!HELP! TrojanDropper.Agent.DGO virus

warstar · Příspěvek od **warstar** » pát 11. led 2008, 00:11

Někde jsem si natáhnul tenhle hnusný šmejd. S pomocí Combofixu se mi jej podařilo trochu usměrnit, ale pořád to není ono:
-po restartu mi vyskakuje přes 10 DOSových oken, s tím, že nejde něco spustit (teď už jen problesknou a samy zmizí)
-musel jsem znovuinstalovat/opravit NOD32
-v NODu ale zůstávají pořád v karanténě nějaké soubory(trojani)
-bohužel nejde pomocí bodu obnovení vrátit systém zpět

můžete mi prosím někdo poradit, co mám dělat, jak se toho zbavit?

Díky všem

warstar · Příspěvek od **warstar** » pát 11. led 2008, 09:38

ještě přidávám log:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:16, on 11.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Others\Dočasně\activesync 4_5\Wcescomm.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Others\DOASN~1\ACTIVE~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\AnyDATA\EasyWirelessNet\EasyWirelessNet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [FIPSMON] "C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe" /SYSTRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Others\Dočasně\activesync 4_5\Wcescomm.exe"
O4 - Startup: Thoosje Vista Sidebar.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Others\DOASN~1\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Others\DOASN~1\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Others\DOASN~1\ACTIVE~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C02EC32-13F0-43E8-9989-609662CFDD52}: NameServer = 160.218.10.200 160.218.43.200
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

BUBINO · Příspěvek od **BUBINO** » pát 11. led 2008, 23:08

Pekny den. Urobte log z ComboFixu:

stahnete a ulozte na plochu ComboFix

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, stisknete klavesu 1 pro pokracovani

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), postupujte dle pokynu na obrazovce, behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate Spyware Terminator, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze se pri skenu Combofix pokousi infikovane soubory smazat a Spyware Terminator tomu muze branit

po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

warstar · Příspěvek od **warstar** » ned 13. led 2008, 15:27

Projel jsem to programem MWAV a ten napsal: 1.
Potom jsem dal Combofix a log je tady: 2.
Je tam ještě něco? (případně co s tím?
Díky moc

1.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svcd\svchost.exe je infikovaný virem Trojan-Proxy.Win32.Fackemo.g !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\alt.exe.exe je infikovaný virem Trojan.Win32.Agent.dvv !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\alt.exe.exe je infikovaný virem Trojan.Win32.Agent.dvv !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\System32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\System32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\System32\svchost.exe:ext.exe je infikovaný virem Trojan.Win32.Agent.dur !! Provedené akce: Nic nebylo provedeno.

2.
ComboFix 08-01-09.2 - david 2008-01-13 15:15:14.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1628 [GMT 1:00]
Running from: C:\Documents and Settings\david\Plocha\ComboFix.exe
.
ADS - svchost.exe: deleted 25600 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.tmp
C:\7.tmp
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\drivers\LEL36.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tmp32.tmp
C:\WINDOWS\system32\winsub.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCI
-------\LEGACY_LEL36
-------\LEGACY_PROTECT
-------\LEGACY_SYMAVC32
-------\LEGACY_SYSLIBRARY
-------\FCI
-------\protect

