java Runtime Environment (JRE or J2SE)
* examples of old versions in Add or Remove Programs:
- J2SE Runtime Environment 5.0
- J2SE Runtime Environment 5.0 Update 8
- Java 2 Runtime Environment, SE v1.4.2
- Uninstall any old versions of Java one after another
- After the uninstallation finishes, restart the PC.
- Then just run the installation of the latest version from the file jre-6u3-windows-i586-p.exe that you downloaded at the beginning.
ZoneAlarm is running in your services but not in your processes. Do you have it turned off?
Download RenV (by sUBs)
- run it and after a moment a log will appear; please copy its entire contents here
A lot of installed programs have disappeared from Add or Remove Programs, and the remaining ones now have no Change or Remove button, so the old versions of Java can't be uninstalled there. The Change or Remove button is only there for Zone Alarm, which I have just reinstalled because it wouldn't start. The NOD 32 icon has also disappeared from the taskbar notification area, as has the language bar. But NOD 32 appears as running in the Security Center.
So here it is.
Code:
Ran on so 29.12.2007 - 12:07:16,38
----a-w 180,269 2007-12-28 06:56:16 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 32,768 2007-12-26 12:08:41 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 949,376 2007-12-28 06:56:19 C:\Program Files\ESET\nod32kui .exe
----a-w 241,664 2007-12-28 06:56:17 C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w 1,694,208 2007-12-28 06:56:23 C:\Program Files\Messenger\msmsgs .exe
----a-w 450,560 2007-12-28 06:56:18 C:\Program Files\Seznam\Postak\Postak .exe
----a-w 2,778,112 2007-12-28 06:56:24 C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w 919,016 2007-12-27 20:25:52 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w 15,360 2007-12-28 09:57:23 C:\WINDOWS\system32\ctfmon .exe
----a-w 155,648 2007-12-24 09:11:27 C:\WINDOWS\system32\NeroCheck .exe
----a-w 483,328 2007-12-24 09:11:25 C:\WINDOWS\system32\spool\drivers\w32x86\3\fppdis2a .exe
Entries: 11 (11)
Directories: 0 Files: 11
Bytes: 7,900,309 Blocks: 15,432
- fredik
- Security team member
In the same place (the same folder/directory) where you ran RenV, a file Log.txt was created
- grab that file (Log.txt) with the mouse and move it over RenV.exe, and when the two files overlap, drop the log (the same procedure as with ComboFix and CFScript.txt)
- The program will run again and when it finishes it will show a log again; please copy it here
Here is the result.
Code:
Ran on so 29.12.2007 - 15:26:41,01
------w 2,778,112 2007-12-28 06:56:24 C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
------w 919,016 2007-12-27 20:25:52 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 3,697,128 Blocks: 7,221