Prosím o kontrolu logu HijackThis Vyřešeno

[Kobuk]

Dnes mi rodinka asi infikovala počítač - mám problémy s internetem, Avast hlásí infekci v operační paměti (kterou při restartu neodstraní) a ve Spybotu byla narušená imunizace. Předem děkuji za kontrolu logu:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:41, on 9.6.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\GetRight\GetRight.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: rncsys32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8496538765
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7077 bytes

[Reklama]

[jaro3]

stáhni SuperAntiSpyware, aktualizuj databázi , proveď sken a následně nákazy smaž:
http://www.superantispyware.com/downloa ... PYWAREFREE

Poté:
Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Aktualizace Malwarebytes' Anti-Malware a Spustit aplikaci Malwarebytes' Anti-Malware, pokud jo tak klikni na tlačítko konec
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Provést rychlý sken a klikni na tlačítko Skenovat
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Zobrazit výsledky
- pak zvol možnost uložit log a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

[Kobuk]

Chvíli ty skeny trvaly... Tady je ten log:

Malwarebytes' Anti-Malware 1.37
Verze databáze: 2255
Windows 5.1.2600 Service Pack 3

9.6.2009 20:29:19
mbam-log-2009-06-09 (20-29-11).txt

Typ skenu: Rychlý sken
Objektu skenováno: 79281
Uplynulý cas: 2 minute(s), 34 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 3

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
c:\documents and settings\User\local settings\Temp\~TME.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\Temp\wpv491243627542.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\User\Data aplikací\wiaserva.log (Malware.Trace) -> No action taken.

[jaro3]

. Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Ukaž výsledky
- ujistit se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Odstranit označené
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Můžeš sem pak vložit log z MbAM.

Vypni rez. ochranu u Avastu+deaktivuj Spybot.
Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[Kobuk]

Tak tady je ten log z MBAM:

Malwarebytes' Anti-Malware 1.37
Verze databáze: 2255
Windows 5.1.2600 Service Pack 3

9.6.2009 20:50:03
mbam-log-2009-06-09 (20-50-03).txt

Typ skenu: Rychlý sken
Objektu skenováno: 79376
Uplynulý cas: 1 minute(s), 43 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 3

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
c:\documents and settings\User\local settings\Temp\~TME.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv491243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\User\Data aplikací\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.


A tady log z ComboFix:

ComboFix 09-06-09.01 - User 09.06.2009 21:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.660 [GMT 2:00]
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090608-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-05-09 do 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-09 18:53 . 2009-06-09 19:09 88766 ----a-w- c:\windows\system32\drivers\2438331e.sys
2009-06-09 18:25 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 18:25 . 2009-06-09 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 18:25 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:48 . 2009-06-09 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-09 17:48 . 2009-06-09 17:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:44 . 2009-06-09 18:22 -------- d-----w- C:\Cleaning

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 19:01 . 2006-06-16 15:51 -------- d-----w- c:\program files\SpeedFan
2009-06-09 18:36 . 2008-04-05 14:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-08 16:34 . 2007-08-31 16:12 -------- d-----w- c:\program files\mIRC
2009-06-07 17:29 . 2008-12-13 16:18 -------- d-----w- c:\program files\eMule
2009-05-02 11:43 . 2008-11-10 20:52 -------- d-----w- c:\program files\CCleaner
2009-05-02 11:21 . 2009-05-02 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-02 10:52 . 2006-05-31 17:07 -------- d-----w- c:\program files\GetRight
2009-04-25 09:55 . 2009-04-25 09:55 -------- d-----w- c:\program files\Tale of Tales
2009-04-24 16:57 . 2004-08-18 12:00 478086 ----a-w- c:\windows\system32\perfh005.dat
2009-04-24 16:57 . 2004-08-18 12:00 101988 ----a-w- c:\windows\system32\perfc005.dat
2009-03-14 17:59 . 2006-09-24 08:50 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2002-08-27 16:57 . 2006-10-18 17:38 65974 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
.

