NOD32 - system freezes when a USB device is connected
- tomperys
- Newbie
- Registered: 21 Feb 2008
NOD32 - system freezes when a USB device is connected
Hello,
I had a problem connecting any USB disk to my new notebook. Flash drives worked, a USB mouse, an MP3 player... but as soon as it was something like a 200GB disk, that was the end of it. In safe mode it worked, in DOS it worked. In the end I found out that NOD32 v.3+ is causing it. When I turn it off completely, the disk mounts without any problem. But when it is on, not only does the disk not mount, the system freezes. I can open windows like Control Panel, My Computer... but as soon as I want to launch something or shut down/restart, nothing happens and I have to power off with the hard OFF button.
I tried playing with the NOD32 settings and unchecking removable devices and network drives in real-time protection; I left local drives on, because otherwise it would not even protect the system drive. But it did not help. I don't know what to do with it.
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Re: NOD32 - system freezes when a USB device is connected
Hi.
Make an HJT log and post it here.
Click the link here:
http://www.trendsecure.com/portal/en-US ... hijackthis
Download it to the desktop, run it, and in the menu click "DO A SYSTEM SCAN AND SAVE A LOGFILE". A log will open in Notepad. Copy the whole thing here.
- tomperys
- Newbie
- Registered: 21 Feb 2008
HERE IT IS
PS: I should note that this is a clean installation straight from Dell; it arrived the day before yesterday... I have not been online with it, I have not copied anything onto it, and the only thing I installed on it was NOD32.
Logfile of HijackThis v1.99.1
Scan saved at 21:35:23, on 21.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Tomi\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/defau ... l=cs&s=bsd
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/defau ... l=cs&s=bsd
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/defau ... l=cs&s=bsd
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
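A small triage script for HijackThis logs in the format posted above, added here as an example and not part of HijackThis, ESET or this thread. It parses the O4, O20 and O23 lines and flags the ones a reviewer would look at first; the flagging rules are my own assumptions, and the sample lines are an excerpt of the log above.

```python
"""Parse HijackThis v1.99.1 O4/O20/O23 lines and flag entries worth a second look.

Added example for this thread. The triage rules below (service file missing,
unknown service owner, Winlogon notify DLL, autostart command that is a bare
filename or an unresolved shortcut) are my own heuristics, not HijackThis's.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the HJT log posted in this thread (lines copied as they appear).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Bluetooth Manager.lnk = ?
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Unknown owner - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# One regex per HJT section we care about; names are the [Value] or service name.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Directories a stock OEM install keeps its autostart binaries in (assumption).
STANDARD_ROOTS = (r"c:\program files", r"c:\windows")


@dataclass
class Finding:
    section: str
    name: str
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, without quotes or arguments.

    Unquoted paths with spaces (C:\\Program Files\\...) are cut at the first
    .exe/.dll/.cpl token rather than at the first space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|cpl))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Walk the log and return a Finding for every entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)) or (m := STARTUP_RE.match(line)):
            exe = executable_of(m["cmd"])
            reasons = []
            if exe == "?":
                reasons.append("shortcut target unresolved")
            elif not re.match(r"^[a-z]:\\", exe, re.IGNORECASE):
                # A bare name is resolved through the search path at logon time,
                # so the file that actually runs depends on PATH order.
                reasons.append("bare filename resolved via search path")
            elif not exe.lower().startswith(STANDARD_ROOTS):
                reasons.append("executable outside Program Files / Windows")
            if reasons:
                findings.append(Finding("O4", m["name"], reasons))
        elif m := NOTIFY_RE.match(line):
            # Winlogon notification packages run inside winlogon.exe; always review.
            findings.append(Finding("O20", m["name"], ["DLL loaded by winlogon"]))
        elif m := SERVICE_RE.match(line):
            reasons = []
            if m["path"].endswith("(file missing)"):
                reasons.append("file missing")
            if m["owner"] == "Unknown owner":
                reasons.append("unknown owner")
            if reasons:
                findings.append(Finding("O23", m["name"], reasons))
    return findings


def findings_by_name(log_text: str) -> dict:
    """Convenience view: entry name -> list of reasons it was flagged."""
    return {f.name: f.reasons for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name}: {', '.join(f.reasons)}")
```

On the excerpt this flags the ASFIPmon service (file missing, unknown owner), the wltrysvc service (unknown owner), the gemsafe Winlogon DLL, the bare nwiz.exe entry and the unresolved Bluetooth Manager shortcut, and leaves Apoint, egui and ekrn alone.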
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Also make a ComboFix log; instructions here:
download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to the desktop
then run the application under an account with administrator rights
right after it starts, a screen with the licence terms appears; press the 1 key to continue
calmly go and make yourself a coffee (the whole thing takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through), follow the on-screen instructions, and during the scan do not try to launch any other applications or anything else
do not panic during the scan; your machine may be restarted (especially on the first run of the scanner)
warning: if you use Spyware Terminator, switch its resident shield to Install Mode, or disable it completely for the duration of the scan, because ComboFix tries to delete infected files during the scan and Spyware Terminator may block that
after the restart the application creates a log saved at C:/Combofix.txt (on repeated use the logs are named Combofix2.txt etc.); paste its contents here
- tomperys
- Newbie
- Registered: 21 Feb 2008
I'm on it right now, it'll be here in a moment
ComboFix 08-02-22 - Tomi 2008-02-21 22:08:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT 1:00]
Running from: F:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.
2008-02-22 22:10 . 2008-02-22 22:10 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-22 22:10 . 2006-08-21 10:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-22 22:10 . 2006-08-21 10:14 23,040 --a------ C:\WINDOWS\system32\SETC.tmp
2008-02-22 22:10 . 2006-08-21 10:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-22 22:10 . 2006-08-21 13:21 16,896 --a------ C:\WINDOWS\system32\SETD.tmp
2008-02-22 22:10 . 2006-08-21 13:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-21 20:09 . 2008-02-21 20:09 <DIR> d-------- C:\Documents and Settings\Tomi\Application Data\CyberLink
2008-02-21 20:09 . 2008-02-21 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-21 10:24 . 2008-02-21 10:24 <DIR> d-------- C:\Program Files\ESET
2008-02-21 10:24 . 2008-02-21 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-21 08:38 . 2007-10-26 04:36 8,454,656 --a------ C:\WINDOWS\system32\SETC8.tmp
2008-02-21 08:38 . 2007-10-29 11:26 115,712 --a------ C:\WINDOWS\system32\SETC9.tmp
2008-02-21 08:35 . 2007-04-18 17:12 2,854,400 --a------ C:\WINDOWS\system32\SET89.tmp
2008-02-21 08:35 . 2005-10-20 23:20 1,082,368 --a------ C:\WINDOWS\system32\SET7E.tmp
2008-02-21 08:29 . 2008-02-21 08:29 3,444 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-02-19 20:39 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-19 20:39 . 2008-02-19 20:39 4,128 --a------ C:\INFCACHE.1
2008-02-18 14:45 . 2008-02-14 12:38 <DIR> d-------- C:\Documents and Settings\Tomi\Application Data\Wave Systems Corp
2008-02-18 14:45 . 2008-02-14 12:26 <DIR> d-------- C:\Documents and Settings\Tomi\Application Data\InstallShield
2008-02-18 14:45 . 2008-02-21 08:29 <DIR> d--h----- C:\Documents and Settings\Tomi\Application Data\GTek
2008-02-18 14:45 . 2008-02-18 14:45 <DIR> d-------- C:\Documents and Settings\Tomi\Application Data\Dell
2008-02-18 14:41 . 2008-02-18 14:41 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-14 12:45 . 2008-02-14 12:45 61 --a------ C:\WINDOWS\smscfg.ini
2008-02-14 12:45 . 2008-02-14 12:45 0 --a------ C:\WINDOWS\tosOBEX.INI
2008-02-14 12:43 . 2008-02-14 12:43 <DIR> d-------- C:\Program Files\DellSupport
2008-02-14 12:43 . 2008-02-21 08:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-02-14 12:43 . 2008-02-14 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2008-02-14 12:42 . 2008-02-14 12:44 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-02-14 12:42 . 2008-02-14 12:42 <DIR> d-------- C:\Program Files\Roxio
2008-02-14 12:42 . 2008-02-14 12:42 <DIR> d-------- C:\Program Files\CyberLink
2008-02-14 12:42 . 2008-02-14 12:42 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-02-14 12:42 . 2008-02-14 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-02-14 12:42 . 2006-07-21 12:21 99,176 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2008-02-14 12:42 . 2006-08-18 14:17 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-02-14 12:42 . 2006-08-18 14:17 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-02-14 12:42 . 2006-08-11 12:05 51,768 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-02-14 12:42 . 2006-10-20 18:23 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-02-14 12:42 . 2006-08-11 11:35 28,184 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-02-14 12:42 . 2006-08-11 11:35 12,920 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-02-14 12:42 . 2008-02-14 12:42 120 --a------ C:\WINDOWS\wininit.ini
2008-02-14 12:41 . 2008-02-14 12:41 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-14 12:41 . 2008-02-14 12:41 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-02-14 12:41 . 2008-02-14 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-14 12:41 . 2005-11-02 12:24 36,864 --a------ C:\WINDOWS\system32\tpmddl.dll
2008-02-14 12:38 . 2008-02-14 12:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
2008-02-14 12:38 . 2007-11-08 23:49 1,769,472 --a------ C:\WINDOWS\system32\Tsp1.dll
2008-02-14 12:36 . 2008-02-14 12:36 <DIR> d-------- C:\Program Files\Fingerprint Sensor
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\WINDOWS\system32\GTwinUSB
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\WINDOWS\system32\GPinPad
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\WINDOWS\system32\GemPCKey
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\WINDOWS\system32\GemPCExp
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\WINDOWS\system32\GemPCCard
2008-02-14 12:35 . 2008-02-14 12:35 <DIR> d-------- C:\Program Files\Gemplus
2008-02-14 12:35 . 2007-09-07 10:57 80,368 --a------ C:\WINDOWS\system32\pbadrvdll.dll
2008-02-14 12:35 . 2007-09-07 10:57 26,608 --a------ C:\WINDOWS\system32\drivers\PBADRV.sys
2008-02-14 12:32 . 2008-02-14 12:32 <DIR> d-------- C:\WINDOWS\system32\Test
2008-02-14 12:32 . 2008-02-14 12:32 <DIR> d-------- C:\WINDOWS\system32\BioAPIFFDB
2008-02-14 12:32 . 2008-02-14 12:39 <DIR> d-------- C:\Program Files\Wave Systems Corp
2008-02-14 12:32 . 2008-02-14 12:32 <DIR> d-------- C:\Program Files\NTRU Cryptosystems
2008-02-14 12:32 . 2008-02-14 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
2008-02-14 12:32 . 2008-02-14 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
2008-02-14 12:32 . 2006-11-16 17:09 1,258,496 --a------ C:\WINDOWS\system\tfmessbsp.dll
2008-02-14 12:32 . 2005-10-25 19:57 143,360 --a------ C:\WINDOWS\system32\bioapi_mds300.dll
2008-02-14 12:32 . 2005-10-25 19:57 106,496 --a------ C:\WINDOWS\system32\bioapi100.dll
2008-02-14 12:28 . 2008-02-14 12:35 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Toshiba
2008-02-14 12:28 . 2007-10-09 05:17 806,912 --a------ C:\WINDOWS\system32\BCMLogon.dll
2008-02-14 12:28 . 2007-04-26 15:29 113,920 --a------ C:\WINDOWS\system32\drivers\tosrfbd.sys
2008-02-14 12:28 . 2007-04-26 15:29 73,600 --a------ C:\WINDOWS\system32\drivers\Tosrfhid.sys
2008-02-14 12:28 . 2007-04-26 15:29 64,896 --a------ C:\WINDOWS\system32\drivers\tosrfcom.sys
2008-02-14 12:28 . 2007-04-26 15:29 41,856 --a------ C:\WINDOWS\system32\drivers\tosrfusb.sys
2008-02-14 12:28 . 2007-04-26 15:29 41,600 --a------ C:\WINDOWS\system32\drivers\tosporte.sys
2008-02-14 12:28 . 2007-04-26 15:29 36,480 --a------ C:\WINDOWS\system32\drivers\tosrfbnp.sys
2008-02-14 12:28 . 2007-04-26 15:29 18,612 --a------ C:\WINDOWS\system32\drivers\tosrfnds.sys
2008-02-14 12:27 . 2008-02-14 12:27 <DIR> d-------- C:\Program Files\Broadcom
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Program Files\SigmaTel
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Program Files\NetWaiting
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Program Files\Modem Diagnostic Tool
2008-02-14 12:26 . 2008-02-14 12:42 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Program Files\Digital Line Detect
2008-02-14 12:26 . 2008-02-14 12:29 <DIR> d-------- C:\Program Files\Dell
2008-02-14 12:26 . 2008-02-14 12:42 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-14 12:26 . 2008-02-14 12:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-02-14 12:26 . 2007-02-19 00:26 4,939,776 --a------ C:\WINDOWS\system32\stacgui.cpl
2008-02-14 12:24 . 2008-02-14 12:24 <DIR> d-------- C:\Program Files\CONEXANT
2008-02-14 12:23 . 2004-08-04 06:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-14 12:23 . 2006-03-17 01:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-02-14 12:22 . 2005-11-10 14:03 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-02-14 12:21 . 2008-02-14 12:22 <DIR> d-------- C:\Program Files\Java
2008-02-14 12:21 . 2008-02-14 12:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-14 12:20 . 2008-02-14 12:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-14 12:20 . 2007-06-13 11:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2008-02-14 12:20 . 2007-07-09 14:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-14 12:20 . 2007-04-23 11:32 364,160 --------- C:\WINDOWS\system32\dllcache\update.sys
2008-02-14 12:20 . 2007-05-30 11:47 81,664 --------- C:\WINDOWS\system32\dllcache\videoprt.sys
2008-02-14 12:20 . 2007-05-03 11:27 78,720 --------- C:\WINDOWS\system32\dllcache\sdbus.sys
2008-02-14 12:20 . 2007-05-03 11:03 12,032 --------- C:\WINDOWS\system32\dllcache\sffdisk.sys
2008-02-14 12:20 . 2007-05-03 11:03 11,008 --------- C:\WINDOWS\system32\dllcache\sffp_sd.sys
2008-02-14 12:20 . 2007-05-03 11:03 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 11:02 6,824 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 13:09 460784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-09-19 19:25 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 16:50 8429568]
"nwiz"="nwiz.exe" [2007-05-31 16:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 16:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 16:50 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-07-20 17:55 1228800]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 00:26 303104 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 05:17 2183168]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 10:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 11:53 218424]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 15:05 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-01-11 21:43:46 2150400]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-02-14 12:26:31 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll 2006-11-16 16:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 10:57]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" [2006-12-19 15:21]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 18:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 10:55]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 13:32]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 06:00]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 10:18]
S3 SecureStorageService;SecureStorageService;"C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [2007-08-31 18:39]
S3 WaveEnrollmentService;WaveEnrollmentService;"C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe" [2007-09-13 15:31]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 22:18:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-22 22:19:45 - machine was rebooted
.
2008-02-21 07:28:57 --- E O F ---
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Copy this into Notepad:
File::
C:\WINDOWS\system32\SETC.tmp
C:\WINDOWS\system32\SETD.tmp
C:\WINDOWS\system32\SETC8.tmp
C:\WINDOWS\system32\SETC9.tmp
C:\WINDOWS\system32\SET89.tmp
C:\WINDOWS\system32\SET7E.tmp
Save it to the desktop as CFScript.txt. Grab CFScript.txt with the mouse, drag it over ComboFix and drop it, as in the picture. After the scan, post the log that pops up in Notepad here.
These files:
C:\WINDOWS\system32\OEMINFO.PNF
C:\WINDOWS\REGLOCS.OLD
C:\WINDOWS\smscfg.ini
C:\WINDOWS\system32\Tsp1.dll
C:\WINDOWS\system32\pbadrvdll.dll
C:\WINDOWS\system\tfmessbsp.dll
C:\WINDOWS\system32\drivers\1028_Dell_LAT_D630.mrk
C:\WINDOWS\tosOBEX.INI
Test them on virustotal.com. Upload and submit each one; scanning will then start. Copy the result of each scan here.
- tomperys
- Newbie
- Registered: 21 Feb 2008
I'll be adding them one at a time..... here, into this same reply, by editing it....
Soubor smscfg.ini přijatý 2008.02.22 13:15:16 (CET)
Současný stav: Dokončeno
Výsledek: 0/31 (0%)
Soubor 1028_Dell_LAT_D630.mrk_ přijatý 2008.02.22 14:41:57 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
Soubor tfmessbsp.dll_ přijatý 2008.02.22 14:51:42 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
Soubor pbadrvdll.dll přijatý 2008.02.22 15:00:41 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
Soubor Tsp1.dll přijatý 2008.02.22 15:05:55 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
Soubor REGLOCS.OLD_ přijatý 2008.02.22 15:18:10 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
Soubor OEMINFO.PNF přijatý 2008.02.22 15:29:27 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)
the last one was 0 B, so I didn't even upload it
otherwise, as for ComboFix, it restarted on me and nothing popped up, but in the folder on C: there was this in a txt file
ComboFix 08-02-22 - Tomi 2008-02-23 15:44:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.1432 [GMT 1:00]
Running from: C:\Documents and Settings\Tomi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tomi\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\SET7E.tmp
C:\WINDOWS\system32\SET89.tmp
C:\WINDOWS\system32\SETC.tmp
C:\WINDOWS\system32\SETC8.tmp
C:\WINDOWS\system32\SETC9.tmp
C:\WINDOWS\system32\SETD.tmp
.
and the second and only other txt file contains
\??\C:\ntdetect.com\0\0
\??\C:\boot.ini\0\0
\??\C:\ntldr\0\0
\??\C:\WINDOWS\0\0
\??\C:\WINDOWS\explorer.exe\0\0
\??\C:\WINDOWS\system32\csrss.exe\0\0
\??\C:\WINDOWS\system32\lsass.exe\0\0
\??\C:\WINDOWS\system32\services.exe\0\0
\??\C:\WINDOWS\system32\smss.exe\0\0
\??\C:\WINDOWS\system32\svchost.exe\0\0
\??\C:\WINDOWS\system32\userinit.exe\0\0
\??\C:\WINDOWS\system32\winlogon.exe\0\0
\??\C:\WINDOWS\system32\hal.dll\0\0
\??\C:\WINDOWS\system32\ntdll.dll\0\0
\??\C:\WINDOWS\system32\config\0\0
\??\C:\WINDOWS\system32\drivers\0\0
\??\C:\WINDOWS\system32\wbem\0\0
- tomperys
- Newbie
- Registered: 21 Feb 2008
ComboFix 08-02-22 - Administrator 2008-02-23 17:26:18.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1810 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\SET7E.tmp
C:\WINDOWS\system32\SET89.tmp
C:\WINDOWS\system32\SETC.tmp
C:\WINDOWS\system32\SETC8.tmp
C:\WINDOWS\system32\SETC9.tmp
C:\WINDOWS\system32\SETD.tmp
.
that's all.... and then
s/\x3b //g
s/C:\\WINDOWS\\system32\\rundll32\.exe //I
s/C:\\WINDOWS\\system32\\rundll32 //I
s/rundll32\.exe //I
s/rundll32 //I
s/\x22//g
s/^ +//
s/,.*//
s/<NO NAME>/@/
s/\t.*\t/\t/
s/\.exe .*/.exe/I
s/\.dll .*/.dll/I
s/\x25ProgramFiles\x25/C:\\Program Files/I
s/\x25systemroot\x25/C:\\WINDOWS/I
that's the only thing in the combofix folder on C: ..... there's nothing on the desktop or directly on C:, not even after running it in safe mode.... it finishes and restarts and then there's nothing there
- BUBINO
- Beginner
- Registered: 12 Jun 2007
- Location: I have one
Delete those files using Avenger: http://www.viry.cz/forum/viewtopic.php?t=19832
Into the window, following the guide, copy this:
Files to delete:
C:\WINDOWS\system32\SET7E.tmp
C:\WINDOWS\system32\SET89.tmp
C:\WINDOWS\system32\SETC.tmp
C:\WINDOWS\system32\SETC8.tmp
C:\WINDOWS\system32\SETC9.tmp
C:\WINDOWS\system32\SETD.tmp
The computer will restart. After the restart a log pops up; copy it here.
- tomperys
- Newbie
- Registered: 21 Feb 2008
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fxwqecep
*******************
Script file located at: \??\C:\Program Files\houytbdh.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\SET7E.tmp not found!
Deletion of file C:\WINDOWS\system32\SET7E.tmp failed!
Could not process line:
C:\WINDOWS\system32\SET7E.tmp
Status: 0xc0000034
File C:\WINDOWS\system32\SET89.tmp not found!
Deletion of file C:\WINDOWS\system32\SET89.tmp failed!
Could not process line:
C:\WINDOWS\system32\SET89.tmp
Status: 0xc0000034
File C:\WINDOWS\system32\SETC.tmp not found!
Deletion of file C:\WINDOWS\system32\SETC.tmp failed!
Could not process line:
C:\WINDOWS\system32\SETC.tmp
Status: 0xc0000034
File C:\WINDOWS\system32\SETC8.tmp not found!
Deletion of file C:\WINDOWS\system32\SETC8.tmp failed!
Could not process line:
C:\WINDOWS\system32\SETC8.tmp
Status: 0xc0000034
File C:\WINDOWS\system32\SETC9.tmp not found!
Deletion of file C:\WINDOWS\system32\SETC9.tmp failed!
Could not process line:
C:\WINDOWS\system32\SETC9.tmp
Status: 0xc0000034
File C:\WINDOWS\system32\SETD.tmp not found!
Deletion of file C:\WINDOWS\system32\SETD.tmp failed!
Could not process line:
C:\WINDOWS\system32\SETD.tmp
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
- Baron Prášil
- Beginner
- Registered: 08 Jun 2006
the files you're trying so hard to delete belong to the Windows installer.
Last edited by Baron Prášil on Wed 27 Feb 2008, 10:12, edited 2 times in total.
- tomperys
- Newbie
- Registered: 21 Feb 2008
But I don't understand why everyone here keeps going on about antivirus checks and spyware and that sort of thing... I don't get it...
it's a CLEAN install of XP; let me remind you that I never even connected it to the internet and didn't copy anything onto it, so nothing could have got in there... not to mention that I've already run everything imaginable over it, and it simply only happens when NOD v3.0 is installed and switched on; when I uninstall it, everything is fine.
- tomperys
- Newbie
- Registered: 21 Feb 2008
look, what else could it be when I have the factory XP install; as soon as it arrived I made an IMG of the disk ... I installed NOD v3.0 and I can't connect a single one of the USB disks, while a flash drive with only 512MB mysteriously works....
but when I restore that IMG back to a clean install without NOD it doesn't happen; when I install NOD it happens again, when I uninstall it it stops again.....
I've run the notebook and the disks through everything anyone here recommended... it found nothing, absolutely nothing, except the IPscan program on the removable disk, which it flagged as dangerous.... but it isn't on the other disk; that one came out completely clean in several programs and does exactly the same thing when I connect it with NOD active
EDIT:
I don't know, but to me this feels like someone saying the new car radio in their car doesn't work and me telling them to check whether they have enough oil.... that's how it seems to me ;DDDDDDD it's blatantly obvious what's causing the problem