Prosím o pomoc win32/AutoRun.IRCBot.CS červ

[georgdj]

Dobrý den,
celý počítač jsem překontroloval eset smart security a malwarebytes a zádná infiltrace nenalezena.
Jakmile připojím flashku nebo foťák tak mi esetsmart security napíše:

Object: H:/autorun.inf
Infiltrace: win32/AutoRun.IRCBot.CS červ
vyléčen smazáním

a znovu a znovu se vytváří a znovu a zno mi píše eset tu tabulku

Prosím někoho o kontrolu log. Mockrát děkuji

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:42, on 13.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EXPERTool\TBPanel.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\msnmsgupdater.exe
C:\Documents and Settings\Jirka\Data aplikací\Microsoft\winlog.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Programy\Total\TOTALCMD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jirka\Local Settings\Temporary Internet Files\Content.IE5\FIIJOZK6\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.5:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnmsgupdate] msnmsgupdater.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GAINWARD] C:\Program Files\EXPERTool\TBPanel.exe /A
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [winlog.exe] C:\Documents and Settings\Jirka\Data aplikací\Microsoft\winlog.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Program Files\Common Files\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MSI" TRANSFORMS="C:\Program Files\Common Files\Wise Installation Wizard\WISDD1865F0AD7340FBB23E1822E02396FF_9_09_0203.MST" WISE_SETUP_EXE_PATH="d:\win2kxp\PhysX_9.02.03_9.09.0203_SystemSoftware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 8925 bytes

[Rudy]

Dejte log z ComboFRix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

[georgdj]

ComboFix 10-01-13.06 - Jirka 13.01.2010 21:50:02.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3326.2896 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jirka\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý


VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Jirka\Data aplikací\Microsoft\winlog.exe
c:\program files\ICQ6.5\ICQLRun.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\ieuinit.inf
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\temps.exe

Nakažená kopie c:\windows\system32\midimap.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\VistaMizer\old\midimap.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Soubory vytvořené od 2009-12-13 do 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 15:42 . 2010-01-13 15:51 214231 ----a-w- C:\RapidUploader.exe
2010-01-13 10:18 . 2010-01-13 10:18 -------- d-----w- c:\program files\Common Files\Skype
2010-01-12 20:31 . 2009-06-11 21:43 -------- d-----w- C:\wifi
2010-01-10 18:42 . 2010-01-10 18:42 -------- d-----w- c:\program files\Intelore
2010-01-09 20:16 . 2009-12-23 03:10 971030 --sh--r- c:\windows\msnmsgupdater.exe
2010-01-02 21:49 . 2010-01-02 21:49 -------- d-----w- c:\documents and settings\Jirka\galet
2010-01-02 21:08 . 2009-09-23 08:41 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2010-01-02 19:47 . 2010-01-02 19:47 -------- d-----w- c:\documents and settings\Jirka\Data aplikacˇ
2010-01-02 19:31 . 2008-12-30 23:43 23480 ----a-w- c:\windows\system32\drivers\wip0204.sys
2010-01-02 19:31 . 2010-01-02 21:13 -------- d-----w- c:\program files\Wippien
2010-01-02 19:28 . 2010-01-02 21:12 -------- d-----w- c:\program files\n2n Gui
2010-01-02 19:24 . 2010-01-02 21:02 -------- d-----w- c:\program files\OpenVPN
2010-01-01 14:22 . 2010-01-01 14:26 -------- d-----w- C:\VP-EYE
2009-12-27 10:01 . 2010-01-10 09:14 -------- d-----w- C:\MULTIPLAYER
2009-12-24 22:50 . 2004-12-03 11:19 102400 ----a-w- c:\windows\MMVEM.EXE
2009-12-24 22:50 . 2002-05-28 08:52 106496 ----a-w- c:\windows\JAPI.DLL
2009-12-24 22:50 . 2001-06-24 16:32 172032 ----a-w- c:\windows\JAPI2.DLL
2009-12-24 22:50 . 1999-07-26 09:47 109840 ----a-w- c:\windows\VidCap32.exe
2009-12-24 22:48 . 2007-04-03 14:50 77824 ----a-r- c:\windows\VM305Cap.exe
2009-12-24 22:46 . 2007-04-09 15:46 57344 ----a-w- c:\windows\vm305_sti.exe
2009-12-24 22:46 . 2009-12-24 22:46 -------- d-----w- c:\windows\EffectResources
2009-12-24 22:46 . 2006-05-08 09:24 391688 ----a-w- c:\windows\system32\drivers\usbVM305.sys
2009-12-24 22:46 . 2005-08-05 17:36 81920 ----a-w- c:\windows\system32\VM305STI.dll
2009-12-24 22:46 . 2005-05-03 14:51 176128 ----a-w- c:\windows\amcap.exe
2009-12-24 22:46 . 2009-12-24 22:46 -------- d-----w- c:\program files\Vimicro
2009-12-17 20:47 . 2009-12-30 19:51 -------- d-----w- c:\program files\SweetIM
2009-12-15 16:37 . 2009-12-15 16:37 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 20:51 . 2009-08-08 11:46 -------- d-----w- c:\program files\ICQ6.5
2010-01-13 19:16 . 2002-02-19 15:43 79504 ----a-w- c:\windows\system32\perfc005.dat
2010-01-13 19:16 . 2002-02-19 15:43 432728 ----a-w- c:\windows\system32\perfh005.dat
2010-01-13 10:18 . 2009-03-25 08:01 -------- d-----r- c:\program files\Skype
2010-01-09 15:18 . 2009-08-11 18:18 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-09 15:18 . 2009-08-11 18:18 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-09 10:37 . 2009-03-24 18:07 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-01-08 19:22 . 2009-03-24 18:08 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-06 15:05 . 2009-11-18 15:58 -------- d-----w- c:\program files\rajce
2010-01-01 19:21 . 2009-03-24 22:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-30 19:52 . 2009-04-23 15:04 -------- d-----w- c:\program files\Mobiola Web Camera 2 for S60 3rd Edition
2009-12-30 19:51 . 2009-04-27 09:20 -------- d-----w- c:\program files\Testy Autoškola
2009-12-30 19:50 . 2009-09-14 08:58 -------- d-----w- c:\program files\EDDICA
2009-12-27 18:53 . 2009-03-24 18:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 10:14 . 2009-09-02 17:53 8 ----a-w- c:\windows\system32\nvModes.dat
.