------- Sigcheck -------

[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-18 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-10-25 988565]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-10-25 118784]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-18 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-10 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\
rncsys32.exe [2008-4-14 30720]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2006-2-8 2510336]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2009-5-2 4240448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10.11.2008 23:26 114768]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26.5.2009 10:05 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26.5.2009 10:05 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.11.2008 23:26 20560]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26.5.2009 10:05 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Obsah adresáře 'Naplánované úlohy'

2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{B030C29C-2DFA-43D0-B5CB-65B1E97A8799}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

SafeBoot-procexp90.sys


.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.spiegel.de/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 21:09
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\2438331e]
"ImagePath"="\SystemRoot\System32\drivers\2438331e.sys"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\s-1-5-21-2052111302-1972579041-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:24,47,f0,7d,f2,36,fd,b8,fa,a7,50,0f,27,d5,70,cd,49,6f,63,e1,46,e1,0f,
75,c6,40,59,db,51,27,61,42,31,90,41,b6,b5,38,bd,9a,b0,10,a8,48,f7,d5,3d,97,\
"??"=hex:3b,6c,67,01,06,2e,02,d0,f6,82,d5,25,cf,b1,5c,9a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="3EB0CD58987400CF5D0B6A9C2A13E05D8034CEF604C978D50080F98673AE83895F891D232CF8EA91D3AB446332BB15601A7A5135193084DF1562BC820E0ECC2049BEB868B2FCCB149E1391FB5005436371CAE7A54E22AEC3800F3D7FFED801EF94A3C6564064969B10DE1BA6E46C130ABCA9A3B66F57F428F392EE3FA21E143F8FEEC020DDB6D4AE358E7E254492C23CE08067DE3FA9E975D15F9B07488F8C983CBBF47C8520A198CB08B14038BD22287A1C6B95F396B158B5CDDEA13204074ACE8A83A5AA70AC684611F8C4FD5499BAFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555A9C6AECB7A5D1407A2D97226D213B55512579275A68758D09344FD71E55925C638F95302CC965A9273350E099F34D564E676716CA7E3D2202837ED5AE38CF8ADD426D7A28054C3D4F601701AA9BE2BACB8F04192A152A99D698041E1B0538A6AD09CCF7A62958A4FD727FA8A8E4BC8B6F61D99B83A7A057001C0356C4171360432E5BC9D51D1E18C973C15BFBC2CD52C42376AB68EAAA1044F7DDDDF7ECA6CC6B56F7925A6A8105970337DA418D78E7AF05C75672FCFCF85E49EA1A94567B3C4C88BAFADABD9EEC5CD68C3A5776842D20C934F281F00F3EA8A70BBB76675A4CE916EDFD71C4EEDA8D01BCCB6259ED3AD50C1635D567205E8B8233AFE28C3EB80E6325D492D8C8D994E6BD14ADF5CBA44AF336DEB4202917B1FCB0177C2494CB3D255512904C5E4764EE15FDBDCA88114D01700BF413037639FE1C51B63201A0916B736A3B84A9EDF0DE7D6E9412E48608B8102C728202CA0D1C293E92B81BEE4259EDAEB5B8F783C7C4BEAF4293D422E6F682CF43E9938FC7E2FC8E82ED0B7EF2534E434ECB0C5B3BFBFA682A2C6B6C8BC280DBEC009B603A549999FF5129695F306CCB6E46AEAB32F5BE59B3162013E687F84205FFD1A02F91B8B18806E00061F85DAAFAB1F646D5897594F4BCA8F5F9C934A183E2C640C60127A63BDB32DB56C07B2DE9FD4BED57BD3862FDC60E6C23769E728746B2F78F47C141513516BDC51C4468992359C268C52C450C4A39DC4496E3A580F38A66306905B43D95D9C77F95C5C794C0F345BB5B8424CD4BDDE00987074B10D3389AB9464A60C5E0FB5C5C54E927984D25137D192FEC0567769D91F249BC4631E2FF359F6228D62C540CA490158DB6A17CFBD714DD0CF82C1127608A08823F9E27C243EA7CBEB9A805850CABCF073A096A33959BB5F9E88AEBEBF39E0E9632C8BEFE660BAF54E30E3B1624631739A3C2DD237031527578CF3EB65C343C19F4BC9992B145748E0BFBA0F50EBECCDACC65F77871A727AA7A36E2858F38DE5789AEF1C245E0C3D52DAF0CAAE1E673E0B40504040FE53FCC0DB1C96D0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-06-09 21:11
ComboFix-quarantined-files.txt 2009-06-09 19:10

Před spuštěním: Volných bajtů: 58 903 625 728
Po spuštění: Volných bajtů: 58 904 043 520

