Podezření na trojan.downloader - prosba o pomoc

[zidekmartinek]

jo, mám providera společnost nasi.cz. pořád to nejde. log z čistícího procesu je: ComboFix 10-05-24.07 - Martin Žídek 25.05.2010 22:37:43.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.351.213 [GMT 2:00]
Spuštěný z: C:\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Martin Žídek\Plocha\CFScript.txt

FILE ::
"C:\esetsmartinstaller_csy.exe"
"C:\Pareto_AV_Setup_RW(2).exe"
"C:\Pareto_AV_Setup_RW.exe"
"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe"
"c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk"
"C:\setupcze(2).exe"
"C:\setupcze.exe"
"c:\windows\iun6002.exe"
"c:\windows\system32\drivers\fidbox.dat"
"c:\windows\system32\drivers\fidbox.idx"
"c:\windows\system32\drivers\fidbox2.dat"
"c:\windows\system32\drivers\fidbox2.idx"
"c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job"
"c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job"
"c:\windows\Tasks\ParetoLogic Update Version2.job"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\esetsmartinstaller_csy.exe
C:\Pareto_AV_Setup_RW(2).exe
C:\Pareto_AV_Setup_RW.exe
c:\program files\Alwil Software
c:\program files\Common Files\ParetoLogic
c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\aports.dll
c:\program files\Spybot - Search & Destroy\blindman.exe
c:\program files\Spybot - Search & Destroy\borlndmm.dll
c:\program files\Spybot - Search & Destroy\Default configuration.ini
c:\program files\Spybot - Search & Destroy\delphimm.dll
c:\program files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
c:\program files\Spybot - Search & Destroy\Dummies\dummy.dap.gif
c:\program files\Spybot - Search & Destroy\Dummies\dummy.data.xml
c:\program files\Spybot - Search & Destroy\Dummies\dummy.default.gif
c:\program files\Spybot - Search & Destroy\Dummies\dummy.related.htm
c:\program files\Spybot - Search & Destroy\Help\Brasil.license.txt
c:\program files\Spybot - Search & Destroy\Help\Cesky.license.txt
c:\program files\Spybot - Search & Destroy\Help\Deutsch.license.txt
c:\program files\Spybot - Search & Destroy\Help\English.chm
c:\program files\Spybot - Search & Destroy\Help\English.license.txt
c:\program files\Spybot - Search & Destroy\Help\English.Resident.chm
c:\program files\Spybot - Search & Destroy\Help\Espanol.license.txt
c:\program files\Spybot - Search & Destroy\Help\Francais.license.txt
c:\program files\Spybot - Search & Destroy\Help\Italiano.license.txt
c:\program files\Spybot - Search & Destroy\Help\Japanese.license.txt
c:\program files\Spybot - Search & Destroy\Help\Nederlands.license.txt
c:\program files\Spybot - Search & Destroy\Help\Polski.license.txt
c:\program files\Spybot - Search & Destroy\Help\Slovensky.license.txt
c:\program files\Spybot - Search & Destroy\Help\Srpski.license.txt
c:\program files\Spybot - Search & Destroy\Includes\CLSIDs.sbs
c:\program files\Spybot - Search & Destroy\Includes\LSP.sbs
c:\program files\Spybot - Search & Destroy\Includes\OperaPlugins.sbs
c:\program files\Spybot - Search & Destroy\Includes\Startup.tnfo
c:\program files\Spybot - Search & Destroy\Includes\Targets.nfo
c:\program files\Spybot - Search & Destroy\Languages\Arabic.sbl
c:\program files\Spybot - Search & Destroy\Languages\Bosanski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Brasil.sbl
c:\program files\Spybot - Search & Destroy\Languages\Bulgarski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Catalan.sbl
c:\program files\Spybot - Search & Destroy\Languages\Cesky.sbl
c:\program files\Spybot - Search & Destroy\Languages\Dansk.sbl
c:\program files\Spybot - Search & Destroy\Languages\Deutsch.sbl