------- Sigcheck -------

[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\winlogon.exe
[-] 2004-08-17 . 96112B362A1F419384CE57E5D92C6267 . 541696 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 347A58792F9322CCAB5ED09FAB72803B . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[-] 2008-04-14 . 347A58792F9322CCAB5ED09FAB72803B . 111104 . . [5.4.3790.5512] . . c:\windows\system32\wuauclt.exe
[7] 2008-04-14 . DF7917138B80C79D15B3E8520D565311 . 111104 . . [5.4.3790.5512] . . c:\windows\VistaMizer\old\wuauclt.exe
[-] 2004-08-17 . D236E3B128029D7A01EB50F778FFF414 . 111104 . . [5.4.3790.2180] . . c:\windows\$NtServicePackUninstall$\wuauclt.exe

[-] 2008-04-14 . 92FAE100B7A31616DEBF6F91175000AA . 724992 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 . 92FAE100B7A31616DEBF6F91175000AA . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . 4F993463DC5F3F80D77A3D34D7BFBFED . 617472 . . [5.82] . . c:\windows\VistaMizer\old\comctl32.dll
[-] 2004-08-17 . 530FA054A59B141441144141EA3B0BF0 . 718848 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll

[-] 2008-04-14 . 5A80B641C10230FDE03DEAB04DCF5E0D . 3459072 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2008-04-14 . 5A80B641C10230FDE03DEAB04DCF5E0D . 3459072 . . [6.00.2900.5512] . . c:\windows\system32\mshtml.dll
[7] 2008-04-14 . DAF9947DE2A6EA20AE524B7C50487E57 . 3066880 . . [6.00.2900.5512] . . c:\windows\VistaMizer\old\mshtml.dll
[-] 2004-08-17 . 66AFA007315E576CDC967FEA67600B51 . 3396096 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\mshtml.dll

[-] 2008-04-14 . D132F083D135AD60372D9A635F1D09F1 . 2404864 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2008-04-14 . D132F083D135AD60372D9A635F1D09F1 . 2404864 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe
[7] 2008-04-14 . 27C7A7AED8A477F6A0C7D3AD00AB9419 . 2147328 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\ntoskrnl.exe
[-] 2004-08-17 . 3AC37CC753B2B1AC54803EBBDB9FD371 . 2407936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ntoskrnl.exe