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 15:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 11:25 . 2004-08-17 14:49 147,968 --a------ C:\WINDOWS\R.COM
2008-01-13 11:25 . 2004-08-17 14:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-01-13 11:25 . 2008-01-13 11:30 50 --a------ C:\WINDOWS\Lic.xxx
2008-01-12 09:50 . 2008-01-12 09:50 29 --a------ C:\WINDOWS\system32\idaufuqd.tmp
2008-01-12 09:48 . 2008-01-12 09:48 540 --a------ C:\9.tmp
2008-01-12 09:48 . 2008-01-12 09:48 0 --a------ C:\E.tmp
2008-01-12 09:48 . 2008-01-12 09:48 0 --a------ C:\D.tmp
2008-01-12 09:48 . 2008-01-12 09:48 0 --a------ C:\C.tmp
2008-01-12 09:48 . 2008-01-12 09:48 0 --a------ C:\B.tmp
2008-01-12 09:48 . 2008-01-12 09:48 0 --a------ C:\A.tmp
2008-01-11 22:17 . 2008-01-11 22:17 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-11 22:17 . 2008-01-11 22:17 34,816 --a------ C:\winwwhc.exe
2008-01-11 22:17 . 2008-01-13 15:06 114 --a------ C:\WINDOWS\system32\url3
2008-01-11 22:17 . 2008-01-13 15:06 102 --a------ C:\WINDOWS\system32\url2
2008-01-11 22:17 . 2008-01-13 15:06 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 22:17 . 2008-01-13 15:06 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 22:17 . 2008-01-11 22:17 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 22:03 . 2008-01-11 22:12 <DIR> d-------- C:\Program Files\ICQ6
2008-01-11 17:20 . 2008-01-11 17:20 <DIR> d-------- C:\Program Files\Rockstar Games
2008-01-09 21:22 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-01-09 19:38 . 2008-01-09 19:38 <DIR> d---s---- C:\Documents and Settings\david\UserData
2008-01-09 19:05 . 2005-04-06 03:22 100,096 --a------ C:\WINDOWS\system32\nvtcp.sys
2008-01-09 19:04 . 2008-01-09 19:04 <DIR> d-------- C:\Program Files\AMD
2008-01-07 23:19 . 2008-01-09 20:51 <DIR> d-------- C:\Program Files\OpenAL
2008-01-07 23:15 . 2008-01-07 23:15 <DIR> d-------- C:\Program Files\Bohemia Interactive
2008-01-06 19:37 . 2008-01-07 21:45 <DIR> d-------- C:\Program Files\TrackMania Nations ESWC
2008-01-06 17:14 . 2008-01-12 13:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-06 12:53 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-06 12:45 . 2008-01-05 17:12 <DIR> d--h----- C:\Documents and Settings\martin\ćablony
2008-01-06 12:45 . 2008-01-11 22:27 <DIR> d-------- C:\Documents and Settings\martin\Plocha
2008-01-06 12:45 . 2008-01-05 18:04 <DIR> d--h----- C:\Documents and Settings\martin\Okolnˇ tisk rny
2008-01-06 12:45 . 2008-01-05 18:04 <DIR> d--h----- C:\Documents and Settings\martin\Okolnˇ sˇś
2008-01-06 12:45 . 2008-01-06 12:45 <DIR> dr------- C:\Documents and Settings\martin\Oblˇben‚ polo§ky
2008-01-06 12:45 . 2008-01-05 18:04 <DIR> dr------- C:\Documents and Settings\martin\Nabˇdka Start
2008-01-06 12:45 . 2008-01-11 22:42 <DIR> dr------- C:\Documents and Settings\martin\Dokumenty
2008-01-06 12:45 . 2008-01-12 20:07 <DIR> dr-h----- C:\Documents and Settings\martin\Data aplikacˇ
2008-01-06 12:41 . 2008-01-06 12:41 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2008-01-06 12:41 . 2008-01-06 12:40 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-01-06 12:13 . 2008-01-06 12:14 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-06 10:59 . 2008-01-06 10:59 <DIR> d-------- C:\Program Files\Nero
2008-01-06 00:47 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-06 00:47 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-06 00:46 . 2004-06-15 07:00 116,736 --a------ C:\WINDOWS\system32\CNMLM61.DLL
2008-01-06 00:46 . 2004-06-04 17:34 86,016 -ra------ C:\WINDOWS\system32\CNMCP61.exe
2008-01-06 00:46 . 2004-06-15 07:00 7,680 --a------ C:\WINDOWS\system32\CNMVS61.DLL
2008-01-06 00:45 . 2008-01-06 00:47 <DIR> d-------- C:\Program Files\Canon
2008-01-06 00:41 . 2008-01-06 12:53 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-06 00:41 . 2005-10-21 02:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-01-06 00:41 . 2005-10-21 02:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-01-06 00:30 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-06 00:30 . 2008-01-06 00:30 390 --a------ C:\WINDOWS\ODBC.INI
2008-01-06 00:29 . 2008-01-06 00:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-06 00:16 . 2005-08-18 17:52 289,792 --a------ C:\WINDOWS\system32\idecoins.dll
2008-01-06 00:16 . 2005-08-18 10:52 289,792 --a------ C:\WINDOWS\system32\idecoi.dll
2008-01-06 00:16 . 2005-09-28 11:08 176,128 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-01-06 00:16 . 2005-09-28 11:08 176,128 --------- C:\WINDOWS\system32\nvuide.exe
2008-01-06 00:16 . 2005-08-18 17:52 93,568 --a------ C:\WINDOWS\system32\drivers\nvata.sys
2008-01-06 00:16 . 2005-08-03 07:52 33,280 --a------ C:\WINDOWS\system32\NVCOI.DLL
2008-01-06 00:16 . 2005-06-30 00:26 1,537 --------- C:\WINDOWS\system32\nvide.nvu
2008-01-06 00:16 . 2005-09-22 16:29 1,391 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-01-06 00:14 . 2004-01-03 12:45 635,094 --a------ C:\WINDOWS\system32\MS7125.bmp
2008-01-06 00:14 . 2005-03-09 15:53 42,496 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-01-06 00:14 . 2004-01-03 13:39 258 --a------ C:\WINDOWS\system32\raidmgmt.ini
2008-01-06 00:01 . 2008-01-06 00:01 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-06 00:01 . 2008-01-06 00:01 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-06 00:01 . 2008-01-06 00:01 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-06 00:01 . 2008-01-07 13:53 60,416 --a------ C:\WINDOWS\ALCFDRTM.VER
2008-01-06 00:01 . 2008-01-06 00:01 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2008-01-05 23:57 . 2008-01-05 23:57 <DIR> d-------- C:\Program Files\Realtek AC97
2008-01-05 23:57 . 2008-01-11 22:07 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 23:02 . 2008-01-05 23:02 <DIR> d-------- C:\Program Files\Eraser
2008-01-05 23:02 . 2008-01-05 23:02 155,648 --a------ C:\WINDOWS\system32\stuninstall.exe
2008-01-05 22:25 . 2005-07-14 20:37 217,159 --a------ C:\WINDOWS\Grassy.jpg
2008-01-05 22:19 . 2008-01-05 22:19 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-05 22:19 . 2008-01-05 22:19 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-05 22:17 . 2008-01-05 22:17 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-05 21:58 . 2008-01-09 19:03 <DIR> d-------- C:\ovladaźe
2008-01-05 21:51 . 2008-01-05 21:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-05 21:50 . 2008-01-05 21:50 <DIR> d-------- C:\WINDOWS\nview
2008-01-05 21:50 . 2008-01-05 21:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-05 21:50 . 2008-01-05 21:50 <DIR> d-------- C:\NVIDIA
2008-01-05 21:50 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-01-05 21:50 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-05 21:50 . 2008-01-05 22:06 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-05 21:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-05 18:31 . 2008-01-05 18:31 512 --a------ C:\WINDOWS\system32\DcppOLBS.dat
2008-01-05 18:07 . 2004-08-17 16:49 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-05 18:07 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-01-05 18:06 . 2004-08-17 16:49 75,264 --a------ C:\WINDOWS\system32\usbui.dll
2008-01-05 18:06 . 2004-08-17 16:43 58,240 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-01-05 18:06 . 2001-08-17 22:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-01-05 18:04 . 2008-01-12 13:37 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-01-05 18:04 . 2008-01-05 17:12 <DIR> d--h----- C:\Documents and Settings\Default User\ćablony
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> d-------- C:\Documents and Settings\Default User\Plocha
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> d--h----- C:\Documents and Settings\Default User\Okolnˇ tisk rny
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> d--h----- C:\Documents and Settings\Default User\Okolnˇ sˇś
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> d-------- C:\Documents and Settings\Default User\Oblˇben‚ polo§ky
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> dr------- C:\Documents and Settings\Default User\Nabˇdka Start
2008-01-05 18:04 . 2008-01-05 18:04 <DIR> d-------- C:\Documents and Settings\Default User\Dokumenty