c:\program files\Spybot - Search & Destroy\Languages\Eesti.sbl
c:\program files\Spybot - Search & Destroy\Languages\English.sbl
c:\program files\Spybot - Search & Destroy\Languages\Espanol.sbl
c:\program files\Spybot - Search & Destroy\Languages\Esperanto.sbl
c:\program files\Spybot - Search & Destroy\Languages\Euskera.sbl
c:\program files\Spybot - Search & Destroy\Languages\Farsi.sbl
c:\program files\Spybot - Search & Destroy\Languages\Francais.sbl
c:\program files\Spybot - Search & Destroy\Languages\Galego.sbl
c:\program files\Spybot - Search & Destroy\Languages\Greek.sbl
c:\program files\Spybot - Search & Destroy\Languages\Hebrew.sbl
c:\program files\Spybot - Search & Destroy\Languages\Hrvatski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Chinese (simplified).sbl
c:\program files\Spybot - Search & Destroy\Languages\Chinese (traditional).sbl
c:\program files\Spybot - Search & Destroy\Languages\Italiano.sbl
c:\program files\Spybot - Search & Destroy\Languages\Japanese.sbl
c:\program files\Spybot - Search & Destroy\Languages\Korean.sbl
c:\program files\Spybot - Search & Destroy\Languages\Latvian.sbl
c:\program files\Spybot - Search & Destroy\Languages\Letzebuergesch.sbl
c:\program files\Spybot - Search & Destroy\Languages\Lietuviu.sbl
c:\program files\Spybot - Search & Destroy\Languages\Magyar.sbl
c:\program files\Spybot - Search & Destroy\Languages\Makedonski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Melayu.sbl
c:\program files\Spybot - Search & Destroy\Languages\Nederlands.sbl
c:\program files\Spybot - Search & Destroy\Languages\Norsk.sbl
c:\program files\Spybot - Search & Destroy\Languages\Polski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Portugues.sbl
c:\program files\Spybot - Search & Destroy\Languages\Romaneste.sbl
c:\program files\Spybot - Search & Destroy\Languages\Russkiy.sbl
c:\program files\Spybot - Search & Destroy\Languages\Shqip.sbl
c:\program files\Spybot - Search & Destroy\Languages\Slovenscina.sbl
c:\program files\Spybot - Search & Destroy\Languages\Slovensky.sbl
c:\program files\Spybot - Search & Destroy\Languages\Srpski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Suomi.sbl
c:\program files\Spybot - Search & Destroy\Languages\Svenska.sbl
c:\program files\Spybot - Search & Destroy\Languages\Thai.sbl
c:\program files\Spybot - Search & Destroy\Languages\Turkce.sbl
c:\program files\Spybot - Search & Destroy\Languages\Ukrainian.sbl
c:\program files\Spybot - Search & Destroy\Languages\Uzbek.sbl
c:\program files\Spybot - Search & Destroy\messages.zres
c:\program files\Spybot - Search & Destroy\OptOut.ini
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\program files\Spybot - Search & Destroy\Skins\Colorblind.ini
c:\program files\Spybot - Search & Destroy\Skins\Italia.ini
c:\program files\Spybot - Search & Destroy\Skins\Italia.jpg
c:\program files\Spybot - Search & Destroy\Skins\Peace.ini
c:\program files\Spybot - Search & Destroy\Skins\Peace.jpg
c:\program files\Spybot - Search & Destroy\SpybotSD.exe
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\Spybot - Search & Destroy\Tools.dll
c:\program files\Spybot - Search & Destroy\unins000.dat
c:\program files\Spybot - Search & Destroy\unins000.exe
c:\program files\Spybot - Search & Destroy\UnzDll.dll
c:\program files\Spybot - Search & Destroy\Update.exe
c:\program files\Spybot - Search & Destroy\Updates\downloaded.ini
c:\program files\Spybot - Search & Destroy\ZipDll.dll
C:\setupcze(2).exe
C:\setupcze.exe
c:\windows\iun6002.exe
c:\windows\system32\drivers\fidbox.dat
c:\windows\system32\drivers\fidbox.idx
c:\windows\system32\drivers\fidbox2.dat
c:\windows\system32\drivers\fidbox2.idx

Nakažená kopie c:\windows\system32\qmgr.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-25 do 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 18:03 . 2010-05-25 18:03 17144 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-25 04:15 . 2010-05-25 20:34 3698362 ----a-r- C:\ComboFix.exe
2010-05-24 17:23 . 2010-05-24 17:23 50688 ----a-w- C:\ATF-Cleaner.exe
2010-05-24 04:14 . 2010-05-24 04:14 1402880 ----a-w- C:\HiJackThis.msi
2010-05-23 18:54 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 18:54 . 2010-04-29 13:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 18:54 . 2010-05-23 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 18:53 . 2010-05-23 18:53 6153376 ----a-w- C:\mbam-setup.exe
2010-05-23 17:42 . 2010-05-24 04:14 -------- d-----w- c:\program files\Trend Micro
2010-05-23 17:28 . 2010-05-23 17:28 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 17:12 . 2009-07-19 15:54 -------- d-----w- c:\program files\uTorrent
2010-04-16 16:12 . 2010-04-16 16:12 -------- d-----w- c:\program files\Common Files\Ahead
2010-04-16 16:12 . 2010-04-16 16:12 -------- d-----w- c:\program files\Ahead
2010-04-14 14:21 . 2010-04-14 14:21 -------- d-----w- c:\program files\TomTom DesktopSuite
2010-04-06 18:28 . 2010-04-06 18:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-31 17:33 . 2010-01-12 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-30 16:14 . 2010-03-30 16:14 -------- d-----w- c:\program files\Realtek AC97
2010-03-30 15:49 . 2010-03-30 15:49 -------- d-----w- c:\program files\iXi Tools Software
2010-03-30 15:41 . 2009-07-17 15:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-30 15:36 . 2010-03-30 15:36 -------- d-----w- c:\program files\C-Media
2010-03-30 07:41 . 2010-01-28 09:47 -------- d-----w- c:\program files\Fotolab
2010-03-28 16:05 . 2010-03-28 16:05 -------- d-----w- c:\program files\Winamp
2010-03-28 13:56 . 2001-10-25 12:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-03-28 13:56 . 2001-10-25 12:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-03-27 09:32 . 2010-03-27 09:31 -------- d-----w- c:\program files\EasyFrom
2010-03-27 09:32 . 2010-03-27 09:32 -------- d-----w- c:\program files\Microsoft Visual FoxPro OLE DB Provider
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-29 321328]
"DriverUpdaterPro"="c:\program files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe" [2010-03-29 4353024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-12 7626752]
"nwiz"="nwiz.exe" [2006-07-12 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-12 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {160AE1E6-D18B-441A-84F1-010F65024626} = 172.23.76.1,10.153.195.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Martin Žídek\Data aplikací\Mozilla\Firefox\Profiles\5aojw4um.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: network.proxy.ftp - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-Spybot - Search & Destroy_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 22:43
Windows 5.1.2600 Service Pack 1 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(536)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3016)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\program files\Common Files\Microsoft Shared\Web Components\10\1029\OWCI10.DLL
c:\windows\System32\MSCTF.dll
c:\windows\System32\MLANG.dll
c:\windows\System32\mshtml.dll
c:\windows\System32\msimtf.dll
c:\windows\System32\MSLS31.DLL
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\System32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Celkový čas: 2010-05-25 22:45:35 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-25 20:45
ComboFix2.txt 2010-05-25 13:34

Před spuštěním: 411 443 200
Po spuštění: 169 672 704

- - End Of File - - 565B13BB00586EC4F7AF59A36015121E

nový log z HJT je
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:52:12, on 25.5.2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3172 bytes

[Reklama]

[jaro3]

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix /Uninstall

vyčisti systém CCleanerem

a použij i T-Cleaner
smaže vše po Combu,MWAVu atd.-stáhneš>spustíš

V možnostech složky si povol zobrazování skrytých souborů a složek+ odškrtni zatržítko skrýt chráněné soubory operačního systému

Toto otestuj na Virustotal
c:\windows\system32\qmgr.dll
Pokud už byl soubor testován-klikni na otestovat znovu.

Až skončí test všech antivirů, vlož sem pak odkaz na stránku s výsledky.

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:
Návod

Kód: Vybrat vše

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)


Doporučuji nainstalovat nějaký free antivir- třeba Avira free:
http://free-av.de/
Nebo Avast 5 , má v sobě antivir i antispyware..