[-] 2008-04-14 . 37C25AFBBB754900D7A0ECE12A1D93A2 . 812032 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-04-14 . 37C25AFBBB754900D7A0ECE12A1D93A2 . 812032 . . [6.00.2900.5512] . . c:\windows\system32\wininet.dll
[7] 2008-04-14 . 3FE5E65A7ED9EC98AEE9167CA07812D3 . 667136 . . [6.00.2900.5512] . . c:\windows\VistaMizer\old\wininet.dll
[-] 2004-08-17 . 23563739DC3C1E6D31D5DC154C6C67C4 . 802304 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\wininet.dll

[-] 2008-04-14 . B720487896E2D91DA23E59820F718E34 . 1552384 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . B720487896E2D91DA23E59820F718E34 . 1552384 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . 27AFD587C462E280EE046B8CCA3C2CD1 . 1034240 . . [6.00.2900.5512] . . c:\windows\VistaMizer\old\explorer.exe
[-] 2004-08-17 . 48D7D12BBCB99024FC792628AC1AA7B9 . 1550848 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2008-04-14 . D8152865F2A59D765AF8317E38AA5FB4 . 25088 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . D8152865F2A59D765AF8317E38AA5FB4 . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . A756B8F0F7BAFBA6DFE39F7D169F2519 . 15360 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\ctfmon.exe
[-] 2004-08-17 . 5050A0B550CCF3FFBC3DAD33524A4DC1 . 25088 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 . 160A38F8D31AE8B7702F363432556741 . 2283520 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2008-04-14 . 160A38F8D31AE8B7702F363432556741 . 2283520 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
[7] 2008-04-14 . 9F12E026DC0B0C43F521114EFB3A3ACC . 2025984 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\ntkrnlpa.exe
[-] 2004-08-17 . 8B9DE3C360966A1F959B07EDE7C56A72 . 2274816 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GAINWARD"="c:\program files\EXPERTool\TBPanel.exe" [2009-02-03 2181672]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WiseStubReboot"="MSIEXEC" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-12 13680640]
"nwiz"="nwiz.exe" [2009-02-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-12 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"BigDog305"="c:\windows\VM305_STI.EXE" [2007-04-09 57344]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-10-20 111928]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 25088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-14 100352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgupdate]
2009-12-23 03:10 971030 --sh--r- c:\windows\msnmsgupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2009-04-17 12:33 54576 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-03-24 16:01 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-30 01:04 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Games\\C&C First decade\\Command & Conquer(tm) Generals\\game.dat"=
"d:\\Games\\Red Alert 3\\Data\\ra3_1.0.game"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Games\\Steam\\Steam.exe"=
"d:\\Games\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.exe"=
"d:\\Games\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.174.exe"=
"d:\\Games\\Steam\\steamapps\\common\\zero gear\\Server\\iw4mp.166.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [26.3.2009 17:23 721904]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
R3 ZSMC0305;A4 TECH PC Camera V;c:\windows\system32\drivers\usbVM305.sys [24.12.2009 23:46 391688]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Jirka\LOCALS~1\Temp\AQNE1E.tmp --> c:\docume~1\Jirka\LOCALS~1\Temp\AQNE1E.tmp [?]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [16.1.2008 9:58 65024]
S3 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [21.4.2007 13:54 52080]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1.10.2006 13:37 26624]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2.1.2010 20:31 23480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 11:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-01-08 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 13:13]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Settings,ProxyServer = 192.168.1.5:3128
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath - c:\documents and settings\Jirka\Data aplikací\Mozilla\Firefox\Profiles\ixm6nexx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2148694&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
AddRemove-HijackThis - c:\documents and settings\Jirka\Local Settings\Temporary Internet Files\Content.IE5\FIIJOZK6\HijackThis.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 21:53
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcy.sys >>UNKNOWN [0x8B007938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9e66cb8
\Driver\atapi -> atapi.sys @ 0xb9dfbb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9d16bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d23a21
SendHandler -> NDIS.sys @ 0xb9d0187b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Jirka\LOCALS~1\Temp\AQNE1E.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1196)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1252)
c:\windows\system32\setupapi.dll
c:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-01-13 21:55:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-01-13 20:55

Před spuštěním: Volných bajtů: 13 692 813 312
Po spuštění: Volných bajtů: 13 639 954 432

- - End Of File - - AD6EBEC96582B4F2F1CCF920DF46EC00

[Rudy]

Pod "Ostatní výmazy" najdete smazané infikované položky. Ještě poprosím o sken MBR: http://www2.gmer.net/mbr/mbr.exe a log z něj.

[georgdj]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[Rudy]

Je čistý a tím i PC.

[georgdj]

Opravdu moc děkuji. Jste jednička

[georgdj]

Opravdu moc děkuji. Jste jednička

[Rudy]

Rádo se stalo!