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 08:48 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-01-09 20:22 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-01-09 20:22 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-05 16:23 --------- d-----w C:\Program Files\DIFX
2008-01-05 16:23 --------- d-----w C:\Program Files\AnyDATA
2008-01-05 16:16 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 00:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 00:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 00:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 00:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 00:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 00:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 00:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 00:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 00:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 00:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 00:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 00:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 00:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 00:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 00:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 00:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 00:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 00:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 00:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 00:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 00:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 00:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 00:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 00:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 00:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 00:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 00:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 00:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 00:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 16:50 1289000]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 15:55 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 15:55 1057328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 14:49 15360]

R0 pe3agmlb;Armed Assault Environment Driver (pe3agmlb);C:\WINDOWS\system32\drivers\pe3agmlb.sys [2007-06-04 20:01]
R0 ps6agmlb;Armed Assault Synchronization Driver (ps6agmlb);C:\WINDOWS\system32\drivers\ps6agmlb.sys [2007-06-04 20:01]
R0 sfdrv02;FrontLine Environment Driver (v2);C:\WINDOWS\system32\drivers\sfdrv02.sys [2006-09-11 12:57]
R0 sfsync05;FrontLine Synchronization Driver (v5);C:\WINDOWS\system32\drivers\sfsync05.sys [2006-08-11 17:09]
R2 FGQM;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-11 22:17]
R3 adusbser;AnyDATA USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\adusbser.sys [2006-10-23 02:36]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 22:08]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]
S2 pr2agmlb;Armed Assault Drivers Auto Removal (pr2agmlb);C:\WINDOWS\system32\pr2agmlb.exe svc []
S2 sfrem02;FrontLine Drivers Auto Removal (v2);C:\WINDOWS\system32\sfrem02.exe svc []
S3 SetupNTGLM7X;SetupNTGLM7X;H:\NTGLM7X.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 15:18:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\lrito.ini 32493 bytes
C:\WINDOWS\system32\lrito6e56-2f5f.sys 129792 bytes executable
C:\WINDOWS\system32\drivers\ntio922.sys 37632 bytes executable
C:\WINDOWS\system32\drivers\ndisaluo.sys 7040 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\lrito6e56-2f5f]
"ImagePath"="\??\C:\WINDOWS\system32\lrito6e56-2f5f.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ndisaluo]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\ndisaluo.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ntio922]
"ImagePath"="system32\Drivers\ntio922.sys"
.
Completion time: 2008-01-13 15:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 14:19:09

BUBINO · Příspěvek od **BUBINO** » ned 13. led 2008, 18:29

Chlape, kde ste preboha lezl? Vas pocitac je na neuverenie.

Stiahnite si avenger tu :
http://www.viry.cz/forum/viewtopic.php?t=19832
Ulozte ho do c:\ a restartujte pocitac do nudzoveho rezimu.

Podla navodu sa dopracujte k tomu bielemu oknu a do neho skopirujte toto dole :

Files to delete:
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\NirCmd.exe
C:\WINDOWS\system32\T.COM
C:\WINDOWS\Lic.xxx
C:\WINDOWS\system32\idaufuqd.tmp
C:\E.tmp
C:\E.tmp
C:\D.tmp
C:\C.tmp
C:\B.tmp
C:\A.tmp
C:\winwwhc.exe
C:\WINDOWS\system32\url3
C:\WINDOWS\system32\url2
C:\WINDOWS\system32\url1
C:\WINDOWS\system32\CID
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\DcppOLBS.dat
C:\WINDOWS\system32\lrito.ini
C:\WINDOWS\system32\lrito6e56-2f5f.sys
C:\WINDOWS\system32\drivers\ntio922.sys
C:\WINDOWS\system32\drivers\ndisaluo.sys

Folders to delete:
C:\WINDOWS\system32\svcd

Registry values to delete:
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\lrito6e56-2f5f |ImagePath
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ntio922 |ImagePath
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ndisaluo |ImagePath

Registry keys to delete:
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NDIS

DONE >> SEMAFOR >> OK
Po restarte sem dajte log, ktory vam nabehne (c:\avenger.txt)

Spustite HiJackThis, postupně klik na tlačítka: "Main Menu" - "Open the Misc Tools section" - "Open ADS Spy…" Od označte „Quick scan“ .

( Quick scan, je defaultne nastavene, ale vy ho odznacte.Nesmie byt oznacene!)

klik na „Scan“, poukončení hledání se zobrazí výsledky. Vyhladajte zo zoznamu tieto subory:
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\WINDOWS\system32\alt.exe.exe
Ak ich najdete, tak ich na lavej strane oznacte, kliknite na „Remove selected“ a nasledne na "ANO". Restart pocitaca a po nom tu dajte log z avengera, combofixu a hijackthis.

Zlozky v c:\avenger
c:\combofix
c:\quarantine zrarujte. Potom potrebujem keby ste mi ich poslal, to sa dohodneme, ale nemazte ich zatial .

warstar · Příspěvek od **warstar** » pon 14. led 2008, 11:40

Díky za informace, protáhl jsem to tím Avengerem podle Vašeho scriptu a už mi nenaběhlo nic (ani v nouzovém režimu).
Takže format a nová instalace.
Byljsem ale rád, protože se to vyřešilo důkladně a na 100%.
Přesto díky za pomoc a rady.

BUBINO · Příspěvek od **BUBINO** » pon 14. led 2008, 13:31

Ako nesiel pocitac, Co vam vypisalo?

Mrzi ma to, ze to takto dopadlo, pretoze sa nesmu diat taketo chyby, ale obcas sa to stane, a to, co ste mal zmazat pomocou avengera boli vsetko smejdy. Ak si to vyhladate, tak zistite, takze jediny zaver je ten, ze neaky zo suborov vam pocitac stiahol a ja len dufam, ze vas to moc neposkodilo.

Ak vam mozem do buducna poradit, tak nestahujte keygeny, atd aj ked viem, ze sme ludia a ked uz stahujete, skuste stahovat z neakych overenych for, urcite nie z neakych srackov co su tie pochybne stranky.Z neakych overenych a ak stahujete neaky program, skuste ho najprv otestovat na virustotal.com a nasledne ho spustit.

warstar · Příspěvek od **warstar** » pon 14. led 2008, 23:43

Chci Vám ještě poděkovat, protože tohle fórum mi už několikrát pomohlo.(nebo jsem tady důležitou informaci našel)
Na tomhle compu mám ještě jeden disk s daty, takže jsem jen přeinstaloval systém a za několik hodin bylo hotovo (beze ztráty důležitých dat)

Navíc vím že teď je (na nějakou dobu) systém čistý.

Mějte se fajn, však já se zase ozvu. Díky

BUBINO · Příspěvek od **BUBINO** » úte 15. led 2008, 14:49

Tak to som rad, ze sa vam neposkodili data

Dakujeme za uznanie, od toho tu sme. V pripade problemov sa mozte na nas obratit.
Zatial dovi.

SagiCZ · Příspěvek od **SagiCZ** » úte 15. led 2008, 23:07

no nevim.. jestli natvrdo smazal nekolik systemovejch souboru (schovst.exe) tak mu tezko muze nabihat system.. to byla rada za vsechny prachy

BUBINO · Příspěvek od **BUBINO** » stř 16. led 2008, 14:38

Ukaz mi kde som dal pouzit systemovy svchost na zmaznutie v scripte.

Vidno z logu toto :
C:\WINDOWS\system32\svchost.exe

To ješ systemovy. Ja som dal zmazat tento :
C:\WINDOWS\system32\svcd\svchost.exe

Ten je v blbej zlozke a okrem ineho oznaceny ako smejd. Takze?

Oblak · Příspěvek od **Oblak** » sob 19. led 2008, 14:50

Zdravím,

prosím o kontrolu logu z Combo
nevím jak toho TROJAN.DROPPER dostat pryč, blokuje mi kolikrát i připojení k netu , nedovolí pouštění antivirových programů, blokuje přeinstalování systému.

přilkádám log:

ComboFix 08-01-09.2 - Karel 2008-01-19 14:35:22.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1587 [GMT 1:00]
Running from: C:\Documents and Settings\Karel\Plocha\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 13:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 15:29 . 2008-01-17 15:28 163,904 --a------ C:\WINDOWS\system32\yvdokjlt.dll.ren
2008-01-17 08:05 . 2008-01-08 22:58 664 --a------ C:\WINDOWS\win.tmp
2008-01-17 08:05 . 2007-04-01 10:30 231 --a------ C:\WINDOWS\system.tmp
2008-01-16 13:07 . 2008-01-18 13:42 <DIR> d-------- C:\Pošta
2008-01-16 12:55 . 2008-01-16 12:55 163,904 --a------ C:\WINDOWS\system32\akqaevcf.dll.ren
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní tiskárny
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní síť
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Oblíbené položky
2008-01-14 21:50 . 2007-04-01 08:47 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablony
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> dr------- C:\Documents and Settings\Administrator\Nabídka Start
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2008-01-14 21:50 . 2008-01-14 21:50 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Spy Emergency
2008-01-14 21:50 . 2007-04-01 10:29 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikací
2008-01-14 21:34 . 2008-01-14 21:39 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-01-14 21:34 . 2008-01-14 21:36 <DIR> d-a------ C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-01-14 21:06 . 2008-01-17 15:09 <DIR> d-------- C:\Program Files\Spy Emergency 2005
2008-01-14 21:06 . 2008-01-14 21:14 <DIR> d-------- C:\Documents and Settings\Karel\Data aplikací\Spy Emergency
2008-01-14 21:06 . 2008-01-14 21:06 <DIR> d-------- C:\Documents and Settings\Karel\Data aplikací\Se Analyzer Tool
2008-01-14 21:06 . 2005-02-27 10:10 5,184 --a------ C:\WINDOWS\system32\drivers\spyemrg.sys
2008-01-14 21:02 . 2008-01-14 21:02 <DIR> d-------- C:\Program Files\HD Tune
2008-01-14 13:06 . 2008-01-14 13:05 163,904 --a------ C:\WINDOWS\system32\fsexgxvd.dll.ren
2008-01-13 22:27 . 2008-01-13 22:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 22:15 . 2008-01-13 22:15 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-13 20:14 . 2008-01-14 11:46 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-01-13 18:08 . 2007-03-10 15:18 186,368 --a------ C:\checkDisk.exe
2008-01-13 17:41 . 2008-01-13 17:41 <DIR> dr------- C:\Documents and Settings\Karel\Oblíbené položky
2008-01-11 11:41 . 2008-01-11 11:41 30,349 --a------ C:\Program Files\1010.exe
2008-01-11 11:27 . 2008-01-15 16:24 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-10 16:48 . 2008-01-19 13:55 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-10 16:48 . 2008-01-19 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-01-09 20:05 . 2008-01-09 20:05 <DIR> d-------- C:\Program Files\FLVPlayer
2008-01-09 19:06 . 2008-01-09 19:06 <DIR> d-------- C:\Documents and Settings\Karel\Data aplikací\ESET
2008-01-09 19:05 . 2008-01-10 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2008-01-08 22:43 . 2008-01-08 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Adobe Systems
2008-01-08 22:41 . 2008-01-08 22:41 23,552 --a------ C:\WINDOWS\system32\winhab32.dll
2008-01-08 09:52 . 2008-01-09 20:02 <DIR> d-------- C:\Program Files\iTunes
2008-01-08 09:52 . 2008-01-08 09:52 <DIR> d-------- C:\Program Files\iPod
2008-01-08 09:51 . 2008-01-08 09:51 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-06 14:59 . 2008-01-06 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\nView_Profiles
2008-01-02 16:02 . 2008-01-02 16:09 <DIR> dr------- C:\Documents and Settings\LocalService\Dokumenty
2008-01-02 11:08 . 2008-01-02 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Apple
2007-12-29 16:42 . 2007-12-29 16:43 <DIR> d-------- C:\Program Files\RegistryFix
2007-12-29 01:58 . 2007-12-29 01:58 44 --a------ C:\WINDOWS\system32\blue.SITENAME
2007-12-29 01:53 . 2007-12-29 01:59 455 --a------ C:\WINDOWS\VFO.VST
2007-12-29 01:44 . 2007-12-29 01:44 <DIR> d-------- C:\Program Files\SmartSound Software
2007-12-29 01:44 . 2007-12-29 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\SmartSound Software Inc
2007-12-29 01:43 . 2007-12-30 12:40 1,208 --a------ C:\WINDOWS\VFO.INI
2007-12-29 01:42 . 2004-02-24 12:04 41,219 --a------ C:\WINDOWS\RSETPATH.exe
2007-12-29 01:23 . 2007-12-29 01:23 <DIR> d-------- C:\Documents and Settings\Karel\Data aplikací\Pinnacle Systems
2007-12-29 00:23 . 2007-12-29 00:24 <DIR> d-------- C:\Program Files\DivX
2007-12-29 00:21 . 2003-11-10 17:06 26,624 --a------ C:\WINDOWS\system32\PSDrvCheck.KOR
2007-12-29 00:20 . 2007-12-29 00:20 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-12-29 00:20 . 2002-12-17 17:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2007-12-29 00:20 . 2002-10-20 15:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2007-12-29 00:15 . 2007-12-29 01:45 <DIR> d-------- C:\Program Files\Pinnacle
2007-12-29 00:10 . 2006-08-09 09:10 291,200 -ra------ C:\WINDOWS\system32\drivers\emBDA.sys
2007-12-29 00:10 . 2006-08-03 07:22 61,440 -ra------ C:\WINDOWS\emMON.exe
2007-12-29 00:10 . 2006-08-09 09:10 32,768 -ra------ C:\WINDOWS\system32\emPRP.ax
2007-12-29 00:10 . 2006-08-09 09:10 28,160 -ra------ C:\WINDOWS\system32\drivers\emOEM.sys
2007-12-28 19:26 . 2008-01-18 11:49 2,092,086 --a------ C:\WINDOWS\ACD Tapeta.bmp
2007-12-20 21:07 . 2007-12-20 21:08 <DIR> d-------- C:\Documents and Settings\Karel\Data aplikací\Download Manager
2007-12-20 20:31 . 2008-01-09 19:38 37,008 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-12-20 20:27 . 2007-12-29 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikac
2007-12-20 20:26 . 2006-11-15 11:29 1,712,128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL
2007-12-20 20:20 . 2007-12-20 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Pinnacle Studio
2007-12-19 13:30 . 2007-12-19 13:49 <DIR> d-------- C:\Program Files\mp3DirectCut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\Desktop Sidebar
2008-01-17 14:19 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-16 22:00 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\Skype
2008-01-16 13:57 --------- d-----w C:\Program Files\Krtecek_2_0
2008-01-15 20:32 --------- d-----w C:\Program Files\a-squared Free
2008-01-15 14:40 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\uTorrent
2008-01-13 23:07 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-13 22:04 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-13 21:06 --------- d-----w C:\Program Files\Google
2008-01-13 21:02 --------- d-----w C:\Program Files\MOBILedit!
2008-01-13 18:10 --------- d-----w C:\Program Files\Video Convert Master
2008-01-09 21:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 21:26 --------- d-----w C:\Program Files\Canon
2008-01-09 18:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-09 10:45 --------- d-----w C:\Program Files\Desktop Sidebar
2008-01-08 21:47 --------- d-----w C:\Program Files\SlimStar R610
2008-01-08 21:47 --------- d-----w C:\Program Files\QuickTime
2008-01-08 21:47 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-01-02 14:20 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\ZoomBrowser EX
2008-01-02 10:11 --------- d-----w C:\Program Files\Winamp
2008-01-02 10:09 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Apple Computer
2008-01-02 10:08 --------- d-----w C:\Program Files\Apple Software Update
2007-12-21 18:21 --------- d-----w C:\Program Files\Zoner
2007-12-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Pinnacle
2007-12-20 19:08 --------- d-----w C:\Program Files\TC UP
2007-12-17 21:24 2,277,888 ----a-w C:\WINDOWS\system32\TUKernel.exe
2007-12-08 22:43 --------- d-----w C:\Program Files\ICQ6
2007-12-08 14:08 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\Vso
2007-12-08 13:43 --------- d-----w C:\Program Files\Creative
2007-12-02 16:26 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-12-02 16:25 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-12-02 16:11 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-02 16:07 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\DAEMON Tools Pro
2007-12-02 16:07 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\DAEMON Tools Pro
2007-12-02 16:02 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-02 15:38 --------- d-----w C:\Program Files\Universal Share Downloader v1.3.4.7 Without Captcha
2007-12-02 15:29 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\URSoft
2007-12-02 15:22 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\SlySoft
2007-12-02 15:14 516,096 ----a-w C:\WINDOWS\UN32.EXE
2007-12-02 15:14 491,520 ----a-w C:\WINDOWS\WebIE.dll
2007-12-02 15:14 45,056 ----a-w C:\WINDOWS\TRNOEH.DLL
2007-12-02 15:14 356,352 ----a-w C:\WINDOWS\TrnOutl.dll
2007-12-02 15:14 294,912 ----a-w C:\WINDOWS\TrnWord.dll
2007-12-02 15:14 26,624 ----a-w C:\WINDOWS\OETRN.EXE
2007-12-02 15:14 200,704 ----a-w C:\WINDOWS\TRNOET.DLL
2007-11-30 15:23 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-26 12:55 --------- d-----w C:\Documents and Settings\Karel\Data aplikací\HEXelon
2007-11-09 14:11 35,464 ----a-w C:\Documents and Settings\Karel\Data aplikací\GDIPFONTCACHEV1.DAT
2007-11-07 09:29 720,896 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-20 12:59 81,920 ----a-w C:\Documents and Settings\Karel\Data aplikací\ezpinst.exe
2007-07-20 12:59 47,360 ----a-w C:\Documents and Settings\Karel\Data aplikací\pcouffin.sys
2007-05-06 13:01 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

Kód: Vybrat vše

<pre>
----a-w           847,872 2008-01-13 22:59:34  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
----a-w            58,368 2007-11-14 16:07:06  C:\Program Files\PolderbitS\Recorder\PolderbitS Sound Recorder and Editor Version 5.0 build 94 crack .exe
----a-w         1,146,880 2008-01-14 21:08:01  C:\Program Files\Spy Emergency 2005\SpyEmergency .exe
----a-w         2,776,576 2008-01-15 15:24:42  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w           313,864 2008-01-12 13:42:18  C:\Program Files\TuneUp Utilities 2007\MemOptimizer .exe
----a-w            15,360 2008-01-15 15:24:26  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.28.18.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 12:43:30 88,834 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-01-19 13:36:47 88,834 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-01-19 12:43:30 77,798 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-19 13:36:47 77,798 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-19 12:43:30 450,552 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-01-19 13:36:47 450,552 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-01-19 12:43:30 454,058 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 13:36:47 454,058 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 13:32:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_320.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2007-07-06 17:37 266240]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-17 15:19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 14:05 7557120]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-19 13:55 1]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\akqaevcf]
akqaevcf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsexgxvd]
fsexgxvd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvdokjlt]
yvdokjlt.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-13 22:15]
R1 SpyEmrg;Spy Emergency Driver;C:\WINDOWS\system32\Drivers\spyemrg.sys [2005-02-27 10:10]
R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 14:00]
R2 SDPASVC;SDPAUMS server service;C:\WINDOWS\system32\sdpasvc.exe [2001-08-07 13:27]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-17 14:49]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2005-07-12 01:53]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
S3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-05-18 12:53]
S3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 18:54]
S3 USB28xxBGA;USB 2883 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2006-08-09 09:10]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2006-08-09 09:10]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-08 08:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:38:52
ComboFix-quarantined-files.txt 2008-01-19 13:38:49
.
2008-01-09 10:13:53 --- E O F ---

BUBINO · Příspěvek od **BUBINO** » sob 19. led 2008, 18:02

Vypnite rezidentnu ochranu u Spyware Terminatora, ak ju mate zapnutu.

Do poznamkoveho bloku skopirujte nasledovne:

File::
C:\WINDOWS\system32\yvdokjlt.dll.ren
C:\WINDOWS\system32\akqaevcf.dll.ren
C:\WINDOWS\system32\fsexgxvd.dll.ren
C:\Program Files\1010.exe
C:\checkDisk.exe
C:\WINDOWS\system32\winhab32.dll

Registry::
[-HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\akqaevcf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yvdokjlt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fsexgxvd]

Ulozte na plochu ako CFScript.txt . Chytte mysou a presunte blok nad combofix a nasledne pustite ako na obrazku dole. Po skene sem dajte log, ktory vam naskoci.
Obrázek

Toto otestujte na virustotal.com :
C:\WINDOWS\system32\drivers\atksgt.sys
C:\WINDOWS\system32\drivers\lirsgt.sys
C:\WINDOWS\win.tmp
C:\WINDOWS\system.tmp
C:\WINDOWS\system32\TUKernel.exe
Uploadnite a vysledky sem dajte.

