Win32:Trojan-gen (UPX)

[zdenek2305]

Ahoj, mám menší problém s win32:trojan-gen (UPX). Po spuštění počítače mi ho Avast hlásí v souboru C:\WINDOWS\system32\totour.exe, a když ho smáznu, stejně se tam objeví znovu. Nevíte někdo co s tím?
Dík moc za radu.

Logfile of HijackThis v1.99.1
Scan saved at 7:11:27, on 11.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\windows\system32\uvnx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\OETRN.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Zdeněk\Plocha\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Sendeachfragslow] C:\Documents and Settings\All Users\Data aplikací\Copy bags send each\Time Memo.exe
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
O4 - HKLM\..\Run: [dmnxr.exe] C:\WINDOWS\system32\dmnxr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfTeam] C:\DOCUME~1\ZDENK~1\DATAAP~1\GLOBAL~1\Keep cast.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFE45D5-6699-49BB-8FFE-EA31ABF82311}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{82797945-5D0F-49B7-8138-FFC7294CE89D}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A38AE82-DB94-40C4-8F1F-DA8B0732B1C7}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[Reklama]

[Baron Prášil]

příšerný!

nejdřív nainstaluj firewall
vyber tady-Comodo doporučím
http://viry.cz/forum/viewtopic.php?t=65 ... b226c523ee

a pak to projeď MWAVem(máš tam několik typů nákazy,tak uvidíme co veme)

http://www.mwti.com/products/mwav/mwav.asp

Po spuštění MWAV dej Update.Nezatrhávej volbu Scan Only Po update klikni na Scan & Clean začne scanování.Co najde to odstraní.
Po skončení scanování možná bude chtít restart tak ho povol.

pak pošli novej log

[zdenek2305]

Tak ta potvora je tam pořád...nainstaloval jsem firewall, projel to tím prográmkem, ale ten soubor mi tam skáče dál. Tady je novej log.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:07, on 11.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\OETRN.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Comodo\Firewall\cpfupdat.exe
C:\Documents and Settings\Zdeněk\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFE45D5-6699-49BB-8FFE-EA31ABF82311}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{82797945-5D0F-49B7-8138-FFC7294CE89D}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A38AE82-DB94-40C4-8F1F-DA8B0732B1C7}: NameServer = 85.255.116.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[Damned]

Starý známý totour.

No nevím jestli to pomůže.

Ale stáhni si Combofix a spusť ho.
postupuj dle pokynů během aplikování ComboFixu neklikej do zobrazujícího se okna může se stát totiž že to proces zastaví.
Po skončení se vytvoří log tak sem zkopíruj jeho obsah.

V tom logu budou soubory vytvořené za posledních 30 dní ve Windows složkách.

Je možné že tam uvidíme škodlivé soubory které by mohli mít něco společného s tím totour.exe.

Ale neříkám že to pomůže

[fredik]

Máš tam ještě Wareout odstraň ho podle následujícího návodu: Wareout a jeho odstranění
pak udělej log z Combofixu

[sakiri]

Funkční odkaz na stažení Combofixu je zde

[zdenek2305]

Tak tady je log z jednoho programu:
Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csuuk.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4FFE7F65DD44-7D3B-9324-4FB4-6523CF87{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A51ECD9B28F7-0E78-E924-0C36-22BA3241{" Deleted
....
»»»»» Misc files.
C:\WINDOWS\system32\{CF8DA3FA-9451-4D83-866A-F04B5EC367DB}.exe Deleted
C:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SNPSTD2"="C:\\WINDOWS\\vsnpstd2.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PMCRemote"="C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\Remote\\Remoterm.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
"WEBTRAN"=""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

A tady je druhej:
"ZdenŘk" - 07-04-11 21:08:13 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\ZdenŘk\Plocha"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\regedit.com


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 12:28 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-04-11 12:13 39,936 --a------ C:\WINDOWS\system32\totour.exe
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-04-11 09:26 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-04-11 09:23 147,968 --a------ C:\WINDOWS\R.COM
2007-04-11 09:23 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-04-11 09:18 <DIR> d-------- C:\Program Files\Comodo


