Hi,
may I tag along here, since you sorted that out so quickly?
A few days ago I had an alert in Avast. I deleted all the infected files and ran a full scan, Spybot and CCleaner, but I still notice one odd thing: the names of some folders are shown in blue. I'm attaching the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:56, on 20.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
C:\Programy\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
C:\Programy\Alwil Software\Avast4\ashWebSv.exe
C:\Programy\ALWILS~1\Avast4\ashDisp.exe
C:\Programy\uTorrent\utorrent.exe
C:\Programy\ZoneAlarm\zlclient.exe
C:\Programy\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programy\ICQ6\ICQ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programy\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programy\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O4 - HKLM\..\Run: [avast!] C:\Programy\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [uTorrent] C:\\Programy\\uTorrent\\utorrent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programy\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PeerGuardian] C:\Programy\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Siemens Dial-Up PPP Connection.lnk = ?
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programy\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programy\ICQ6\ICQ.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFBAA090-A131-449A-AFF2-9B2AB327023D}: NameServer = 212.158.128.2,212.158.128.3
O21 - SSODL: DriveSys - {1966654c-895e-43bb-8baa-9c06e3f13bfa} - C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll
O21 - SSODL: DriveComponent - {485df745-335f-4627-bdbc-5f7ca126b13d} - C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll
O21 - SSODL: zip - {4072597b-5c1a-4057-97ec-16eba436902c} - C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Programy\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4471 bytes
HijackThis (Asmon)
- Baron Prášil
Welcome to the PC-HELP forum.
Every problem has its own specifics, so start
Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing the 1 key
- Then follow the instructions; while ComboFix is being applied, do not click in the window that appears
- When the scan finishes, the program should create a log, which will be displayed to you; otherwise you will find it here: C:\ComboFix.txt - please copy its entire contents here

Thanks a lot for the warm welcome
I let it run and it deleted something; even Avast squealed that a virus had been found. Yet I had previously let it run a thorough scan twice and it found nothing. Log below:
ComboFix 08-02-20.2 - Administrator 2008-02-20 21:55:48.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1544 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\wvutqrs.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\wvutqrs.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-20 20:36 . 2008-02-20 20:37 3,376,388 --a------ C:\WINDOWS\{00000007-00000000-00000001-00001102-00000002-80651102}.BAK
2008-02-20 20:05 . 2001-10-25 15:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-20 20:04 . 2001-10-25 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-20 20:03 . 2004-08-17 14:49 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-18 17:03 . 2004-08-18 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 17:01 . 2001-10-25 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-02-18 16:48 . 2004-08-18 13:00 1,086,058 -ra------ C:\WINDOWS\SET91.tmp
2008-02-18 16:48 . 2004-08-18 13:00 1,014,483 -ra------ C:\WINDOWS\SET8F.tmp
2008-02-18 16:48 . 2004-08-18 13:00 14,043 -ra------ C:\WINDOWS\SET99.tmp
2008-02-18 16:48 . 2008-02-18 17:08 4,382 --a------ C:\WINDOWS\imsins.BAK
2008-02-18 16:47 . 2008-02-18 17:11 306,426 --a------ C:\WINDOWS\setupapi.old
2008-02-18 14:27 . 2008-02-18 14:27 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-18 14:27 . 2008-02-18 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\SystemRequirementsLab
2008-02-18 14:26 . 2008-02-18 14:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 10:10 . 2007-09-05 22:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 10:10 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-17 10:10 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-17 10:10 . 2007-10-03 22:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-17 09:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 09:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-17 09:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 09:12 . 2008-02-20 21:12 1,640 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-16 11:30 . 2008-02-16 11:30 <DIR> d-------- C:\Program Files\Cyberlink
2008-02-14 11:33 . 2008-02-14 11:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-14 11:33 . 2001-03-22 00:00 995,136 --a------ C:\WINDOWS\system\MSAJT200.DLL
2008-02-14 11:08 . 2008-02-14 11:09 <DIR> d-------- C:\Program Files\Common Files\Bentley Shared
2008-02-14 09:10 . 1996-04-02 05:50 425,472 --a------ C:\WINDOWS\system32\QESQL04.DLL
2008-02-14 09:10 . 1996-04-02 05:50 203,264 --a------ C:\WINDOWS\system32\QELIB.DLL
2008-02-14 09:10 . 1996-04-02 05:50 169,984 --a------ C:\WINDOWS\system32\QEUTL04.DLL
2008-02-14 09:10 . 1996-04-02 05:50 16,896 --a------ C:\WINDOWS\system32\QEMDS04.DLL
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 21:05 16,621,600 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-20 21:04 198,944 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-18 07:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 21:58 --------- d-----w C:\Program Files\Java