Otestujte aj obsah :
C:\Program Files\PandoBar

Odinstalujte :
Spy Emergency

Urobte aj log z HijackThisu.

Oblak · Příspěvek od **Oblak** » ned 20. led 2008, 19:22

doufam ze se mi to vse spravne povedlo

log z COMBOFIXU:

Start Time= 2008-01-20 19:13:28.31

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-01-17 15:29:00 163904 ( A.... ) "C:\WINDOWS\system32\yvdokjlt.dll.ren"
2008-01-17 15:19:52 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon.exe"
2008-01-16 12:55:46 163904 ( A.... ) "C:\WINDOWS\system32\akqaevcf.dll.ren"
2008-01-15 16:24:28 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon .exe"
2008-01-14 21:34:08 ( .D... ) "C:\Program Files\Your Uninstaller 2008"
2008-01-14 21:06:18 ( .D... ) "C:\Program Files\Spy Emergency 2005"
2008-01-14 21:02:30 ( .D... ) "C:\Program Files\HD Tune"
2008-01-14 13:05:50 163904 ( A.... ) "C:\WINDOWS\system32\fsexgxvd.dll.ren"
2008-01-13 22:27:12 ( .D... ) "C:\Program Files\Enigma Software Group"
2008-01-13 20:14:56 ( .D... ) "C:\Program Files\NoAdware5.0"
2008-01-11 11:41:16 30349 ( A.... ) "C:\Program Files\1010.exe"
2008-01-10 16:48:18 ( .D... ) "C:\Program Files\Spyware Terminator"
2008-01-09 20:05:56 ( .D... ) "C:\Program Files\FLVPlayer"
2008-01-09 19:06:56 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\ESET"
2008-01-08 22:58:24 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Opera"
2008-01-08 22:41:36 23552 ( A.... ) "C:\WINDOWS\system32\winhab32.dll"
2008-01-08 09:52:16 ( .D... ) "C:\Program Files\iPod"
2008-01-08 09:52:12 ( .D... ) "C:\Program Files\iTunes"
2008-01-08 09:51:34 ( .D... ) "C:\Program Files\Common Files\Apple"
2008-01-02 19:21:36 17642616 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-12-29 16:42:46 ( .D... ) "C:\Program Files\RegistryFix"
2007-12-29 01:44:48 ( .D... ) "C:\Program Files\SmartSound Software"
2007-12-29 01:43:56 95 ( A.... ) "C:\AUTOEXEC.BAT"
2007-12-29 01:23:12 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Pinnacle Systems"
2007-12-29 00:24:00 ( .D... ) "C:\Program Files\DivX"
2007-12-29 00:20:28 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2007-12-29 00:15:24 ( .D... ) "C:\Program Files\Pinnacle"
2007-12-20 21:07:28 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Download Manager"
2007-12-19 13:30:16 ( .D... ) "C:\Program Files\mp3DirectCut"
2007-12-17 22:24:26 2277888 ( A.... ) "C:\WINDOWS\system32\TUKernel.exe"
2007-12-08 14:37:10 ( .D... ) "C:\Program Files\Creative"
2007-12-02 17:11:04 ( .D... ) "C:\Program Files\DAEMON Tools"
2007-12-02 17:07:22 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\DAEMON Tools Pro"
2007-12-02 17:07:04 9728 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2007-12-02 17:04:54 ( .D... ) "C:\Program Files\DAEMON Tools Pro"
2007-12-02 16:29:34 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\URSoft"
2007-12-02 16:14:58 491520 ( A.... ) "C:\WINDOWS\WebIE.dll"
2007-12-02 16:14:58 356352 ( A.... ) "C:\WINDOWS\TrnOutl.dll"
2007-12-02 16:14:58 294912 ( A.... ) "C:\WINDOWS\TrnWord.dll"
2007-12-02 16:14:58 200704 ( A.... ) "C:\WINDOWS\TRNOET.DLL"
2007-12-02 16:14:58 45056 ( A.... ) "C:\WINDOWS\TRNOEH.DLL"
2007-12-02 16:14:58 26624 ( A.... ) "C:\WINDOWS\OETRN.EXE"
2007-12-02 16:14:36 516096 ( A.... ) "C:\WINDOWS\UN32.EXE"
2007-11-29 13:40:34 69 ( A.... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Printer.ini"
2007-11-26 13:55:20 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\HEXelon"
2007-11-26 13:50:16 ( .D... ) "C:\Program Files\TC UP"
2007-11-19 12:53:22 43 ( ..SH. ) "C:\Documents and Settings\Karel\Data aplikacˇ\.zreglib"
2007-11-13 12:31:12 60416 ( A.... ) "C:\WINDOWS\system32\tzchange.exe"
2007-11-09 15:11:02 35464 ( A.... ) "C:\Documents and Settings\Karel\Data aplikacˇ\GDIPFONTCACHEV1.DAT"
2007-11-07 10:29:20 720896 ( A.... ) "C:\WINDOWS\system32\lsasrv.dll"
2007-10-31 04:57:04 3590656 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2007-10-29 23:44:32 1290240 ( A.... ) "C:\WINDOWS\system32\quartz.dll"
2007-10-29 16:07:08 357888 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2007-10-25 17:44:08 8464384 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2007-10-25 09:28:30 222720 ( A.... ) "C:\WINDOWS\system32\wmasf.dll"
2007-05-06 14:01:58 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SIDEBAR"="\"C:\\Program Files\\Desktop Sidebar\\dsidebar.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Proces mezipaměti kategorií součástí"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 2008-01-20 19:15:40.90
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

