Smitfraud-C.CoreService - prosím také o pomoc Vyřešeno

[jirkaaaa]

Zdravím Vás,
vím, že zde tento problém již byl popsané, ale mne se nedaří jej odstranit - prosím o pomoc. Níže přikládám log z HijackThis v2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08, on 2008-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\QIP\qip.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\wincmd\WinCmd32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spy Class - {1DBB09FF-5697-4E4A-B138-1428E2DB5B20} - C:\WINDOWS\system32\blocker.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIeHelpU3.dll
O3 - Toolbar: &Seznam Lištička - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Listicka\Toolbar.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [SpybotDeletingA4897] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9067] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB4452] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD645] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5034
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hlede&j v ČR - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5033
O8 - Extra context menu item: Hledej v &encyklopedii - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5108
O8 - Extra context menu item: Hledej ve &světě - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5035
O8 - Extra context menu item: Hledej ve &zboží - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5107
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bleskově - {141D2E4F-F313-4991-B61A-EE5D6D849361} - http://bleskove.centrum.cz (file missing)
O9 - Extra button: Centrum.cz - {2A5CFB1C-AAA2-4760-8462-1B61CF74B7D8} - http://www.centrum.cz (file missing)
O9 - Extra button: Xchat - {2BCB61BF-DC41-4738-A149-BDAAAD7FF0BD} - http://www.xchat.cz (file missing)
O9 - Extra button: Aktuálně - {2E01031B-AB09-4455-823D-25F1A1C11F48} - http://aktualne.centrum.cz (file missing)
O9 - Extra button: Slovníky - {2F741D0A-150E-40F9-A602-1B2421475F1D} - http://slovniky.centrum.cz (file missing)
O9 - Extra button: Supermapy - {309176E6-E204-40A0-8D13-7F19C0498C40} - http://www.supermapy.cz (file missing)
O9 - Extra button: mp3.centrum.cz - {49681216-5BF4-41A2-AAFA-129A6BD625DA} - http://mp3.centrum.cz/ (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Žena - {8B6E8E01-D262-4980-8C27-B8B2802285C1} - http://www.zena.cz (file missing)
O9 - Extra button: Fotoalba - {8FD64249-590C-4FBC-B181-12A6BAF516AF} - http://www.fotoalba.cz (file missing)
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Počasí - {A5050656-2286-454F-A489-C605ED1B461C} - http://pocasi.centrum.cz (file missing)
O9 - Extra button: Sportplus - {BC78516C-9DC9-40C5-A91E-74593222EF89} - http://sportplus.centrum.cz (file missing)
O9 - Extra button: Digitálně - {DAE865E8-970E-4931-A172-119CB56BBAF5} - http://www.digitalne.cz/ (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Stahuj.cz - {FC29EB7D-EDBA-4299-AEE4-D1BDC70EFA15} - http://www.stahuj.cz/ (file missing)
O16 - DPF: {3190CE28-0B6E-4133-A7D3-87D29CB92120} (ToolbarInetInstall Control) - http://software.seznam.cz/listicka/toolbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1215340422
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\Software\..\Telephony: DomainName = acomware.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = acomware.local
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9450 bytes

[Reklama]

[fredik]

Vítej na fóru

Před použitím vypni rez. ochranu u SpyBota:
- spusť Spybot - Search & Destroy
- nahoře v menu zvol: Režim => Pro pokročilé
- objeví se ti varovné okno kde zvol Ano
- okno programu se ti přepne do pokročilého zobrazení a tam zvol: Nástroje => Rezidentní
- tam zruš zatržení pokud bude u položky: Rezidentní program "TeaTimer" (Ochrana ...)

- zavři program
Restartuj PC.

Po té si stáhni ResetTeaTimer.bat a ulož si ho na disku.
- spusť ho a po vyzvání zmáčkni libovolnou klávesu
- po proběhnutí a výzvě opět zmáčkni libovolnou klávesu a program se zavře.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Pak si stáhni ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[jirkaaaa]

Díky, jdu na to, za chviličku dám vědět.

[jirkaaaa]

Zdravim,
tak vse jsem udelal jak jsi popsal, nize prikladam ten log.
Pro jistotu jen doplnuju, ze pri spusteni Combofixu na me vyskocilo cerveny okno NODu, ktery jsem zavrel. Program dobehl, pocitac se mi zrestartoval a pak vyhodil tenhle log:

ComboFix 08-04-22.5 - jtraxler 2008-04-24 17:52:21.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.213 [GMT 2:00]
Running from: C:\Documents and Settings\jtraxler\Plocha\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 17:55 . 2008-04-24 17:55 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-24 16:07 . 2008-04-24 16:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 09:12 . 2008-04-24 09:12 4,536 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-23 18:12 . 2008-04-23 18:11 41,472 --a------ C:\Terminy-Pikant-2008.xls
2008-04-18 15:37 . 2008-01-24 19:24 991,744 --a------ C:\sablona-nabidka.doc
2008-04-18 15:37 . 2007-08-29 11:27 32,256 --a------ C:\sablona-nabidka.xls
2008-04-15 17:26 . 2008-04-15 17:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 17:26 . 2008-04-15 17:26 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 11:06 --------- d-----w C:\Program Files\Vario11
2008-04-21 13:53 --------- d-----w C:\Program Files\PDFCreator
2008-04-03 06:51 --------- d-----w C:\Program Files\ICQ
2008-03-11 16:58 --------- d-----w C:\Program Files\Java
2008-03-04 07:08 --------- d-----w C:\Program Files\ESET
2008-03-02 09:31 --------- d-----w C:\Program Files\Webteh
2008-02-27 08:47 --------- d-----w C:\Program Files\Azureus
2008-02-21 08:13 131,072 ----a-w C:\WINDOWS\system32\AcroIeHelpU3.dll
2008-02-21 08:11 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 10:22 120,320 ----a-w C:\WINDOWS\system32\AcroIeHelpU2.dll
2008-01-28 13:04 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-01-24 09:47 120,832 ----a-w C:\WINDOWS\system32\AcroIeHelp.dll
2008-01-23 16:30 23,552 ----a-w C:\Documents and Settings\jtraxler\957123845.exe
2008-01-23 16:30 23,552 ----a-w C:\Documents and Settings\jtraxler\957123844.exe
2008-01-23 16:30 23,552 ----a-w C:\Documents and Settings\jtraxler\81744.exe
2008-01-23 16:30 23,552 ----a-w C:\Documents and Settings\jtraxler\40470.exe
2008-01-23 16:30 23,552 ----a-w C:\Documents and Settings\jtraxler\28582.exe
2007-05-02 08:40 457 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_16.05.54.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 14:03:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 15:55:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-17 13:17:41 3,482 ----a-w C:\WINDOWS\im32st.dat
+ 2008-04-24 07:43:50 3,482 ----a-w C:\WINDOWS\im32st.dat
- 2008-04-23 06:32:02 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-04-24 15:46:33 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-04-23 06:32:02 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 15:46:33 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-23 06:32:02 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-04-24 15:46:33 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-04-23 06:32:02 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 15:46:33 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DBB09FF-5697-4E4A-B138-1428E2DB5B20}]
2004-07-31 15:36 159744 --a------ C:\WINDOWS\system32\blocker.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B782EDE4-CCB3-4E3E-981F-96C68116F38C}]
2008-02-21 10:13 131072 --a------ C:\WINDOWS\system32\AcroIeHelpU3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"MSMSGS"="c:\program files\messenger\msmsgs.exe" [2004-08-17 15:58 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 14:02 40960]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-05 23:34 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-05 23:34 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-05 23:34 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36 827392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-28 15:04 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 600 (0x258)
"LogonType"= 0 (0x0)
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ\\Icq.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 dmloadd;dmloadd;C:\WINDOWS\system32\drivers\dmloadd.sys [2008-01-21 10:38]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 12:18:34 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 17:56:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????F??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-04-24 17:58:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 15:58:01
ComboFix2.txt 2008-04-23 14:19:44
ComboFix3.txt 2008-04-23 14:06:12