2008-01-11 21:56 --------- d-----w C:\Program Files\Common Files\Java
2008-01-07 13:01 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-12-31 14:48 73,728 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-31 14:48 253,952 ----a-w C:\WINDOWS\Setup1.exe
2007-12-23 14:12 --------- d-----w C:\Program Files\ViaVoice TTS
2007-12-23 12:09 --------- d-----w C:\Program Files\MSXML 6.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Programy\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Programy\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"uTorrent"="C:\\Programy\\uTorrent\\utorrent.exe" [2008-01-30 19:52 219952]
"ZoneAlarm Client"="C:\Programy\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveSys"= {1966654c-895e-43bb-8baa-9c06e3f13bfa} - C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll [2008-02-16 11:36 14374]
"DriveComponent"= {485df745-335f-4627-bdbc-5f7ca126b13d} - C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll [2008-02-18 08:05 14374]
"zip"= {4072597b-5c1a-4057-97ec-16eba436902c} - C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll [2008-02-18 08:07 38438]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Uniblue SpyEraser"="C:\Programy\SpyEraser\SpyEraser.exe" -m
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programy\PowerDVD\000.fcl [2006-11-02 16:51]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 14:49]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-30 12:44]
*Newly Created Service* - PGFILTER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 22:06:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll
-> C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll
-> C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
C:\Programy\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
C:\Programy\Alwil Software\Avast4\ashWebSv.exe
C:\Programy\uTorrent\utorrent.exe
.
**************************************************************************
.
Completion time: 2008-02-20 22:09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 21:09:29

- Baron Prášil
Open Notepad (Start -> Run..., type Notepad into the box and click OK)
Copy the following text, marked in green, into it:
File::
C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll
C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll
C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\drivers\fidbox.dat
C:\WINDOWS\system32\drivers\fidbox.idx
C:\WINDOWS\iun6002.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveSys"=-
"DriveComponent"=-
"zip"=-
Choose File -> Save As... and set these parameters:
File name: type here: CFScript.txt
Save as type: select All Files there
Save the file to your desktop.
Close all active windows.
Grab the CFScript.txt script you created with the mouse, drag it over the downloaded ComboFix.exe program, and when the two files overlap, drop the script

- ComboFix will start automatically
- Paste here the log that comes up at the end of the cleaning process + a new HijackThis log + info on how the computer is behaving
Done, and things are running fine now. I did still find a folder with a blue name, but hopefully the main thing is gone. The desktop displays stably and the icons next to the clock no longer disappear. I see that I didn't mention that originally
I'm attaching the logs:
In the HijackThis log it caught my attention that this is running:
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
That's something to do with PowerDVD, yet I hardly use it at all and it is turned off. Can I delete it directly? When I use FIX CHECKED in Hijack, it is there again after a scan. Any other nonsense, possibly?
PS: Now I see that Tune Up and Nero Back Up are running in the same way...
ComboFix 08-02-20.2 - Administrator 2008-02-20 22:49:31.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1614 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll
C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll
C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\drivers\fidbox.dat
C:\WINDOWS\system32\drivers\fidbox.idx
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\VACFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Installer\{1966654c-895e-43bb-8baa-9c06e3f13bfa}\DriveSys.dll
C:\WINDOWS\Installer\{4072597b-5c1a-4057-97ec-16eba436902c}\zip.dll
C:\WINDOWS\Installer\{485df745-335f-4627-bdbc-5f7ca126b13d}\DriveComponent.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\drivers\fidbox.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\fidbox.idx . . . . failed to delete
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\drivers\fidbox.dat . . . . failed to delete
C:\WINDOWS\system32\drivers\fidbox.idx . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-20 20:36 . 2008-02-20 20:37 3,376,388 --a------ C:\WINDOWS\{00000007-00000000-00000001-00001102-00000002-80651102}.BAK
2008-02-20 20:05 . 2001-10-25 15:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-02-20 20:04 . 2001-10-25 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-20 20:03 . 2004-08-17 14:49 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-20 20:01 . 2008-02-20 20:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-18 17:03 . 2004-08-18 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-18 17:01 . 2001-10-25 15:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-02-18 16:48 . 2004-08-18 13:00 1,086,058 -ra------ C:\WINDOWS\SET91.tmp