[zidekmartinek]

jo mám toho providera co jsi napsal. výstup z čistícího procesu jeComboFix 10-05-24.07 - Martin Žídek 25.05.2010 22:37:43.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.351.213 [GMT 2:00]
Spuštěný z: C:\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Martin Žídek\Plocha\CFScript.txt

FILE ::
"C:\esetsmartinstaller_csy.exe"
"C:\Pareto_AV_Setup_RW(2).exe"
"C:\Pareto_AV_Setup_RW.exe"
"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe"
"c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk"
"C:\setupcze(2).exe"
"C:\setupcze.exe"
"c:\windows\iun6002.exe"
"c:\windows\system32\drivers\fidbox.dat"
"c:\windows\system32\drivers\fidbox.idx"
"c:\windows\system32\drivers\fidbox2.dat"
"c:\windows\system32\drivers\fidbox2.idx"
"c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job"
"c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job"
"c:\windows\Tasks\ParetoLogic Update Version2.job"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\esetsmartinstaller_csy.exe
C:\Pareto_AV_Setup_RW(2).exe
C:\Pareto_AV_Setup_RW.exe
c:\program files\Alwil Software
c:\program files\Common Files\ParetoLogic
c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\aports.dll
c:\program files\Spybot - Search & Destroy\blindman.exe
c:\program files\Spybot - Search & Destroy\borlndmm.dll
c:\program files\Spybot - Search & Destroy\Default configuration.ini
c:\program files\Spybot - Search & Destroy\delphimm.dll
c:\program files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
c:\program files\Spybot - Search & Destroy\Dummies\dummy.dap.gif
c:\program files\Spybot - Search & Destroy\Dummies\dummy.data.xml
c:\program files\Spybot - Search & Destroy\Dummies\dummy.default.gif
c:\program files\Spybot - Search & Destroy\Dummies\dummy.related.htm
c:\program files\Spybot - Search & Destroy\Help\Brasil.license.txt
c:\program files\Spybot - Search & Destroy\Help\Cesky.license.txt
c:\program files\Spybot - Search & Destroy\Help\Deutsch.license.txt
c:\program files\Spybot - Search & Destroy\Help\English.chm
c:\program files\Spybot - Search & Destroy\Help\English.license.txt
c:\program files\Spybot - Search & Destroy\Help\English.Resident.chm
c:\program files\Spybot - Search & Destroy\Help\Espanol.license.txt
c:\program files\Spybot - Search & Destroy\Help\Francais.license.txt
c:\program files\Spybot - Search & Destroy\Help\Italiano.license.txt
c:\program files\Spybot - Search & Destroy\Help\Japanese.license.txt
c:\program files\Spybot - Search & Destroy\Help\Nederlands.license.txt
c:\program files\Spybot - Search & Destroy\Help\Polski.license.txt
c:\program files\Spybot - Search & Destroy\Help\Slovensky.license.txt
c:\program files\Spybot - Search & Destroy\Help\Srpski.license.txt
c:\program files\Spybot - Search & Destroy\Includes\CLSIDs.sbs
c:\program files\Spybot - Search & Destroy\Includes\LSP.sbs
c:\program files\Spybot - Search & Destroy\Includes\OperaPlugins.sbs
c:\program files\Spybot - Search & Destroy\Includes\Startup.tnfo
c:\program files\Spybot - Search & Destroy\Includes\Targets.nfo
c:\program files\Spybot - Search & Destroy\Languages\Arabic.sbl
c:\program files\Spybot - Search & Destroy\Languages\Bosanski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Brasil.sbl
c:\program files\Spybot - Search & Destroy\Languages\Bulgarski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Catalan.sbl
c:\program files\Spybot - Search & Destroy\Languages\Cesky.sbl
c:\program files\Spybot - Search & Destroy\Languages\Dansk.sbl
c:\program files\Spybot - Search & Destroy\Languages\Deutsch.sbl
c:\program files\Spybot - Search & Destroy\Languages\Eesti.sbl