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-25 07:08 61958 --a------ C:\WINDOWS\system32\perfc005.dat
2007-03-25 07:08 379294 --a------ C:\WINDOWS\system32\perfh005.dat
2007-03-07 17:52 -------- d-------- C:\Program Files\icqlite
2007-03-07 17:52 -------- d-------- C:\Program Files\icqlite
2007-03-02 19:50 -------- d-------- C:\Program Files\videolan
2007-03-02 19:50 -------- d-------- C:\Program Files\videolan
2007-03-02 09:47 491520 --a------ C:\WINDOWS\webie.dll
2007-03-02 09:47 45056 --a------ C:\WINDOWS\trnoeh.dll
2007-03-02 09:47 356352 --a------ C:\WINDOWS\trnoutl.dll
2007-03-02 09:47 294912 --a------ C:\WINDOWS\trnword.dll
2007-03-02 09:47 26624 --a------ C:\WINDOWS\oetrn.exe
2007-03-02 09:47 200704 --a------ C:\WINDOWS\trnoet.dll
2007-03-02 09:45 516096 --a------ C:\WINDOWS\un32.exe
2007-02-28 07:12 -------- d-------- C:\Program Files\global nurb ref
2007-02-28 07:12 -------- d-------- C:\Program Files\global nurb ref
2007-02-03 10:34 737280 --a------ C:\WINDOWS\iun6002.exe
2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
"WEBTRAN"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"C-Media Mixer"="Mixer.exe /startup"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SNPSTD2"="C:\\WINDOWS\\vsnpstd2.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PMCRemote"="C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\Remote\\Remoterm.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AAB076679187F0E7.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 21:10:27
C:\ComboFix-quarantined-files.txt ... 07-04-11 21:10

[zdenek2305]

A potom se mi tam objevil ještě soubor kde je tohle:

Kód: Vybrat vše

04-08-17 16:49      137216    --a------    C:\Qoobox\Quarantine\WINDOWS\system32\TASKMGR.COM.vir
04-08-17 16:49      147968    --a------    C:\Qoobox\Quarantine\WINDOWS\REGEDIT.COM.vir


Věpis CESTY slo§ky
S‚riov‚ źˇslo svazku je 3CAB-5D1E
C:\QOOBOX
\---Quarantine
    +---Registry_backups
    \---WINDOWS
        |   REGEDIT.COM.vir
        |   
        \---system32
                TASKMGR.COM.vir
               


[fredik]

Ještě tam máš Lop:

Stáhni si, vybal a spusť LopFind
- Po jeho spuštění se Ti během chvíle zobrazí textový dokument, jinak také uložený na disku pod umístěním C:\lop.txt, zkopíruj sem prosím celý jeho obsah.

Budem se to muset pak vzít všechno jedním vrzem protože se neskočilo ještě s tím Wareout.
Zkus si zjistit nastavení DNS serverů tvého poskytovatele, případně to může být pak potřeba.

[zdenek2305]

******************************************

1) Výpis obsahů Application Data složek pro zjištění podezřelých adresářů:

Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\Documents and Settings\All Users\DATAAP~1

11.04.2007 09:20 <DIR> Comodo
17.12.2006 19:08 <DIR> Copy bags send each
12.12.2006 15:47 <DIR> CanonBJ
23.11.2006 11:30 <DIR> DVD Shrink
18.11.2006 12:18 <DIR> Adobe
17.11.2006 15:55 <DIR> CyberLink
12.11.2006 23:07 <DIR> Pinnacle
09.11.2006 21:57 <DIR> HP
09.11.2006 18:30 950 hpzinstall.log
09.11.2006 08:46 <DIR> Ahead
08.11.2006 21:38 62 desktop.ini
08.11.2006 21:37 <DIR> Microsoft
08.11.2006 21:37 <DIR> .
08.11.2006 21:37 <DIR> ..
2 soubor…, 1012 bajt…
Adres ý…: 12, Volněch bajt…: 28559052800
Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\Documents and Settings\ZdenŘk\DATAAP~1