150

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::
File::
c:\windows\system32\drivers\2438331e.sys
c:\program files\viewsonicinstruct_xp.pdf
c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\
rncsys32.exe

Driver::
2438331e

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\2438331e]


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

[Kobuk]

Tady je log z ComboFix:

ComboFix 09-06-09.01 - User 09.06.2009 21:35.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.658 [GMT 2:00]
Spuštěný z: c:\documents and settings\User\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\User\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090608-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\"
"c:\program files\viewsonicinstruct_xp.pdf"
"c:\windows\system32\drivers\2438331e.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\viewsonicinstruct_xp.pdf
c:\windows\system32\drivers\2438331e.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_2438331e


((((((((((((((((((((((((( Soubory vytvořené od 2009-05-09 do 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-09 18:25 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 18:25 . 2009-06-09 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 18:25 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:48 . 2009-06-09 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-09 17:48 . 2009-06-09 17:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-09 17:44 . 2009-06-09 18:22 -------- d-----w- C:\Cleaning

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 19:38 . 2006-06-16 15:51 -------- d-----w- c:\program files\SpeedFan
2009-06-09 18:36 . 2008-04-05 14:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-08 16:34 . 2007-08-31 16:12 -------- d-----w- c:\program files\mIRC
2009-06-07 17:29 . 2008-12-13 16:18 -------- d-----w- c:\program files\eMule
2009-05-02 11:43 . 2008-11-10 20:52 -------- d-----w- c:\program files\CCleaner
2009-05-02 11:21 . 2009-05-02 11:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-02 10:52 . 2006-05-31 17:07 -------- d-----w- c:\program files\GetRight
2009-04-25 09:55 . 2009-04-25 09:55 -------- d-----w- c:\program files\Tale of Tales
2009-04-24 16:57 . 2004-08-18 12:00 478086 ----a-w- c:\windows\system32\perfh005.dat
2009-04-24 16:57 . 2004-08-18 12:00 101988 ----a-w- c:\windows\system32\perfc005.dat
2009-03-14 17:59 . 2006-09-24 08:50 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
.

------- Sigcheck -------

[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-18 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9425B72F40257B45D45D24773273DAD0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-09_19.09.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-09 19:37 . 2009-06-09 19:37 16384 c:\windows\temp\Perflib_Perfdata_5b0.dat
+ 2009-06-09 19:38 . 2009-06-09 19:38 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-10-25 988565]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-10-25 118784]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-18 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-10 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\
rncsys32.exe [2008-4-14 30720]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2006-2-8 2510336]
Start GetRight.lnk - c:\program files\GetRight\GetRight.exe [2009-5-2 4240448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10.11.2008 23:26 114768]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26.5.2009 10:05 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26.5.2009 10:05 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10.11.2008 23:26 20560]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26.5.2009 10:05 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Obsah adresáře 'Naplánované úlohy'

2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{B030C29C-2DFA-43D0-B5CB-65B1E97A8799}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.spiegel.de/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 21:38
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1972579041-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:24,47,f0,7d,f2,36,fd,b8,fa,a7,50,0f,27,d5,70,cd,49,6f,63,e1,46,e1,0f,
75,c6,40,59,db,51,27,61,42,31,90,41,b6,b5,38,bd,9a,b0,10,a8,48,f7,d5,3d,97,\
"??"=hex:3b,6c,67,01,06,2e,02,d0,f6,82,d5,25,cf,b1,5c,9a