2008-02-18 16:48 . 2004-08-18 13:00 1,014,483 -ra------ C:\WINDOWS\SET8F.tmp
2008-02-18 16:48 . 2004-08-18 13:00 14,043 -ra------ C:\WINDOWS\SET99.tmp
2008-02-18 16:48 . 2008-02-18 17:08 4,382 --a------ C:\WINDOWS\imsins.BAK
2008-02-18 16:47 . 2008-02-18 17:11 306,426 --a------ C:\WINDOWS\setupapi.old
2008-02-18 14:27 . 2008-02-18 14:27 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-18 14:27 . 2008-02-18 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\SystemRequirementsLab
2008-02-18 14:26 . 2008-02-18 14:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 10:10 . 2007-09-05 22:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-17 10:10 . 2007-10-03 22:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-17 09:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-17 09:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-17 09:12 . 2008-02-20 21:12 1,640 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-16 11:30 . 2008-02-16 11:30 <DIR> d-------- C:\Program Files\Cyberlink
2008-02-14 11:33 . 2008-02-14 11:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-14 11:33 . 2001-03-22 00:00 995,136 --a------ C:\WINDOWS\system\MSAJT200.DLL
2008-02-14 11:08 . 2008-02-14 11:09 <DIR> d-------- C:\Program Files\Common Files\Bentley Shared
2008-02-14 09:10 . 1996-04-02 05:50 425,472 --a------ C:\WINDOWS\system32\QESQL04.DLL
2008-02-14 09:10 . 1996-04-02 05:50 203,264 --a------ C:\WINDOWS\system32\QELIB.DLL
2008-02-14 09:10 . 1996-04-02 05:50 169,984 --a------ C:\WINDOWS\system32\QEUTL04.DLL
2008-02-14 09:10 . 1996-04-02 05:50 16,896 --a------ C:\WINDOWS\system32\QEMDS04.DLL
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 21:53 34,848 ----a-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-20 21:52 32 ----a-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-18 07:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 21:58 --------- d-----w C:\Program Files\Java
2008-01-11 21:56 --------- d-----w C:\Program Files\Common Files\Java
2007-12-31 14:48 73,728 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-31 14:48 253,952 ----a-w C:\WINDOWS\Setup1.exe
2007-12-23 14:12 --------- d-----w C:\Program Files\ViaVoice TTS
2007-12-23 12:09 --------- d-----w C:\Program Files\MSXML 6.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Programy\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Programy\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"uTorrent"="C:\\Programy\\uTorrent\\utorrent.exe" [2008-01-30 19:52 219952]
"ZoneAlarm Client"="C:\Programy\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"Uniblue SpyEraser"="C:\Programy\SpyEraser\SpyEraser.exe" -m
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programy\PowerDVD\000.fcl [2006-11-02 16:51]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-17 14:49]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-30 12:44]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 22:53:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
C:\Programy\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
C:\Programy\Alwil Software\Avast4\ashWebSv.exe
C:\Programy\uTorrent\utorrent.exe
.
**************************************************************************
.
Completion time: 2008-02-20 22:56:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 21:56:00
ComboFix2.txt 2008-02-20 21:09:34
And HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:01, on 21.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
C:\Programy\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
C:\Programy\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programy\ALWILS~1\Avast4\ashDisp.exe
C:\Programy\uTorrent\utorrent.exe
C:\Programy\ZoneAlarm\zlclient.exe
C:\Programy\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programy\ICQ6\ICQ.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programy\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programy\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Programy\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [uTorrent] C:\\Programy\\uTorrent\\utorrent.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programy\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [PeerGuardian] C:\Programy\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programy\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programy\ICQ6\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFBAA090-A131-449A-AFF2-9B2AB327023D}: NameServer = 212.158.128.2,212.158.128.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programy\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programy\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NBService - Nero AG - C:\Programy\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4289 bytes

In the HijackThis log I noticed that this is running:
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
It's something to do with PowerDVD, yet I hardly use it at all and it is turned off. Can I delete it directly? When I click FIX CHECKED in Hijack, it is there again after the scan. Or are there any other nonsense entries?
PS: Now I see that Tune Up and Nero Back Up are running in the same way...
- Baron Prášil
- Master Level 7
- Posts: 4882
- Registered: June 06
- Status: Offline
Fine. The log is OK, we won't dig into it any further.
Clean the system with CCleaner and RegCleaner.
T-Cleaner will delete everything left behind by ComboFix, SDFix, Avenger, etc.
Deal with the things you don't want like this:
http://www.extra-pc.cz/otravne_programy ... ra_pc_1207

