Problem with malware
- bigben
- Newbie

- Registered: 01 Feb 2007
Problem with malware
Hi, I have a problem. There's some malware on my computer that I can't get rid of. I have Spyware Terminator, Spyware Doctor and SuperAntiSpyware, plus NOD installed, and I've tried 5 other programs. With NOD and Doctor the bastard won't let me update, and I can't install Spybot either.
Can you think of any other program or another solution? Thanks
AMD X2 4000 2000MHz@2600, 2GB (4*512) A-Data Ext. Ed. 800MHz@1066, motherboard ASUS M3A32-MVP Deluxe, graphics card 8800 GT, Fortron 500W, 80G WD (PATA) and Barracuda 160 SATA
- Karlos.s
- Intermediate

- Registered: 24 Apr 2004
- Location: Mladá Boleslav
Re: Problem with malware
Well, it would help to say what kind of malware, wouldn't it? Do you know?
Otherwise, to start with, you can post a HijackThis log.
PC: Intel Core i7 3770K 3,9GHz | ASUS P8Z77-V Pro | G-Skill Trident X 32GB (4x8GB) DDR3 1600 CL7 | MSI ASUS GTX1080Ti SeaHawk EK 11GB | NVMe Lexar NM790 1TB + SSD Intel 520series 180GB | LITE-ON DVD-RW LH20A1L SATA | BeQuiet DarkBase 901 Pro + Enermax MODU82+ 525W | Microsoft Sidewinder X6 + X8 | Philips PHL328E1
Sound: ASUS XONAR Essence ST | M-Audio Studiophile BX5 | Sennheiser PC360
Water cooling: 2xLaiing D5 Vario (Swiftech+Alphacool) + EK serial Dualtop + Radiator Extreme III (360) + 3x Noctua NS-F12-800
Alphacool 280 + 2x140 Be Quiet, EK Supremacy, FullCover EK SeaHawk, MIPS RAM Freezer3, reservoir from Ali
PC: Intel Core i5 3570K 3,4GHz | ASUS P8Z77-V Pro | Crucial Ballistix Sport 8GB (2x4GB) DDR3 1600 CL9 | ASUS GTX660 DirectCU2 OC 2GB | SSD Intel 520series 180GB + Kingston V+ 96GB + WD2500KS | LITE-ON DVD-RW LH20A1L SATA | CHIEFTEC MA01BL bigtower + Enermax MODU82+ 525W | Microsoft Sidewinder X6 + X8 + SAITEK Aviator | ViewSonic VP191s
Sound: ASUS XONAR Essence ST | M-Audio Studiophile BX5 | Sennheiser PC360
Water cooling: 2xLaiing D5 Vario (Swiftech+Alphacool) + EK serial Dualtop + Radiator Extreme III (3x120) + 3x Noctua NS-F12-800, EK Supremacy, MIPS RAM Freezer3, HDD homemade Cu block, EK RES 400 rev2
- Capioca
- Beginner

- Registered: 05 Mar 2009
Re: Problem with malware
If you have more than one antivirus, they fight each other and neither detects anything.
1. Are you sure it's spyware?
2. Download Comodo, it's free http://www.personalfirevall.comodo.com/ (only for 30 days, but it should be enough for that virus)
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
I don't know what the thing is; I only know my dad had the same problem and managed to fix it, but of course he no longer remembers how. Yeah, I do have several programs, but they're switched off and I turn them on one at a time. I'll run it and post it here.
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
Hi, the malware's name doesn't interest us that much, but we'll clean the PC. First, please post a HijackThis log.
Download HijackThis e.g. from here - http://www.stahuj.centrum.cz/internet_a ... ijackthis/
Usage
1. Run the program and press the "Do a system scan and save a log" button
2. Paste the entire contents of the text document that pops up by itself after a moment here as a normal post; I'll check it, and then we'll see what to do next.
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
Here it is:
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\a-squared Free\a2service.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
e:\Spyware Doctor\pctsAuxs.exe
e:\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
e:\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
E:\QIP\qip.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
e:\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qip.ru/search?query=%s&from=IE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karneval.cz:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {F53BAFE5-CE7A-4E95-95AC-A3912EFD3739} - (no file)
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ISTray] "e:\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BA7090-6950-4066-8D15-60B50FCC20C1}: NameServer = 81.27.192.33,81.27.192.97
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\a-squared Free\a2service.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - e:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - e:\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 6877 bytes
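As an added example (not from the thread and not part of HijackThis), here is a Python triage pass over the log format posted above: it parses the R0/R1/R3/O2/O17/O23 lines and flags the entries a reviewer looks at first, which in this log are the browser pages pointed at search.qip.ru, the R3 hook and O2 BHO marked "(no file)", and the O17 DNS servers. The expected hosts and DNS servers are parameters you fill in from what the ISP or admin actually assigned; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log: flag entries worth a reviewer's attention."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted in the thread (constructed sample
# for this example; the process-list header lines are omitted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.qip.ru
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {F53BAFE5-CE7A-4E95-95AC-A3912EFD3739} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BA7090-6950-4066-8D15-60B50FCC20C1}: NameServer = 81.27.192.33,81.27.192.97
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O2"
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


def _host_of(value: str) -> str:
    """Return the host part of a URL-like value ('http://a.b/c' or just 'a.b')."""
    value = value.strip()
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def triage(log_text, expected_hosts=frozenset(), expected_dns=frozenset()):
    """Return the entries that deserve a closer look.

    expected_hosts: hosts the user really chose as start/search pages (assumption:
    you fill this in); anything else in an R0/R1 line is reported.
    expected_dns: name servers the ISP/admin assigned (assumption: you fill this
    in); any other server in an O17 line is reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue  # process-list and header lines carry no section code
        code, rest = line.split(" - ", 1)
        if "(no file)" in rest:
            findings.append(Finding(code, "entry points at a file that no longer exists (orphaned hook/BHO)", line))
            continue
        if code in ("R0", "R1") and " = " in rest:
            host = _host_of(rest.split(" = ", 1)[1])
            if host and host not in expected_hosts:
                findings.append(Finding(code, f"browser page redirected to {host}", line))
        elif code == "O17" and "NameServer = " in rest:
            servers = {s.strip() for s in rest.split("NameServer = ", 1)[1].split(",")}
            unexpected = sorted(servers - set(expected_dns))
            if unexpected:
                findings.append(Finding(code, "DNS servers not in the expected set: " + ", ".join(unexpected), line))
        elif code == "O23" and "Unknown owner" in rest:
            findings.append(Finding(code, "service without a recorded publisher; verify the binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```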
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
OK, now also post an MBAM log.
Quote:
Now download and run
Download Malwarebytes' Anti-Malware - http://viry.cz/forum/viewtopic.php?f=29&t=67229
Do a full scan of the C system drive
Post the log here; don't delete anything until the log has been reviewed

- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
Do you mean this?
Malwarebytes' Anti-Malware 1.34
Verze databáze: 1749
Windows 5.1.2600 Service Pack 3
15.3.2009 21:38:30
mbam-log-2009-03-15 (21-38-26).txt
Typ skenu: Rychlý sken
Objektu skenováno: 63128
Uplynulý cas: 3 minute(s), 6 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 3
Infikované hodnoty registru: 1
Infikované položky dat registru: 1
Infikované složky: 0
Infikované soubory: 0
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.
Infikované hodnoty registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
Infikované položky dat registru:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: (regedit.exe "%1") -> No action taken.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
OK, run it once more (but a Full scan, not just a Quick one), delete everything it finds and post a new log.
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
OK, so hopefully this is the right one
17.3.2009 21:19:02
mbam-log-2009-03-17 (21-18-57).txt
Typ skenu: Úplný sken (C:\|E:\|G:\|)
Objektu skenováno: 128891
Uplynulý cas: 32 minute(s), 0 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 3
Infikované hodnoty registru: 1
Infikované položky dat registru: 1
Infikované složky: 0
Infikované soubory: 2
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.
Infikované hodnoty registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
Infikované položky dat registru:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: (regedit.exe "%1") -> No action taken.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\System Volume Information\_restore{72E4CA34-EE4A-479D-87D8-5EAF73106110}\RP337\A0296842.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{72E4CA34-EE4A-479D-87D8-5EAF73106110}\RP337\A0296843.dll (Trojan.Vundo) -> No action taken.
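Every finding in the log above still ends in "No action taken", which is why the next reply says the malware was not deleted. As an added example (not from the thread and not part of Malwarebytes), here is a Python parser for this log format that lists what is still pending removal and only reports the cleanup as complete when every finding was quarantined; the sample is assembled from lines of the logs above, with one line taken from the post-removal log so both states appear.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and check whether findings were removed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample assembled from the logs posted in the thread. The Czech
# section headers are Malwarebytes' own output and are left as they appear.
MBAM_LOG = r"""
Infikované klíce registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.
Infikované položky dat registru:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: (regedit.exe "%1") -> No action taken.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\System Volume Information\_restore{72E4CA34-EE4A-479D-87D8-5EAF73106110}\RP337\A0296842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

REMOVED = "Quarantined and deleted successfully"


@dataclass
class Detection:
    item: str    # registry key/value or file path
    threat: str  # Malwarebytes' detection name, e.g. Trojan.Vundo
    action: str  # what MBAM did, e.g. "No action taken"
    detail: str  # extra text such as the Bad:/Good: pair, empty if none


# "<item> (<threat name>)" with the threat name in the trailing parentheses.
_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Za-z0-9._-]+)\)$")


def parse_mbam(log_text):
    """Return one Detection per finding line; headers and counts are skipped."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " -> " not in line:
            continue  # section headers, summary counts and "(no items)" lines
        head, action = line.rsplit(" -> ", 1)
        # Some entries carry an intermediate "-> Bad: (...) Good: (...)" segment.
        head, _, detail = head.partition(" -> ")
        m = _ENTRY.match(head)
        if not m:
            continue
        found.append(Detection(m["item"], m["threat"], action.rstrip("."), detail))
    return found


def pending_removal(log_text):
    """Detections the user still has to act on (the state of the log above)."""
    return [d for d in parse_mbam(log_text) if d.action != REMOVED]


def cleanup_complete(log_text):
    """True only when MBAM found something and every finding was quarantined."""
    found = parse_mbam(log_text)
    return bool(found) and not pending_removal(log_text)


def action_summary(log_text):
    """Count findings per action, e.g. {'No action taken': 3, ...}."""
    return Counter(d.action for d in parse_mbam(log_text))


if __name__ == "__main__":
    for d in pending_removal(MBAM_LOG):
        print(f"still present: {d.threat}: {d.item}")
    print("cleanup complete:", cleanup_complete(MBAM_LOG))
```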
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
You didn't delete the malware. Following the guide at http://viry.cz/forum/viewtopic.php?f=29&t=67229, delete everything it finds after the scan.
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
He wrote: Post the log here; don't delete anything until the log has been reviewed

So I haven't deleted it yet, even though I wanted to; I'll delete it then.
- Karlos.s
- Intermediate

- Registered: 24 Apr 2004
- Location: Mladá Boleslav
Re: Problem with malware
True, but then he wrote:
Quote (bigben wrote): He wrote: Post the log here; don't delete anything until the log has been reviewed
Quote: OK, run it once more (but a Full scan, not just a Quick one), delete everything it finds and post a new log.
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
Yep, now it needs to be deleted, because there is no legitimate file/process in there, ....
Try deleting it via MBAM, and send a new log.
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
So, after removal:
19.3.2009 18:41:58
mbam-log-2009-03-19 (18-41-58).txt
Typ skenu: Úplný sken (C:\|)
Objektu skenováno: 101243
Uplynulý cas: 23 minute(s), 59 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 3
Infikované hodnoty registru: 1
Infikované položky dat registru: 1
Infikované složky: 0
Infikované soubory: 2
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Infikované hodnoty registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
Infikované položky dat registru:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\System Volume Information\_restore{72E4CA34-EE4A-479D-87D8-5EAF73106110}\RP337\A0296842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{72E4CA34-EE4A-479D-87D8-5EAF73106110}\RP337\A0296843.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
- jansv
- Intermediate

- Registered: 16 Nov 2008
Re: Problem with malware
OK, how does the PC behave now? Please also post a new HijackThis log.
- bigben
- Newbie

- Registered: 01 Feb 2007
Re: Problem with malware
It behaves exactly the same: it won't allow updates, and installing Spybot doesn't work either.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:44:11, on 22.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\a-squared Free\a2service.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
e:\Spyware Doctor\pctsAuxs.exe
e:\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\System32\alg.exe
e:\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Clock Tray Skins\ClockTraySkins.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_UR
- jansv
- Slightly advanced
- Registered: 16 Nov 2008
Re: problem with malware
OK, so there is still something in there; please post a ComboFix log:
Instructions (quoted):
Download ComboFix and save it to the desktop.
Run it under an account with Administrator rights; close all applications before running it.
Right after it starts, press the 1 key and confirm with Enter.
The whole process takes around 10 minutes, sometimes longer.
Don't be alarmed if your machine gets restarted.
After the restart the application creates a log saved at C:/Combofix.txt (on repeated use the logs are named Combofix2.txt etc.); PASTE ITS CONTENTS HERE.
- bigben
- Newbie
- Registered: 01 Feb 2007
Re: problem with malware
:\program files\INSTALL.LOG
c:\windows\system32\avrt.dll
c:\windows\system32\D3DX10d_39.dll
H:\autorun.inf
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-02-24 do 2009-03-24 )))))))))))))))))))))))))))))))
.
2009-03-21 19:32 . 2009-03-21 19:32 118 --a------ c:\windows\system32\MRT.INI
2009-03-19 19:38 . 2009-03-19 19:38 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-19 19:07 . 2008-10-16 02:03 1,499,648 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2009-03-19 19:07 . 2008-10-16 02:03 667,136 -----c--- c:\windows\system32\dllcache\wininet.dll
2009-03-19 19:07 . 2008-10-16 02:03 619,008 -----c--- c:\windows\system32\dllcache\urlmon.dll
2009-03-19 19:07 . 2008-06-14 18:35 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-19 19:06 . 2008-12-12 18:03 3,088,896 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-19 19:06 . 2008-08-14 14:26 2,191,360 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-19 19:06 . 2008-08-14 14:26 2,147,328 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-19 19:06 . 2008-08-14 14:26 2,068,224 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-19 19:06 . 2008-08-14 14:26 2,025,984 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-19 19:05 . 2008-04-11 20:06 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-19 19:05 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-19 19:05 . 2008-12-11 11:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-19 19:05 . 2008-05-01 15:37 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-19 19:05 . 2008-05-08 15:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-19 19:04 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-19 19:04 . 2008-10-15 17:38 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-19 19:03 . 2009-03-19 19:41 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-15 21:34 . 2009-03-15 21:34 <DIR> d-------- c:\documents and settings\MARA\Data aplikací\Malwarebytes
2009-03-15 21:34 . 2009-03-15 21:34 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2009-03-15 21:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 21:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-15 21:28 . 2009-03-15 21:28 <DIR> d-------- c:\program files\Panda Security
2009-03-15 21:28 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-12 17:11 . 2002-05-20 17:03 64,731 --a------ c:\windows\system32\drivers\TIACXLN.SYS
2009-03-12 17:11 . 2002-04-09 15:26 30,052 --a------ c:\windows\system32\drivers\TIACXSN.BIN
2009-03-12 17:11 . 2002-03-04 13:56 7,597 --a------ c:\windows\system32\drivers\TIACXLN.CAT
2009-03-07 20:59 . 2009-03-07 20:59 <DIR> d-------- c:\documents and settings\MARA\fontconfig
2009-03-07 20:25 . 2009-03-07 20:25 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Trymedia
2009-03-06 21:56 . 2009-03-06 21:56 <DIR> d-------- c:\program files\Comodo
2009-03-06 21:56 . 2009-03-06 21:56 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Comodo
2009-03-06 21:56 . 2009-03-06 21:56 216,576 --a------ c:\windows\system32\monln.dll
2009-03-06 21:06 . 2009-03-06 21:06 <DIR> d-------- C:\New Folder
2009-03-06 21:06 . 2009-03-06 21:06 <DIR> d-------- c:\documents and settings\MARA\Data aplikací\SUPERAntiSpyware.com
2009-03-06 21:06 . 2009-03-06 21:06 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\SUPERAntiSpyware.com
2009-03-06 20:58 . 2009-03-06 20:58 <DIR> d-------- C:\Computer
2009-03-06 19:22 . 2009-03-24 14:42 <DIR> d-------- c:\documents and settings\MARA\.smplayer
2009-03-06 18:29 . 2009-03-06 18:29 <DIR> d-------- c:\documents and settings\MARA\Data aplikací\PC Tools
2009-03-06 18:29 . 2008-08-25 11:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-03-06 18:29 . 2008-08-25 11:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-03-06 18:29 . 2008-08-25 11:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-03-06 18:29 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-03-06 18:01 . 2009-03-24 17:33 <DIR> d-a------ c:\documents and settings\All Users\Data aplikací\TEMP
2009-03-06 14:34 . 2009-03-06 14:34 <DIR> d-------- c:\program files\uTorrent
2009-03-06 14:34 . 2009-03-22 17:04 <DIR> d-------- c:\documents and settings\MARA\Data aplikací\uTorrent
2009-03-06 13:45 . 2007-01-18 13:00 3,968 --a------ c:\windows\system32\drivers\AvgArCln.sys
2009-03-05 22:32 . 2009-03-24 17:41 <DIR> d-------- c:\program files\Spyware Terminator
2009-03-05 22:32 . 2009-03-24 17:41 <DIR> d-------- c:\documents and settings\MARA\Data aplikací\Spyware Terminator
2009-03-05 22:32 . 2009-03-06 13:45 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Spyware Terminator
2009-03-05 22:32 . 2009-03-05 22:32 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-05 21:54 . 2008-04-14 08:51 33,792 -----c--- c:\windows\system32\dllcache\custsat.dll
2009-03-05 21:53 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-03-05 21:07 . 2009-03-05 22:02 <DIR> d-------- c:\program files\Analog Devices
2009-03-05 20:28 . 2008-04-14 00:10 96,512 --a------ c:\windows\system32\drivers\atapi.sys
2009-03-05 20:28 . 2008-04-14 00:10 24,960 --a------ c:\windows\system32\drivers\pciidex.sys
2009-03-05 20:28 . 2001-10-24 11:52 3,328 --a------ c:\windows\system32\drivers\pciide.sys
2009-03-05 20:28 . 2001-10-24 11:52 3,328 --a--c--- c:\windows\system32\dllcache\pciide.sys
2009-03-05 19:03 . 2008-04-14 08:46 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-05 19:02 . 2002-09-23 13:00 95,232 --a--c--- c:\windows\system32\dllcache\certmap.ocx
2009-03-05 19:02 . 2008-04-14 08:51 82,432 --a------ c:\windows\system32\cnbjmon2.dll
2009-03-05 19:02 . 2001-10-24 11:15 50,486 --a------ c:\windows\system32\CNBJHLP2.HLP
2009-03-05 19:02 . 2002-09-23 13:00 6,144 --a--c--- c:\windows\system32\dllcache\ftpsapi2.dll
2009-03-05 19:02 . 2001-10-24 11:15 1,216 --a------ c:\windows\system32\CNBJHLP2.CNT
2009-03-05 19:00 . 2008-04-14 08:51 956,928 --a------ c:\windows\system32\msdtctm.dll
2009-03-05 18:59 . 2008-04-14 08:51 2,061,824 --a------ c:\windows\system32\mstscax.dll
2009-03-05 18:33 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\dmusic.sys
2009-03-05 18:33 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2009-03-05 18:32 . 2008-04-14 07:44 58,496 --a------ c:\windows\system32\drivers\redbook.sys
2009-03-05 18:30 . 2009-03-05 19:06 <DIR> d-------- c:\windows\NV1116748.TMP
2009-03-05 18:28 . 2008-04-14 00:02 196,224 --a------ c:\windows\system32\drivers\rdpdr.sys
2009-03-05 18:28 . 2008-04-14 08:53 40,840 --a------ c:\windows\system32\drivers\termdd.sys
2009-03-01 17:31 . 2009-03-02 21:56 7,798 --a------ c:\windows\setupapi.old
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 20:11 --------- d-----w c:\program files\ESET
2009-03-12 16:11 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 20:56 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-06 20:56 434,252 ----a-w c:\windows\system32\MSVCRTD.DLL
2009-03-06 20:56 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-06 20:56 1,060,864 ----a-w c:\windows\system32\mfc71.dll
2009-03-06 18:15 --------- d-----w c:\program files\InterActual
2009-02-28 21:23 324 ----a-w C:\autorun.inf.vir
2009-02-09 14:07 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-02 16:32 --------- d-----w c:\documents and settings\All Users\Data aplikací\ESET
2009-02-02 11:55 --------- d-----w c:\documents and settings\MARA\Data aplikací\ESET
2008-03-09 06:25 236 ---ha-w c:\program files\Common Files\dx.reg
2008-01-07 18:33 22,328 ----a-w c:\documents and settings\MARA\Data aplikací\PnkBstrK.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SkinClock"="c:\program files\Clock Tray Skins\ClockTraySkins.exe" [2005-07-29 806912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="c:\windows\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 24576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8527872]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-10-18 1598720]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-03-05 2233856]
"ISTray"="e:\spyware doctor\pctsTray.exe" [2008-08-25 1168264]
"RivaTunerStartupDaemon"="e:\ovladace\RivaTuner v2.06\RivaTuner.exe" [2007-10-30 2650112]
"nwiz"="nwiz.exe" [2007-10-25 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0sprestrt
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-12-19 19:28 1434864 c:\ccleaner\ccleaner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanDiskAutoRun]
--a------ 2005-09-16 08:53 1595904 c:\yenicag\cleandiskse\cleandisk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 11:48 157592 e:\daemon tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 05:03 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 05:03 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-25 17:17 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-06-03 20:51 131072 c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2006-07-10 21:10 137216 c:\windows\system32\nvraidservice.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2007-10-30 19:05 2650112 e:\ovladace\RivaTuner v2.06\RivaTuner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2006-12-18 21:34 868352 c:\program files\Analog Devices\Core\smax4pnp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\video\\win dvd\\WinDVD.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-09-21 119808]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-06-15 143256]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-15 28544]
R1 ntiowp;ntiowp;c:\windows\system32\drivers\ntiowp.sys [2005-01-03 9408]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-03-05 142592]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-10-18 455936]
R2 lladrv;LLAdrv;c:\windows\system32\drivers\lladrv.sys [2004-08-22 32544]
R2 sdAuxService;PC Tools Auxiliary Service;e:\spyware doctor\pctsAuxs.exe [2009-03-06 356920]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [2002-12-27 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [2002-12-27 98560]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-09-23 69120]
S1 SASKUTIL;SASKUTIL;\??\c:\new folder\aaaaa\SASKUTIL.sys --> c:\new folder\aaaaa\SASKUTIL.sys [?]
S2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [2007-05-23 20539]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys --> c:\windows\system32\DRIVERS\nvtvsnd.sys [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\MARA\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\MARA\LOCALS~1\Temp\ALSysIO.sys [?]
S3 CrystalCpuInfo;CrystalCpuInfo;\??\c:\docume~1\MARA\LOCALS~1\Temp\CpuInfo.sys --> c:\docume~1\MARA\LOCALS~1\Temp\CpuInfo.sys [?]
S3 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-06-12 61440]
S3 RTCore32;RTCore32;\??\e:\cpu tun\RTCore32.sys --> e:\cpu tun\RTCore32.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\MARA\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\MARA\LOCALS~1\Temp\TCCpuInfo.sys [?]
--- Ostatní služby/ovladače v paměti ---
*Deregistered* - mchInjDrv
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e84a504e-cac3-11da-9a79-000ea6074615}]
\Shell\AutoRun\command - M:\setupSNK.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1532298954-839522115-1003.job
- c:\documents and settings\MARA\Local Settings\Data aplikac []
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Notify-AtiExtEvent - (no file)
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-nod32kui - c:\nog\nod32kui.exe
MSConfigStartUp-NVIDIA nTune - e:\ovladace\nTune\nTuneCmd.exe
.
------- Doplňkový sken -------
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.microsoft.com
uInternet Settings,ProxyServer = proxy.karneval.cz:3128
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: {B8BA7090-6950-4066-8D15-60B50FCC20C1} = 81.27.192.33,81.27.192.97
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\MARA\Data aplikací\Mozilla\Firefox\Profiles\ewdr1vih.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.type - 4
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 17:48:13
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
S3 ALSysIO;ALSysIO;\??\c:\docume~1\MARA\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\MARA\LOCALS~1\Temp\ALSysIO.sys [?]
S3 CrystalCpuInfo;CrystalCpuInfo;\??\c:\docume~1\MARA\LOCALS~1\Temp\CpuInfo.sys --> c:\docume~1\MARA\LOCALS~1\Temp\CpuInfo.sys [?]
S3 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [2007-06-12 61440]
S3 RTCore32;RTCore32;\??\e:\cpu tun\RTCore32.sys --> e:\cpu tun\RTCore32.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\MARA\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\MARA\LOCALS~1\Temp\TCCpuInfo.sys [?]
--- Ostatní služby/ovladače v paměti ---
*Deregistered* - mchInjDrv
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e84a504e-cac3-11da-9a79-000ea6074615}]
\Shell\AutoRun\command - M:\setupSNK.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1532298954-839522115-1003.job
- c:\documents and settings\MARA\Local Settings\Data aplikac []
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Notify-AtiExtEvent - (no file)
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-nod32kui - c:\nog\nod32kui.exe
MSConfigStartUp-NVIDIA nTune - e:\ovladace\nTune\nTuneCmd.exe
.
------- Doplňkový sken -------
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.microsoft.com
uInternet Settings,ProxyServer = proxy.karneval.cz:3128
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: {B8BA7090-6950-4066-8D15-60B50FCC20C1} = 81.27.192.33,81.27.192.97
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\MARA\Data aplikací\Mozilla\Firefox\Profiles\ewdr1vih.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.type - 4
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 17:48:13
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
- jansv
- Slightly advanced
- Registered: 16 Nov 2008
Re: problem with malware
It is pasted incorrectly and is not complete; try pasting it again from C:/, or run ComboFix once more.