c:\program files\Spybot - Search & Destroy\Languages\English.sbl
c:\program files\Spybot - Search & Destroy\Languages\Espanol.sbl
c:\program files\Spybot - Search & Destroy\Languages\Esperanto.sbl
c:\program files\Spybot - Search & Destroy\Languages\Euskera.sbl
c:\program files\Spybot - Search & Destroy\Languages\Farsi.sbl
c:\program files\Spybot - Search & Destroy\Languages\Francais.sbl
c:\program files\Spybot - Search & Destroy\Languages\Galego.sbl
c:\program files\Spybot - Search & Destroy\Languages\Greek.sbl
c:\program files\Spybot - Search & Destroy\Languages\Hebrew.sbl
c:\program files\Spybot - Search & Destroy\Languages\Hrvatski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Chinese (simplified).sbl
c:\program files\Spybot - Search & Destroy\Languages\Chinese (traditional).sbl
c:\program files\Spybot - Search & Destroy\Languages\Italiano.sbl
c:\program files\Spybot - Search & Destroy\Languages\Japanese.sbl
c:\program files\Spybot - Search & Destroy\Languages\Korean.sbl
c:\program files\Spybot - Search & Destroy\Languages\Latvian.sbl
c:\program files\Spybot - Search & Destroy\Languages\Letzebuergesch.sbl
c:\program files\Spybot - Search & Destroy\Languages\Lietuviu.sbl
c:\program files\Spybot - Search & Destroy\Languages\Magyar.sbl
c:\program files\Spybot - Search & Destroy\Languages\Makedonski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Melayu.sbl
c:\program files\Spybot - Search & Destroy\Languages\Nederlands.sbl
c:\program files\Spybot - Search & Destroy\Languages\Norsk.sbl
c:\program files\Spybot - Search & Destroy\Languages\Polski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Portugues.sbl
c:\program files\Spybot - Search & Destroy\Languages\Romaneste.sbl
c:\program files\Spybot - Search & Destroy\Languages\Russkiy.sbl
c:\program files\Spybot - Search & Destroy\Languages\Shqip.sbl
c:\program files\Spybot - Search & Destroy\Languages\Slovenscina.sbl
c:\program files\Spybot - Search & Destroy\Languages\Slovensky.sbl
c:\program files\Spybot - Search & Destroy\Languages\Srpski.sbl
c:\program files\Spybot - Search & Destroy\Languages\Suomi.sbl
c:\program files\Spybot - Search & Destroy\Languages\Svenska.sbl
c:\program files\Spybot - Search & Destroy\Languages\Thai.sbl
c:\program files\Spybot - Search & Destroy\Languages\Turkce.sbl
c:\program files\Spybot - Search & Destroy\Languages\Ukrainian.sbl
c:\program files\Spybot - Search & Destroy\Languages\Uzbek.sbl
c:\program files\Spybot - Search & Destroy\messages.zres
c:\program files\Spybot - Search & Destroy\OptOut.ini
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\program files\Spybot - Search & Destroy\Skins\Colorblind.ini
c:\program files\Spybot - Search & Destroy\Skins\Italia.ini
c:\program files\Spybot - Search & Destroy\Skins\Italia.jpg
c:\program files\Spybot - Search & Destroy\Skins\Peace.ini
c:\program files\Spybot - Search & Destroy\Skins\Peace.jpg
c:\program files\Spybot - Search & Destroy\SpybotSD.exe
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\Spybot - Search & Destroy\Tools.dll
c:\program files\Spybot - Search & Destroy\unins000.dat
c:\program files\Spybot - Search & Destroy\unins000.exe
c:\program files\Spybot - Search & Destroy\UnzDll.dll
c:\program files\Spybot - Search & Destroy\Update.exe
c:\program files\Spybot - Search & Destroy\Updates\downloaded.ini
c:\program files\Spybot - Search & Destroy\ZipDll.dll
C:\setupcze(2).exe
C:\setupcze.exe
c:\windows\iun6002.exe
c:\windows\system32\drivers\fidbox.dat
c:\windows\system32\drivers\fidbox.idx
c:\windows\system32\drivers\fidbox2.dat
c:\windows\system32\drivers\fidbox2.idx