Adresářů: 8, Volných bajtů: 12,310,216,704
Adres ý…: 12, Volněch bajt…: 12,300,423,168

142

[fredik]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

Driver::
dmloadd

File::
C:\WINDOWS\system32\drivers\dmloadd.sys
C:\Documents and Settings\jtraxler\957123845.exe
C:\Documents and Settings\jtraxler\957123844.exe
C:\Documents and Settings\jtraxler\81744.exe
C:\Documents and Settings\jtraxler\40470.exe
C:\Documents and Settings\jtraxler\28582.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\blocker.dll

Suspect::
C:\WINDOWS\system32\AcroIeHelpU3.dll
C:\WINDOWS\system32\AcroIeHelpU2.dll
C:\WINDOWS\system32\AcroIeHelp.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DBB09FF-5697-4E4A-B138-1428E2DB5B20}]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu
+
Na ploše se ti vytvoří soubor Submit(Datum+Čas).zip, vlož ho jako přílohu ke svému dalšímu příspěvku.

[jirkaaaa]

Ahoj,
vse jsem opet udelal jak pises a nize prikladam log a soubory. Nechci nic zakriknout, ale na prvni pohled to vypada lepe. Please dej vedet co a jak dal.

ComboFix 08-04-22.5 - jtraxler 2008-04-25 7:58:53.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.203 [GMT 2:00]
Running from: C:\Documents and Settings\jtraxler\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\jtraxler\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\jtraxler\28582.exe
C:\Documents and Settings\jtraxler\40470.exe
C:\Documents and Settings\jtraxler\81744.exe
C:\Documents and Settings\jtraxler\957123844.exe
C:\Documents and Settings\jtraxler\957123845.exe
C:\WINDOWS\system32\blocker.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\dmloadd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jtraxler\28582.exe
C:\Documents and Settings\jtraxler\40470.exe
C:\Documents and Settings\jtraxler\81744.exe
C:\Documents and Settings\jtraxler\957123844.exe
C:\Documents and Settings\jtraxler\957123845.exe
C:\WINDOWS\system32\blocker.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\dmloadd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMLOADD
-------\Service_dmloadd


((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 16:07 . 2008-04-24 16:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 09:12 . 2008-04-24 09:12 4,536 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-23 18:12 . 2008-04-23 18:11 41,472 --a------ C:\Terminy-Pikant-2008.xls
2008-04-18 15:37 . 2008-01-24 19:24 991,744 --a------ C:\sablona-nabidka.doc
2008-04-18 15:37 . 2007-08-29 11:27 32,256 --a------ C:\sablona-nabidka.xls
2008-04-15 17:26 . 2008-04-15 17:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 17:26 . 2008-04-15 17:26 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 11:06 --------- d-----w C:\Program Files\Vario11
2008-04-21 13:53 --------- d-----w C:\Program Files\PDFCreator
2008-04-03 06:51 --------- d-----w C:\Program Files\ICQ
2008-03-11 16:58 --------- d-----w C:\Program Files\Java
2008-03-04 07:08 --------- d-----w C:\Program Files\ESET
2008-03-02 09:31 --------- d-----w C:\Program Files\Webteh
2008-02-27 08:47 --------- d-----w C:\Program Files\Azureus
2008-02-21 08:13 131,072 ----a-w C:\WINDOWS\system32\AcroIeHelpU3.dll
2008-02-21 08:11 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-29 10:22 120,320 ----a-w C:\WINDOWS\system32\AcroIeHelpU2.dll
2008-01-28 13:04 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-05-02 08:40 457 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_16.05.54.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 14:03:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 06:02:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-04-17 13:17:41 3,482 ----a-w C:\WINDOWS\im32st.dat
+ 2008-04-24 07:43:50 3,482 ----a-w C:\WINDOWS\im32st.dat
- 2008-04-23 06:32:02 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-04-25 05:51:17 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-04-23 06:32:02 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-25 05:51:17 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-23 06:32:02 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-04-25 05:51:17 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-04-23 06:32:02 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-25 05:51:17 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B782EDE4-CCB3-4E3E-981F-96C68116F38C}]
2008-02-21 10:13 131072 --a------ C:\WINDOWS\system32\AcroIeHelpU3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"MSMSGS"="c:\program files\messenger\msmsgs.exe" [2004-08-17 15:58 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 14:02 40960]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-05 23:34 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-05 23:34 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-05 23:34 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36 827392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-28 15:04 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 600 (0x258)
"LogonType"= 0 (0x0)
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ\\Icq.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 12:18:34 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 08:02:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????F??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-04-25 8:04:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 06:04:31
ComboFix2.txt 2008-04-24 15:58:06
ComboFix3.txt 2008-04-23 14:19:44
ComboFix4.txt 2008-04-23 14:06:12