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="3EB0CD58987400CF5D0B6A9C2A13E05D8034CEF604C978D50080F98673AE83895F891D232CF8EA91D3AB446332BB15601A7A5135193084DF1562BC820E0ECC2049BEB868B2FCCB149E1391FB5005436371CAE7A54E22AEC3800F3D7FFED801EF94A3C6564064969B10DE1BA6E46C130ABCA9A3B66F57F428F392EE3FA21E143F8FEEC020DDB6D4AE358E7E254492C23CE08067DE3FA9E975D15F9B07488F8C983CBBF47C8520A198CB08B14038BD22287A1C6B95F396B158B5CDDEA13204074ACE8A83A5AA70AC684611F8C4FD5499BAFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555A9C6AECB7A5D1407A2D97226D213B55512579275A68758D09344FD71E55925C638F95302CC965A9273350E099F34D564E676716CA7E3D2202837ED5AE38CF8ADD426D7A28054C3D4F601701AA9BE2BACB8F04192A152A99D698041E1B0538A6AD09CCF7A62958A4FD727FA8A8E4BC8B6F61D99B83A7A057001C0356C4171360432E5BC9D51D1E18C973C15BFBC2CD52C42376AB68EAAA1044F7DDDDF7ECA6CC6B56F7925A6A8105970337DA418D78E7AF05C75672FCFCF85E49EA1A94567B3C4C88BAFADABD9EEC5CD68C3A5776842D20C934F281F00F3EA8A70BBB76675A4CE916EDFD71C4EEDA8D01BCCB6259ED3AD50C1635D567205E8B8233AFE28C3EB80E6325D492D8C8D994E6BD14ADF5CBA44AF336DEB4202917B1FCB0177C2494CB3D255512904C5E4764EE15FDBDCA88114D01700BF413037639FE1C51B63201A0916B736A3B84A9EDF0DE7D6E9412E48608B8102C728202CA0D1C293E92B81BEE4259EDAEB5B8F783C7C4BEAF4293D422E6F682CF43E9938FC7E2FC8E82ED0B7EF2534E434ECB0C5B3BFBFA682A2C6B6C8BC280DBEC009B603A549999FF5129695F306CCB6E46AEAB32F5BE59B3162013E687F84205FFD1A02F91B8B18806E00061F85DAAFAB1F646D5897594F4BCA8F5F9C934A183E2C640C60127A63BDB32DB56C07B2DE9FD4BED57BD3862FDC60E6C23769E728746B2F78F47C141513516BDC51C4468992359C268C52C450C4A39DC4496E3A580F38A66306905B43D95D9C77F95C5C794C0F345BB5B8424CD4BDDE00987074B10D3389AB9464A60C5E0FB5C5C54E927984D25137D192FEC0567769D91F249BC4631E2FF359F6228D62C540CA490158DB6A17CFBD714DD0CF82C1127608A08823F9E27C243EA7CBEB9A805850CABCF073A096A33959BB5F9E88AEBEBF39E0E9632C8BEFE660BAF54E30E3B1624631739A3C2DD237031527578CF3EB65C343C19F4BC9992B145748E0BFBA0F50EBECCDACC65F77871A727AA7A36E2858F38DE5789AEF1C245E0C3D52DAF0CAAE1E673E0B40504040FE53FCC0DB1C96D0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\ATKKBService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Celkový čas: 2009-06-09 21:41 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-06-09 19:40
ComboFix2.txt 2009-06-09 19:11

Před spuštěním: Volných bajtů: 58 916 339 712
Po spuštění: Volných bajtů: 58 874 052 608

180

[Kobuk]

A tady HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:49, on 9.6.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\GetRight\GetRight.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: rncsys32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8496538765
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6742 bytes

[jaro3]

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:

Kód: Vybrat vše

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: rncsys32.exe


ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u

Stáhni si program OTMoveIt3 (by OldTimer) a ulož si ho na disk C a spusť ho.
- Do levého sloupce (Paste Instructions for Items to be Moved) zkopíruj tyto cesty:
Poznámka: Nepoužij k označení funkci VYBRAT VŠE

Kód: Vybrat vše

:Processes
explorer.exe

:Services

:Reg

:Files
c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\rncsys32.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


- Po zkopírování klikni na tlačítko MoveIt! a vlož sem následně celý obsah z pravého sloupce, jinak uložený ve složce C:\_OTMoveIt\MovedFiles\, který bude informovat o výsledcích
- Je možné, že pokud nebudou moci být soubory odstraněny, budeš dotázán na restart počítače, v tom případě restart potvrď.

[Kobuk]

Ten link na OTMoveIt3 bohužel nefunguje, nemáš nějaký jiný?
Zkoušel jsem to najít, ale snad všude mají ten samý link...

[Kobuk]

Už jsem ho našel, jdu na to.

[Kobuk]

Log z OTM:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\documents and settings\User\Nabˇdka Start\Programy\Po spuçtŘnˇ\rncsys32.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_d40.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_26c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.1 log created on 06092009_223036

Files moved on Reboot...
File C:\DOCUME~1\User\LOCALS~1\Temp\Perflib_Perfdata_d40.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_26c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_5b0.dat not found!

Registry entries deleted on Reboot...