Nakažená kopie c:\windows\system32\qmgr.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-25 do 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 18:03 . 2010-05-25 18:03 17144 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-05-25 04:15 . 2010-05-25 20:34 3698362 ----a-r- C:\ComboFix.exe
2010-05-24 17:23 . 2010-05-24 17:23 50688 ----a-w- C:\ATF-Cleaner.exe
2010-05-24 04:14 . 2010-05-24 04:14 1402880 ----a-w- C:\HiJackThis.msi
2010-05-23 18:54 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 18:54 . 2010-04-29 13:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 18:54 . 2010-05-23 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 18:53 . 2010-05-23 18:53 6153376 ----a-w- C:\mbam-setup.exe
2010-05-23 17:42 . 2010-05-24 04:14 -------- d-----w- c:\program files\Trend Micro
2010-05-23 17:28 . 2010-05-23 17:28 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 17:12 . 2009-07-19 15:54 -------- d-----w- c:\program files\uTorrent
2010-04-16 16:12 . 2010-04-16 16:12 -------- d-----w- c:\program files\Common Files\Ahead
2010-04-16 16:12 . 2010-04-16 16:12 -------- d-----w- c:\program files\Ahead
2010-04-14 14:21 . 2010-04-14 14:21 -------- d-----w- c:\program files\TomTom DesktopSuite
2010-04-06 18:28 . 2010-04-06 18:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-31 17:33 . 2010-01-12 20:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-30 16:14 . 2010-03-30 16:14 -------- d-----w- c:\program files\Realtek AC97
2010-03-30 15:49 . 2010-03-30 15:49 -------- d-----w- c:\program files\iXi Tools Software
2010-03-30 15:41 . 2009-07-17 15:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-30 15:36 . 2010-03-30 15:36 -------- d-----w- c:\program files\C-Media
2010-03-30 07:41 . 2010-01-28 09:47 -------- d-----w- c:\program files\Fotolab
2010-03-28 16:05 . 2010-03-28 16:05 -------- d-----w- c:\program files\Winamp
2010-03-28 13:56 . 2001-10-25 12:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-03-28 13:56 . 2001-10-25 12:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-03-27 09:32 . 2010-03-27 09:31 -------- d-----w- c:\program files\EasyFrom
2010-03-27 09:32 . 2010-03-27 09:32 -------- d-----w- c:\program files\Microsoft Visual FoxPro OLE DB Provider
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-29 321328]
"DriverUpdaterPro"="c:\program files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe" [2010-03-29 4353024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-12 7626752]
"nwiz"="nwiz.exe" [2006-07-12 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-12 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {160AE1E6-D18B-441A-84F1-010F65024626} = 172.23.76.1,10.153.195.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Martin Žídek\Data aplikací\Mozilla\Firefox\Profiles\5aojw4um.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: network.proxy.ftp - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - proxy.nasi.ova.czf
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-Spybot - Search & Destroy_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 22:43
Windows 5.1.2600 Service Pack 1 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(536)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3016)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\program files\Common Files\Microsoft Shared\Web Components\10\1029\OWCI10.DLL
c:\windows\System32\MSCTF.dll
c:\windows\System32\MLANG.dll
c:\windows\System32\mshtml.dll
c:\windows\System32\msimtf.dll
c:\windows\System32\MSLS31.DLL
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\System32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Celkový čas: 2010-05-25 22:45:35 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-05-25 20:45
ComboFix2.txt 2010-05-25 13:34

Před spuštěním: 411 443 200
Po spuštění: 169 672 704

- - End Of File - - 565B13BB00586EC4F7AF59A36015121E

z HJT je to

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:29:26, on 25.5.2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools Software\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{160AE1E6-D18B-441A-84F1-010F65024626}: NameServer = 172.23.76.1,10.153.195.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3104 bytes

[zidekmartinek]

já to omylem poslal dvakrát. jo už jdu udělat, co jsi napsal.

[zidekmartinek]

výsledky z virustotal zšiřující informace
File size: 221184 bytes
MD5 : d8681f65568ac0c6c7ed11e028ee3503
SHA1 : 339c538892a4a28b8122a19c57838f50b1aed5ad
SHA256: bc8e515c6630301fe884764de86dfd43656498a955e91c4e00bac55e2508ee66
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x58BB
timedatestamp.....: 0x3D8BC4D6 (Sat Sep 21 03:01:10 2002)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2E3C1 0x2E400 6.54 e01ec4e7afd00b2261a1b5fc0a5bef33
.data 0x30000 0x101E4 0x200 2.81 cac898696d46de43757e026e2cd865f1
.rsrc 0x41000 0x2E7C 0x3000 3.79 ec4eb61bb6aecac1f5fa273dc9a3b70b
.reloc 0x44000 0x441E 0x4600 6.21 11b908560e87d87d25abe61b74fef4f3

( 16 imports )

> advapi32.dll: OpenThreadToken, RegOpenKeyExW, GetSidSubAuthorityCount, GetSidSubAuthority, AllocateAndInitializeSid, FreeSid, CopySid, StartTraceW, EnableTrace, ControlTraceW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceLoggerHandle, GetTraceEnableLevel, RegisterServiceCtrlHandlerExW, SetServiceStatus, CloseServiceHandle, ChangeServiceConfigW, OpenServiceW, OpenSCManagerW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, SetThreadToken, RevertToSelf, ImpersonateLoggedOnUser, SetSecurityDescriptorDacl, SetEntriesInAclW, GetTokenInformation, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, ImpersonateSelf, AccessCheck, MakeSelfRelativeSD, MakeAbsoluteSD, CheckTokenMembership, GetLengthSid, EqualSid, CreateProcessAsUserW, LogonUserW, OpenProcessToken, ConvertStringSidToSidW, ConvertSidToStringSidW, MapGenericMask, TraceEvent, RegSetValueExW, RegCreateKeyExW, GetTraceEnableFlags
> crypt32.dll: CryptProtectData, CryptUnprotectData
> iphlpapi.dll: GetBestInterface, GetIpForwardTable, GetIfTable, GetIfEntry
> kernel32.dll: GlobalMemoryStatus, GetFileTime, GetVersionExW, lstrlenW, CompareFileTime, UnhandledExceptionFilter, QueueUserWorkItem, CreateDirectoryW, QueryPerformanceFrequency, DeleteFileW, FreeLibrary, InterlockedDecrement, InterlockedIncrement, GetLastError, DisableThreadLibraryCalls, Sleep, SetEvent, CloseHandle, WaitForSingleObject, CreateEventW, GetSystemTimeAsFileTime, LockResource, LoadResource, FindResourceW, GetProcAddress, LoadLibraryW, ExpandEnvironmentStringsW, InterlockedCompareExchange, HeapAlloc, HeapFree, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetWaitableTimer, LocalFree, LoadLibraryExW, FormatMessageW, GetModuleFileNameW, GetCurrentThreadId, DuplicateHandle, GetCurrentProcess, CreateFileW, CreateWaitableTimerW, SetLastError, GetExitCodeThread, WaitForMultipleObjects, CreateThread, CancelWaitableTimer, FileTimeToSystemTime, SystemTimeToFileTime, GetTickCount, ReleaseMutex, ReleaseSemaphore, TlsGetValue, CreateSemaphoreW, TlsSetValue, WaitForMultipleObjectsEx, TlsFree, ResetEvent, CreateMutexW, TlsAlloc, GetCurrentThread, LocalAlloc, GetCurrentProcessId, SetEndOfFile, SetFilePointerEx, GetFileSizeEx, FlushFileBuffers, WriteFile, ReadFile, InitializeCriticalSection, SleepEx, CancelIo, WideCharToMultiByte, SetFilePointer, SetThreadPriority, GetFileType, GetVolumeInformationW, MoveFileExW, SetFileAttributesW, GetFileAttributesW, SetFileTime, GetVolumePathNameW, GetFullPathNameW, GetVolumeNameForVolumeMountPointW, GetTempFileNameW, GetFileInformationByHandle, GetDriveTypeW, GlobalFree, QueryPerformanceCounter, lstrcmpW
> msvcrt.dll: malloc, _adjust_fdiv, __1type_info@@UAE@XZ, _terminate@@YAXXZ, _except_handler3, wcslen, __CxxFrameHandler, free, _initterm, _wfullpath, wcsstr, _ftol, iswalpha, wcsncmp, _wcsicmp, memmove, swscanf, wcschr, wcstok, _CxxThrowException, wcsncpy, wcscmp, _purecall, _vsnwprintf
> ntdll.dll: RtlCreateHeap, NtRaiseException
> ole32.dll: CoTaskMemAlloc, CoRegisterClassObject, CoImpersonateClient, CoTaskMemFree, IIDFromString, CoRevokeClassObject, StringFromGUID2, CoInitializeEx, CoCreateInstance, StringFromIID, CoInitializeSecurity, CoUninitialize
> oleaut32.dll: -, -, -, -
> rpcrt4.dll: UuidCreate, RpcBindingFree, RpcBindingSetAuthInfoExW, RpcBindingFromStringBindingW, NdrClientCall2
> shfolder.dll: SHGetFolderPathW
> user32.dll: PeekMessageW, MsgWaitForMultipleObjectsEx, DispatchMessageW, PostThreadMessageW, RegisterDeviceNotificationW, UnregisterDeviceNotification, TranslateMessage
> userenv.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> version.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
> winhttp.dll: WinHttpOpenRequest, WinHttpGetIEProxyConfigForCurrentUser, WinHttpReceiveResponse, WinHttpSendRequest, WinHttpCloseHandle, WinHttpTimeFromSystemTime, WinHttpSetOption, WinHttpAddRequestHeaders, WinHttpQueryHeaders, WinHttpSetCredentials, WinHttpConnect, WinHttpOpen, WinHttpQueryAuthSchemes, WinHttpSetStatusCallback, WinHttpReadData, WinHttpCrackUrl, WinHttpGetProxyForUrl
> ws2_32.dll: -, -, WSASocketW, -, WSAIoctl, -, -, -
> wtsapi32.dll: WTSEnumerateSessionsW, WTSQuerySessionInformationW, WTSFreeMemory