Adresářů: 8, Volných bajtů: 12,278,104,064
Adres ý…: 11, Volněch bajt…: 12,206,669,824

156
//dík za nahráti souboru
fredik

[jirkaaaa]

Zdravim Vas,
jak to prosim vypada?

[fredik]

Nemusíš mít starost, až se k tomu dostanu tak se ozvu

Vytvoř si nový CFScript a použij ho stejným postupem jako ten předchozí, ale s tím rozdílem že do něho vlož tentokrát toto:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
C:\WINDOWS\system32\AcroIeHelpU3.dll
C:\WINDOWS\system32\AcroIeHelpU2.dll
C:\WINDOWS\system32\AcroIeHelp.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B782EDE4-CCB3-4E3E-981F-96C68116F38C}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"=-

Vlož sem pak log po proběhnutí ComboFixu + nový log z HJT.

[jirkaaaa]

Ahoj,
diky moc :-). Vse jsem udelal jak jsi psal - prikladam tedy novy log z Combofix + Hijackthis, viz. nize.
P.S.: Tentokrat se mi ani nerestartoval komp....
Please napis zas jak to vypada - jeste jednou diky za tvou pomoc

Log z Combofixu:

ComboFix 08-04-22.5 - jtraxler 2008-04-25 16:30:59.6 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.210 [GMT 2:00]
Running from: C:\Documents and Settings\jtraxler\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\jtraxler\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\AcroIeHelp.dll
C:\WINDOWS\system32\AcroIeHelpU2.dll
C:\WINDOWS\system32\AcroIeHelpU3.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AcroIeHelp.dll
C:\WINDOWS\system32\AcroIeHelpU2.dll
C:\WINDOWS\system32\AcroIeHelpU3.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 16:07 . 2008-04-24 16:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 09:12 . 2008-04-24 09:12 4,536 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-23 18:12 . 2008-04-23 18:11 41,472 --a------ C:\Terminy-Pikant-2008.xls
2008-04-18 15:37 . 2008-01-24 19:24 991,744 --a------ C:\sablona-nabidka.doc
2008-04-18 15:37 . 2007-08-29 11:27 32,256 --a------ C:\sablona-nabidka.xls
2008-04-15 17:26 . 2008-04-15 17:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 17:26 . 2008-04-15 17:26 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 14:28 --------- d-----w C:\Program Files\Vario11
2008-04-23 15:33 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-04-23 14:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-21 13:53 --------- d-----w C:\Program Files\PDFCreator
2008-04-10 14:39 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\Azureus
2008-04-10 14:39 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\Azureus
2008-04-10 14:39 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\Azureus
2008-04-03 06:51 --------- d-----w C:\Program Files\ICQ
2008-03-11 16:58 --------- d-----w C:\Program Files\Java
2008-03-04 07:08 --------- d-----w C:\Program Files\ESET
2008-03-02 09:32 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\BSplayer Pro
2008-03-02 09:32 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\BSplayer Pro
2008-03-02 09:32 --------- d-----w C:\Documents and Settings\jtraxler\Data aplikací\BSplayer Pro
2008-03-02 09:31 --------- d-----w C:\Program Files\Webteh
2008-02-27 08:47 --------- d-----w C:\Program Files\Azureus
2008-02-21 08:11 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-01-28 13:04 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-08-08 09:49 47,360 ----a-w C:\Documents and Settings\jtraxler\Data aplikací\pcouffin.sys
2007-08-08 09:49 47,360 ----a-w C:\Documents and Settings\jtraxler\Data aplikací\pcouffin.sys
2007-08-08 09:49 47,360 ----a-w C:\Documents and Settings\jtraxler\Data aplikací\pcouffin.sys
2007-05-02 08:40 457 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_16.05.54.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 14:03:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 06:02:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-04-17 13:17:41 3,482 ----a-w C:\WINDOWS\im32st.dat
+ 2008-04-24 07:43:50 3,482 ----a-w C:\WINDOWS\im32st.dat
- 2008-04-23 06:32:02 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-04-25 06:06:34 47,584 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-04-23 06:32:02 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-25 06:06:34 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-23 06:32:02 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-04-25 06:06:34 313,482 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-04-23 06:32:02 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-25 06:06:34 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"MSMSGS"="c:\program files\messenger\msmsgs.exe" [2004-08-17 15:58 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 14:02 40960]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-05 23:34 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-05 23:34 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-05 23:34 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 14:36 827392]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 10:58 159744]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-28 15:04 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 600 (0x258)
"LogonType"= 0 (0x0)
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ\\Icq.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 12:18:34 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 16:32:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????F??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-04-25 16:33:29
ComboFix-quarantined-files.txt 2008-04-25 14:33:16
ComboFix2.txt 2008-04-25 06:04:36
ComboFix3.txt 2008-04-24 15:58:06
ComboFix4.txt 2008-04-23 14:19:44
ComboFix5.txt 2008-04-23 14:06:12