11.04.2007 09:20 <DIR> Comodo
02.03.2007 19:55 <DIR> vlc
04.02.2007 09:39 <DIR> Stardock
26.01.2007 20:12 <DIR> Real
02.01.2007 23:46 <DIR> STOIK
19.12.2006 20:03 21976 GDIPFONTCACHEV1.DAT
17.12.2006 19:42 <DIR> Lavasoft
17.12.2006 19:08 <DIR> BitRoll
17.12.2006 19:08 <DIR> Global Nurb Ref
06.12.2006 19:11 34 pcouffin.log
06.12.2006 19:11 81920 ezpinst.exe
06.12.2006 19:11 7176 pcouffin.cat
06.12.2006 19:11 47360 pcouffin.sys
06.12.2006 19:11 1144 pcouffin.inf
06.12.2006 19:11 <DIR> Vso
05.12.2006 12:29 <DIR> AdobeUM
05.12.2006 12:28 <DIR> Adobe
24.11.2006 07:50 <DIR> SlySoft
24.11.2006 07:47 40 .zreglib
21.11.2006 17:09 <DIR> Nokia Multimedia Player
21.11.2006 16:48 <DIR> DataLayer
21.11.2006 16:48 <DIR> Nokia
21.11.2006 16:44 <DIR> PC Suite
17.11.2006 15:59 <DIR> CyberLink
16.11.2006 18:55 <DIR> Corel
14.11.2006 19:02 <DIR> Image Zone Express
12.11.2006 19:24 <DIR> Skype
09.11.2006 22:42 <DIR> Ahead
09.11.2006 18:30 <DIR> HP
09.11.2006 15:47 <DIR> Sun
09.11.2006 02:29 <DIR> Macromedia
09.11.2006 00:18 <DIR> ICQLite
08.11.2006 20:54 <DIR> Identities
08.11.2006 20:54 62 desktop.ini
08.11.2006 20:54 <DIR> Microsoft
08.11.2006 20:54 <DIR> ..
08.11.2006 20:54 <DIR> .
8 soubor…, 159712 bajt…
Adres ý…: 29, Volněch bajt…: 28559052800
Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\Documents and Settings\Default User\DATAAP~1

08.11.2006 21:38 62 desktop.ini
08.11.2006 21:37 <DIR> ..
08.11.2006 21:37 <DIR> Microsoft
08.11.2006 21:37 <DIR> .
1 soubor…, 62 bajt…
Adres ý…: 3, Volněch bajt…: 28559052800
Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\Documents and Settings\LocalService\DATAAP~1

08.11.2006 20:52 <DIR> ..
08.11.2006 20:52 <DIR> Microsoft
08.11.2006 20:52 <DIR> .
0 soubor…, 0 bajt…
Adres ý…: 3, Volněch bajt…: 28559052800
Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\Documents and Settings\NetworkService\DATAAP~1

08.11.2006 20:52 <DIR> ..
08.11.2006 20:52 <DIR> Microsoft
08.11.2006 20:52 <DIR> .
0 soubor…, 0 bajt…
Adres ý…: 3, Volněch bajt…: 28559048704

******************************************

2) Vyhledávání a odstranění podezřelých .job souborů:

a) Soubory přítomné v C:\WINDOWS\tasks\ adresáři:

Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\WINDOWS\Tasks

28.02.2007 07:12 268 AAB076679187F0E7.job
08.11.2006 20:48 6 SA.DAT
08.11.2006 20:46 65 desktop.ini
08.11.2006 20:46 <DIR> ..
08.11.2006 20:46 <DIR> .
3 soubor…, 339 bajt…
Adres ý…: 2, Volněch bajt…: 28˙559˙048˙704

––––––––––––––––––––––––––––––––––––––––––

b) Zjišťování vlastností přítomných .job souborů:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAB076679187F0E7.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\zdenk~1\dataap~1\global~1\pile pure pop.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Zdeněk'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/11/2007 9:00:00
NextRun: 04/12/2007 9:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/08/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


––––––––––––––––––––––––––––––––––––––––––

c) Nalezené a odstraněné nežádoucí soubory:

AAB076679187F0E7.job

––––––––––––––––––––––––––––––––––––––––––

d) Soubory přítomné v adresáři po vymazání:

Svazek v jednotce C nem  § dnou jmenovku.
S‚riov‚ źˇslo svazku je 3CAB-5D1E.