( 1 exports )

> BITSServiceMain, ServiceMain
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 3072:nLJe0yEvzw12GwQuUPEUlSA5y6mQMBQaEI6p6/289C1w/aUihqNjAHIpund+Uz:Dt8kDQBN5y6mQMBgIMU+UihT7
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. V_echna pr_va vyhrazena.
product......: Opera_n_ syst_m Microsoft_ Windows_
description..: Slu_ba inteligentn_ho p_enosu na pozad_
original name: qmgr.dll
internal name: qmgr.dll
file version.: 6.2.2600.1106 (xpsp1.020828-1920)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-

[zidekmartinek]

tak jsem vše udělal, ta antivira ani avast nejde stáhnout, chce to SP4 a pořád ten disk d: myslíš, že se to ještě nějak povede?

[jaro3]

Znovu udělej ten Virustotal, čti:
Toto otestuj na Virustotal
c:\windows\system32\qmgr.dll
Pokud už byl soubor testován-klikni na otestovat znovu.

Až skončí test všech antivirů, vlož sem pak odkaz na stránku s výsledky.
Dal si to brzo , musíš počkat až skončí test všech antivirů, pak teprve označit stránku.

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix /Uninstall

vyčisti systém CCleanerem

a použij i T-Cleaner
smaže vše po Combu,MWAVu atd.-stáhneš>spustíš

Stáhni si OTH
na svojí plochu( pokud používáš Firefox , pravým klikni na OTH link a vyber uložit jako (Save as..).

Stáhni si OTL
na svojí plochu (pokud používáš Firefox , pravým klikni na OTL link a vyber uložit jako (Save as..).

Stáhni si soubor Scan.txt
na svojí plochu (pokud používáš Firefox , pravým klikni na OTL link a vyber uložit jako (Save as..).

Poklepej na soubor OTH na ploše , po spuštění programu klikni na Kill All Processes.Poté klikni na Start OTL .Poklepej Do prázdného okna pod Vlastní skenování /opravy ( Custom Scans box). Objeví se zpráva: Kliknutím na OK vyberete cestu k souboru, kliknutím na Zrušit zrušíte výběr.
Klikni na OK. Objeví se okno průzkumníku , zde klikneš na plochu a najdeš na ní soubor Scan.txt .Klikni na Otevřít.
Poté klikni na Rychle prohledat (Quick Scan). Neměň žádná jiná nastavení . Sken může trvat dlouho.
Kdy sken skončí , objeví se na ploše dva logy:
OTL.Txt a Extras.Txt , jsou uloženy ve stejném místě jako OTL.
Zkopíruj sem prosím celý obsah obou logů.