Adresářů: 8, Volných bajtů: 12,186,939,392
Adresářů: 12, Volných bajtů: 12,176,769,024

137


Log z Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37, on 2008-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Seznam Lištička - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Listicka\Toolbar.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5034
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hlede&j v ČR - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5033
O8 - Extra context menu item: Hledej v &encyklopedii - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5108
O8 - Extra context menu item: Hledej ve &světě - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5035
O8 - Extra context menu item: Hledej ve &zboží - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5107
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bleskově - {141D2E4F-F313-4991-B61A-EE5D6D849361} - http://bleskove.centrum.cz (file missing)
O9 - Extra button: Centrum.cz - {2A5CFB1C-AAA2-4760-8462-1B61CF74B7D8} - http://www.centrum.cz (file missing)
O9 - Extra button: Xchat - {2BCB61BF-DC41-4738-A149-BDAAAD7FF0BD} - http://www.xchat.cz (file missing)
O9 - Extra button: Aktuálně - {2E01031B-AB09-4455-823D-25F1A1C11F48} - http://aktualne.centrum.cz (file missing)
O9 - Extra button: Slovníky - {2F741D0A-150E-40F9-A602-1B2421475F1D} - http://slovniky.centrum.cz (file missing)
O9 - Extra button: Supermapy - {309176E6-E204-40A0-8D13-7F19C0498C40} - http://www.supermapy.cz (file missing)
O9 - Extra button: mp3.centrum.cz - {49681216-5BF4-41A2-AAFA-129A6BD625DA} - http://mp3.centrum.cz/ (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Žena - {8B6E8E01-D262-4980-8C27-B8B2802285C1} - http://www.zena.cz (file missing)
O9 - Extra button: Fotoalba - {8FD64249-590C-4FBC-B181-12A6BAF516AF} - http://www.fotoalba.cz (file missing)
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Počasí - {A5050656-2286-454F-A489-C605ED1B461C} - http://pocasi.centrum.cz (file missing)
O9 - Extra button: Sportplus - {BC78516C-9DC9-40C5-A91E-74593222EF89} - http://sportplus.centrum.cz (file missing)
O9 - Extra button: Digitálně - {DAE865E8-970E-4931-A172-119CB56BBAF5} - http://www.digitalne.cz/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Stahuj.cz - {FC29EB7D-EDBA-4299-AEE4-D1BDC70EFA15} - http://www.stahuj.cz/ (file missing)
O16 - DPF: {3190CE28-0B6E-4133-A7D3-87D29CB92120} (ToolbarInetInstall Control) - http://software.seznam.cz/listicka/toolbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1215340422
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\Software\..\Telephony: DomainName = acomware.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acomware.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = acomware.local
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8340 bytes