Věpis adres ýe C:\WINDOWS\Tasks

08.11.2006 20:48 6 SA.DAT
08.11.2006 20:46 65 desktop.ini
08.11.2006 20:46 <DIR> ..
08.11.2006 20:46 <DIR> .
2 soubor…, 71 bajt…
Adres ý…: 2, Volněch bajt…: 28˙559˙044˙608

******************************************

3) Vyhledávání podvodných programů ve složce Program files:


Adresář C:\Program Files\Adv Nepřítomen !

Adresář C:\Program Files\Adverts Nepřítomen !

Adresář C:\Program Files\BitDownload Nepřítomen !

Adresář C:\Program Files\BitGrabber Nepřítomen !

Adresář C:\Program Files\BitRoll Přítomen !

Adresář C:\Program Files\C2Media Nepřítomen !

Adresář C:\Program Files\Download Plugin Nepřítomen !

Adresář C:\Program Files\Messenger Plus! 3 Nepřítomen !

Adresář C:\Program Files\NetPumper Nepřítomen !

Adresář C:\Program Files\Proxy download Nepřítomen !

Adresář C:\Program Files\SuperTorrent Nepřítomen !

Adresář C:\Program Files\Torrent101 Nepřítomen !

Adresář C:\Program Files\TorrentQ Nepřítomen !

[fredik]

Pokud jsi od vložení logu z Lopfind restartoval Pc tak spusť znovu Lopfind (log sem nemusíš dávat) a pokračuj dál podle návodu.

Zkus odinstalovat jestli tam bude přes Přidat nebo Odebrat programy:
BitRoll
global nurb ref

Stáhni si a spusť program OTMoveIT
- Do levého sloupce zkopíruj tyto cesty:
C:\Documents and Settings\All Users\DATAAP~1\Copy bags send each
C:\Documents and Settings\ZdenŘk\DATAAP~1\Global Nurb Ref
C:\Documents and Settings\ZdenŘk\DATAAP~1\BitRoll
C:\Program Files\BitRoll

- Po zkopírování klikni na tlačítko MoveIt a zkopíruj následně celý obsah z pravého sloupce, který bude informovat o výsledcích.
Je možné, že pokud nebudou moci být adresáře odstraněny, budeš dotázán na restart počítače, v tom případě restart potvrď .

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FFE45D5-6699-49BB-8FFE-EA31ABF82311}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{82797945-5D0F-49B7-8138-FFC7294CE89D}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A38AE82-DB94-40C4-8F1F-DA8B0732B1C7}: NameServer = 85.255.116.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{2812361A-9D16-4D39-B6B2-44923B41C8B8}: NameServer = 85.255.116.35
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.35 85.255.112.65
po zaškrtnutí klikni na tlačítko Fix Checked

Po té restartuj PC. Pokud ti nepůjde internet tak bude potřeba aby jsi ručně nastavil IP adresy DNS serverů podle tvého poskytovatele, případně může stačit nastavení na získávání adresy automaticky. Jak na to, je popsané v tom návodu co jsem ti dával odkaz na něj v části nazvané Dodatek:

Pak sem vlož log z OTMoveIT a nový log z HijackThis.

[zdenek2305]

C:\Documents and Settings\All Users\DATAAP~1\Copy bags send each moved successfully.
File/Folder C:\Documents and Settings\ZdenŘk\DATAAP~1\Global Nurb Ref not found.
File/Folder C:\Documents and Settings\ZdenŘk\DATAAP~1\BitRoll not found.
C:\Program Files\BitRoll\ZM moved successfully.
C:\Program Files\BitRoll moved successfully.

Created on 04.12.2007 11:00:21



Logfile of HijackThis v1.99.1
Scan saved at 11:08:10, on 12.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\OETRN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Zdeněk\Plocha\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe