Hi,
a friend asked me to clean up his PC. Unfortunately I can't work it out. SmitfraudFix somehow can't be downloaded, and HijackThis shows a lot of items that I don't recognise and am afraid to remove. Thanks in advance for any help.
Logfile of HijackThis v1.99.1
Scan saved at 15:15:32, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Video Add-on\icmntr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Shimy\Desktop\HUTO\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Online TV Toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnl1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Online TV Toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnl1.dll
O2 - BHO: (no name) - {43BF8E0C-886D-4103-8DDB-2DFE0E8A0168} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: Online TV Toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnl1.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSecureAv\bm.exe" dm=http://winsecureav.com; ad=http://winsecureav.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\WinSecureAv\rtasks.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [8hands] "C:\Program Files\8hands\8hands.exe"
O4 - Startup: Personal Player.lnk = C:\Program Files\Web Hottest Videos Personal Player\Gina Lynn Web hottest videos personal player.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Please check my log
- snapcase
- Beginner
- Registered: 28 Oct 2004
- Location: Bratislava - Rosenheim
"So when hell is at the gates, who will stand and meet the waves
and take the fight to their graves to end the dark campaign?"
♪♫last.fm♫♪
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Re: Please check my log
Pretty bad!
Do the following in order.
Download and run SmitfraudFix:
http://www.viry.cz/forum/viewtopic.php?t=16475
After that, apply ComboFix:
Download ComboFix
Your computer will be restarted during the scan.
After the restart it will create a log, saved in C:/Combofix.txt.
Paste its contents here.
Make a new HijackThis log.
Post the ComboFix and HijackThis logs here. Make the HJT log last!
- snapcase
- Beginner
- Registered: 28 Oct 2004
- Location: Bratislava - Rosenheim
SmitfraudFix can't be downloaded, or rather it says it cannot write to the disk. Unfortunately it doesn't work even when I downloaded it at home and brought it over on a USB stick.
So for now, ComboFix and HJT:
ComboFix 07-11-08.1 - Shimy 2007-11-09 14:50:02.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.287 [GMT 1:00]
Running from: C:\Documents and Settings\Shimy\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Shimy\Application Data\macromedia\Flash Player\#SharedObjects\R6K6686T\www.broadcaster.com
C:\Documents and Settings\Shimy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Shimy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\fnczfh.dll
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-09 14:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 14:57 <DIR> d-------- C:\Program Files\AntiSpywareShield
2007-11-07 13:34 <DIR> d-------- C:\Documents and Settings\Shimy\Application Data\WinSecureAv
2007-11-07 13:34 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-07 13:34 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-04 18:13 6,743,992 --a------ C:\Documents and Settings\Shimy\bsplayer223.953_clip.exe
2007-11-04 18:13 6,308,088 --a------ C:\Documents and Settings\Shimy\Firefox Setup 2.0.0.3.exe
2007-11-04 18:13 5,635,584 --a------ C:\Documents and Settings\Shimy\icq5_1_zoznam.exe
2007-10-28 23:00 <DIR> d-------- C:\Program Files\Online_TV
2007-10-28 23:00 <DIR> d-------- C:\Program Files\8hands
2007-10-28 21:32 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-10-28 21:31 <DIR> d-------- C:\NVIDIA
2007-10-28 21:31 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-10-28 20:47 <DIR> d-------- C:\WINDOWS\system32\1051
2007-10-28 20:47 61,440 --a------ C:\WINDOWS\system32\WMErrSKY.dll
2007-10-28 20:39 <DIR> d-------- C:\Program Files\totalcmd
2007-10-28 20:39 545 --a------ C:\WINDOWS\UC.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\RAR.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\PKZIP.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\LHA.PIF
2007-10-28 20:39 545 --a------ C:\WINDOWS\ARJ.PIF
2007-10-28 20:00 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-10-28 20:00 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-10-28 20:00 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-28 19:45 <DIR> d-------- C:\WINDOWS\pss
2007-10-28 19:08 <DIR> d-------- C:\Program Files\RealVNC
2007-10-28 19:08 19,968 --a------ C:\WINDOWS\system32\vncmirror.dll
2007-10-28 19:08 3,072 --a------ C:\WINDOWS\system32\drivers\vncmirror.sys
2007-10-19 12:12 <DIR> d-------- C:\Program Files\Common Files\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 13:51 --------- d-----w C:\Documents and Settings\Shimy\Application Data\Skype
2007-11-08 13:29 --------- d-----w C:\Program Files\RevConnect
2007-10-28 19:15 --------- d-----w C:\Documents and Settings\Shimy\Application Data\BSplayer Pro
2007-10-28 19:11 --------- d-----w C:\Program Files\Webteh
2007-10-28 18:51 --------- d-----w C:\Program Files\Spyware Terminator
2007-10-28 18:51 --------- d-----w C:\Program Files\Google
2007-10-28 18:51 --------- d-----w C:\Program Files\Comodo
2007-10-28 18:40 --------- d-----w C:\Program Files\Winamp
2007-10-28 18:38 --------- d-----w C:\Documents and Settings\Shimy\Application Data\BSplayer
2007-10-19 11:12 --------- d-----w C:\Program Files\Skype
2007-10-19 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-09-26 14:10 --------- d-----w C:\Program Files\Crawler
2007-09-17 20:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-12 19:51 --------- d-----w C:\Program Files\Easy CD-DA Extractor 10
2007-09-11 18:36 --------- d-----w C:\Program Files\ICQLite
2007-09-11 18:36 --------- d-----w C:\Documents and Settings\Shimy\Application Data\ICQLite
2007-05-05 20:00 6,308,088 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-03-30 15:35 11,323 ----a-w C:\Program Files\help.html
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-28 19:59]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-07 23:55]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comodo Firewall]
"C:\Program Files\Comodo\Firewall\CPF.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
"C:\WINDOWS\Temp\CTun.exe" "/remove"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 vncmirror;vncmirror;C:\WINDOWS\system32\DRIVERS\vncmirror.sys
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 14:52:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 14:53:37 - machine was rebooted
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 14:58:08, on 9.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shimy\Desktop\HUTO\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
By the way, I noticed that the firewall and the antivirus are probably turned off; I don't know what is causing it. Thanks for now, and if anyone still feels like it, I'll welcome further suggestions.
Last edited by snapcase on Sun 11 Nov 2007, 11:23; edited 1 time in total.
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Fix these in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
Test these on virustotal.com:
C:\WINDOWS\system32\WMErrSKY.dll
C:\Program Files\Skype\Phone\IEPlugin\unins000.exe
C:\WINDOWS\system32\DRIVERS\vncmirror.sys
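Comparing the HijackThis log taken before ComboFix with the one taken after it shows which entries the cleanup removed and which leftovers still point at missing files. The following is an added example, not part of the original thread: a small Python parser run over excerpts of the two logs posted above; the function names are illustrative.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpts copied from the first HijackThis log in this thread (before ComboFix).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R3 - URLSearchHook: Online TV Toolbar - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - C:\Program Files\Online_TV\tbOnl1.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O4 - HKLM\..\Run: [rtasks] C:\Program Files\WinSecureAv\rtasks.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Excerpts copied from the second HijackThis log in this thread (after ComboFix).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Compare two logs: entries that disappeared, appeared, or stayed."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "kept": sorted(a & b),
    }


def orphaned(entries):
    """Entries HijackThis itself tagged '(file missing)': the registry
    reference is still there but the file it points to is gone."""
    return sorted(e for e in entries if e[1].endswith("(file missing)"))


if __name__ == "__main__":
    result = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added", "kept"):
        print(f"--- {label} ({len(result[label])}) ---")
        for section, detail in result[label]:
            print(f"{section} - {detail}")
    print("--- still orphaned after cleanup ---")
    for section, detail in orphaned(parse_entries(AFTER_LOG)):
        print(f"{section} - {detail}")
```
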