[fredik]

Jdi přes Start -> Spustit... a napiš do okna tento příkaz označený modře ComboFix /u a dej Ok.
- mezi comobofix a /u musí být mezera

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: Bleskově - {141D2E4F-F313-4991-B61A-EE5D6D849361} - http://bleskove.centrum.cz (file missing)
O9 - Extra button: Centrum.cz - {2A5CFB1C-AAA2-4760-8462-1B61CF74B7D8} - http://www.centrum.cz (file missing)
O9 - Extra button: Xchat - {2BCB61BF-DC41-4738-A149-BDAAAD7FF0BD} - http://www.xchat.cz (file missing)
O9 - Extra button: Aktuálně - {2E01031B-AB09-4455-823D-25F1A1C11F48} - http://aktualne.centrum.cz (file missing)
O9 - Extra button: Slovníky - {2F741D0A-150E-40F9-A602-1B2421475F1D} - http://slovniky.centrum.cz (file missing)
O9 - Extra button: Supermapy - {309176E6-E204-40A0-8D13-7F19C0498C40} - http://www.supermapy.cz (file missing)
O9 - Extra button: mp3.centrum.cz - {49681216-5BF4-41A2-AAFA-129A6BD625DA} - http://mp3.centrum.cz/ (file missing)
O9 - Extra button: Žena - {8B6E8E01-D262-4980-8C27-B8B2802285C1} - http://www.zena.cz (file missing)
O9 - Extra button: Fotoalba - {8FD64249-590C-4FBC-B181-12A6BAF516AF} - http://www.fotoalba.cz (file missing)
O9 - Extra button: Počasí - {A5050656-2286-454F-A489-C605ED1B461C} - http://pocasi.centrum.cz (file missing)
O9 - Extra button: Sportplus - {BC78516C-9DC9-40C5-A91E-74593222EF89} - http://sportplus.centrum.cz (file missing)
O9 - Extra button: Digitálně - {DAE865E8-970E-4931-A172-119CB56BBAF5} - http://www.digitalne.cz/ (file missing)
O9 - Extra button: Stahuj.cz - {FC29EB7D-EDBA-4299-AEE4-D1BDC70EFA15} - http://www.stahuj.cz/ (file missing)
po zaškrtnutí klikni na tlačítko Fix Checked

=> pokud nepoužívá Messenger od MS, můžeš ho rovnou odinstalovat

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Pro lepší zabezpečení by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedený nebo některý jiný z odkazu: Přehled osobních firewallů
Firewally zdarma:
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině + návod

Můžeš si zapnout zpět rezidentní ochranu ve SpyBot S&D
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Stáhni si a spusť T-cleaner a postupuj podle instrukcí.

Případně můžeš také pročistit Pc od dočasných souborů např. pomocí: CCleaner

Máš ještě nějaké problémy?

[jirkaaaa]

ahoj frediku,
o vikendu jsem byl mimo pocitac, takze jsem se k tomu dostal az dnes....

Jeste jednou strasne moc diky za tvou pomoc. Jses borec!

Vse jsem opet udelal dle kroku jak pises:
1) ComboFix /u - spustilo se mi miniokno combifixu a na zaver mi napsalo, ze combofix byl odinstalovan
2) HijackThis - vsechny radky jsem zaskrtl a potvrdil
3) T-Cleaner - spustil a nechal procisit
4) SpyBot - znovu sjem si zapnul rezidentní ochranu
5) SpyBot - pro jistotu jsem si znova spustil kontrolu a vse je o.k. (nic nenalezno)

Kazdopadne zadny problem se mi nijak nejevi.

Strasne moc ti dekuju - jsem rad za tvuj pristup a pomc - opravdu si toho moc vazim.

Jirkaaaa

[fredik]

Nemá za co , kdyby byl nějaký problém tak dej vědět.