WIN32/Alman.NAD

Ahojte, cize uz sa dva dni trapim s vyssie uvedenym "kamaratom" (WIN32/Alman.NOD), nasla sm si aj nejake veci na forach, no ani podla tamtych navodov sa ho zbavit neviem. uz si zavolal na pomoc aj "kamosov" WIN32/PSW.OnLineGames.MUG a WIN32/TrojanDownloader.Murto.NN. nod ich sice zakazdym najde, ja ich dam zmazat, ale oni su tam znova. kedze ten Alman napada absolutne vsetky subory .exe,tak sa chcem opytat, ci je vobec mozne si este pred uplnym preinstalovanim Windowsu urobit zalohu instalaciek, kedze aj to su vsetko .exe subory. uz som sa nejako vzdala moznosti,ze by som ich iba tak dala von z pc. dufam,ze mi pomozete nejako. tak prajem pekny den a hlavne malo "kamaratov"

poprosim o log z Hijackthis a Combofix:
navod: http://www.pcforum.sk/cistime-napadnuty ... 27265.html

poslem,vsetko poslem,,ale az vecer,, som momentalne totiz v parci.. inak tym programom Hijackthis som vymazala vsetko,,co podla navodu ten virus vytvara, potom som to dala prebehnut nodom a bolo vsetko v poriadku.no asi o 20 minut to bolo vsetko spat. si ochotny mi pomoct vecer? asi okolo deviatej?

vtedy budem v praci pridem az o 02:00, ale tak budu tuna dalsi ludia a urcite pomozu....hlavne tie logy nezabudni

aaaaach, my pracujuci ludia ( dobre,dakujem a nech ti to v praci zbehne

tak teda posielam,,dakujem za pomoc ))

Logfile of HijackThis v1.99.1
Scan saved at 20:11:02, on 28. 5. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Fixni:


O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll


O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll


INAC MAS 2 ANITIVIRUSAKY, NACO?? ODINSTALUJ AVASTA, NECHAJ NOD

Je potrebny aj log z combofixu, nech vyhodime toho zlteho smejda

navod: http://www.pcforum.sk/cistime-napadnuty ... 27265.html

dobre dakujem,,ja zas az vecer,som cely den v robote,asi sa zas nestretneme DD inak dva antiviraky mam,lebo som uz zufala a ten vas navod uz viem aj o polnoci

tuna je log z komobfixu :

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 11:47:41.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.487 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-28 22:55 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 06:22 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-30 06:22 13,824 ----a-w C:\WINDOWS\AppPatch\Jview.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
2008-05-30 09:12 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [2008-05-30 08:22 13824]
"ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [2008-05-30 09:12 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

*Newly Created Service* - 3983671ERRORCONTROL
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 11:49:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 11:50:13
ComboFix-quarantined-files.txt 2008-05-30 09:50:05

Adresářů: 9, Volných bajtů: 72,343,740,416
Adresářů: 12, Volných bajtů: 74,083,340,288

133

no a tuna je log z Hijacku ... tie tri procesy, su v plnej parade nazad

Logfile of HijackThis v1.99.1
Scan saved at 11:54:39, on 30. 5. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ICQ6\ICQ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

najprv si vypni antivirak

Pozri si sekciu Combofix a SPUSTENIE SCRIPTU: http://www.pcforum.sk/cistime-napadnuty ... 27265.html
postupuj podla navodu a toto vloz do scriptu:



novy log vloz sem

potom toto fix v hjt logu:
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

log z combofixu po spusteni scriptu ...

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:28:24.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.507 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viki a Tanicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 10:11 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:22:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
- 2008-05-30 06:06:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
+ 2008-05-30 10:22:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:30:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:30:32
ComboFix-quarantined-files.txt 2008-05-30 10:30:22
ComboFix2.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,778,506,752
Adresářů: 11, Volných bajtů: 75,769,786,368

136


v hijacku fixnute a zaroven aj pomocou killboxu mazane (tie tri procesy) ... neviem ci trebalo ale stalo sa

takze znova chybicka se vloudila urob to iste a bude to ok

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:38:34.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.511 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 10:11 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:34:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:34:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:40:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:40:47
ComboFix-quarantined-files.txt 2008-05-30 10:40:39
ComboFix2.txt 2008-05-30 10:30:33
ComboFix3.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,776,208,896
Adresářů: 11, Volných bajtů: 75,767,455,744

134
combofix log
tamto v hijacku fixnute a nasledne este zmazane v killboxe

ale musis to urobit s tymto scriptom co je hore cize rovnaky postup so scriptom, ale do scriptu vlozis to, co je nadomnou...ale predtym si vypni Antivirak..

toto je log po tom druhom scripte ... tamto bol preklep mensi :/

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:45:06.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.494 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viki a Tanicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\MicroSoft.bat
C:\MicroSoft.vbs
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\MicroSoft.bat
C:\MicroSoft.vbs
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:34:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:34:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:46:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:46:41
ComboFix-quarantined-files.txt 2008-05-30 10:46:32
ComboFix2.txt 2008-05-30 10:40:49
ComboFix3.txt 2008-05-30 10:30:33
ComboFix4.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,753,979,904
Adresářů: 11, Volných bajtů: 75,746,234,368

148


v hijacku uy neni nic z tej trojice ... akurat potom Nod este vyhadzuje nejaky Eicar testovaci subor ze sa mu nepaci

trojana uz nemas, teraz si uz len prescanuj PC Nodom, vycisti Temp adresar, prejdi system CCleanerom....antispywarom nejakym,,, pravidelna udrzba dolezita:)

//inak si to nemusela ani mazat v killboxe, combofix by to vyriesil ale zase aspon si sa naucila nieco nove

tak tento kamos je tu este vzdy na nepozvanej navsteve WIN32/TrojanDownloader.Murto.NN

WIN32/TrojanDownloader.Murlo.NN pardoon

postupuj podla navodu:
http://www.viry.cz/forum/viewtopic.php?t=16475

WIN32/TrojanDownloader.Murlo.NN, nejako sa mu tu paci frajerovi ... este stale je tu ...
SmitFraud bol spusteny presne podla navodu, no nepomohlo, pri scane Nodom ho stale najde

ale kde ti ho najde? daj vypis o infiltracii