OTESTOVANI SOUBORU NA VIRUSTOTAL.COM:

C:\WINDOWS\system32\drivers\atksgt.sys
C:\WINDOWS\system32\drivers\lirsgt.sys
C:\WINDOWS\win.tmp
C:\WINDOWS\system.tmp
C:\WINDOWS\system32\TUKernel.exe

u těchto bylo 0/32 (0%)

soubory v adresáři PANDOBAR

Soubor P4PLUGIN.DLL přijatý 2007.09.22 00:19:33 (CET)
Současný stav: Dokončeno
Výsledek: 1/32 (3.12%)
Ikarus - - AdWare.ToolBar.MyWebSearch

Soubor PANDOBAR.DLL přijatý 2007.10.15 11:41:07 (CET)
Současný stav: Dokončeno
Výsledek: 2/32 (6.25%)
Ikarus - - not-a-virus:AdWare.Win32.MySearch.g
Panda - - Suspicious file

Soubor search2 přijatý 2007.03.01 09:21:20 (CET)
Současný stav: Dokončeno
Výsledek: 1/30 (3.33%)
FileAdvisor - - Not analyzed yet

LOG Z HIJACKTHINGS:

Logfile of HijackThis v1.99.1
Scan saved at 18:44, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Karel\Plocha\hijackthis.exe

R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FE2902D-EBA0-41E0-AEE9-1B5642F7362A}: NameServer = 81.30.224.2,81.30.225.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: akqaevcf - akqaevcf.dll (file missing)
O20 - Winlogon Notify: fsexgxvd - fsexgxvd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: yvdokjlt - yvdokjlt.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

BUBINO · Příspěvek od **BUBINO** » ned 20. led 2008, 20:00

V prvom rade odinstalujte
Spy Emergenci
Spy Emergenci 2005
NoAdware5.0
PandoBar

Stiahnite si avenger :
http://www.viry.cz/forum/viewtopic.php?t=19832
Podla navodu sa dopracujte k tomu okne a do neho dajte toto:

Files to delete:
C:\WINDOWS\system32\yvdokjlt.dll.ren
C:\WINDOWS\system32\akqaevcf.dll.ren
C:\WINDOWS\system32\fsexgxvd.dll.ren
C:\Program Files\1010.exe
C:\checkDisk.exe
C:\WINDOWS\system32\winhab32.dll

DONE >> SEMAFOR >> OK
Po restarte sem vlozte log, ktory vam nabehne (c:\avenger.txt)

Toto otestujte na virustotal.com:
C:\WINDOWS\system32\ctfmon .exe
C:\Documents and Settings\Karel\Data aplikacˇ\Printer.ini

Potom, ako urobite tieto veci, urobte combofix.

Oblak · Příspěvek od **Oblak** » ned 20. led 2008, 20:36

Děkuji za help

AVENGER

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tslwpdms

*******************

Script file located at: \??\C:\WINDOWS\system32\unmpkbpe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\yvdokjlt.dll.ren deleted successfully.
File C:\WINDOWS\system32\akqaevcf.dll.ren deleted successfully.
File C:\WINDOWS\system32\fsexgxvd.dll.ren deleted successfully.
File C:\Program Files\1010.exe deleted successfully.
File C:\checkDisk.exe deleted successfully.
File C:\WINDOWS\system32\winhab32.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

VIRUSTOTAL

C:\WINDOWS\system32\ctfmon .exe 0/32 (0%)
C:\Documents and Settings\Karel\Data aplikacˇ\Printer.ini 0/32 (0%)

COMBOFIX

Start Time= 2008-01-20 20:30:49.68

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-01-17 15:19:52 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon.exe"
2008-01-15 16:24:28 15360 ( A.... ) "C:\WINDOWS\system32\ctfmon .exe"
2008-01-14 21:34:08 ( .D... ) "C:\Program Files\Your Uninstaller 2008"
2008-01-14 21:02:30 ( .D... ) "C:\Program Files\HD Tune"
2008-01-13 22:27:12 ( .D... ) "C:\Program Files\Enigma Software Group"
2008-01-10 16:48:18 ( .D... ) "C:\Program Files\Spyware Terminator"
2008-01-09 20:05:56 ( .D... ) "C:\Program Files\FLVPlayer"
2008-01-09 19:06:56 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\ESET"
2008-01-08 22:58:24 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Opera"
2008-01-08 09:52:16 ( .D... ) "C:\Program Files\iPod"
2008-01-08 09:52:12 ( .D... ) "C:\Program Files\iTunes"
2008-01-08 09:51:34 ( .D... ) "C:\Program Files\Common Files\Apple"
2008-01-02 19:21:36 17642616 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-12-29 16:42:46 ( .D... ) "C:\Program Files\RegistryFix"
2007-12-29 01:44:48 ( .D... ) "C:\Program Files\SmartSound Software"
2007-12-29 01:43:56 95 ( A.... ) "C:\AUTOEXEC.BAT"
2007-12-29 01:23:12 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Pinnacle Systems"
2007-12-29 00:24:00 ( .D... ) "C:\Program Files\DivX"
2007-12-29 00:20:28 ( .D... ) "C:\Program Files\Microsoft SQL Server"
2007-12-29 00:15:24 ( .D... ) "C:\Program Files\Pinnacle"
2007-12-20 21:07:28 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Download Manager"
2007-12-19 13:30:16 ( .D... ) "C:\Program Files\mp3DirectCut"
2007-12-17 22:24:26 2277888 ( A.... ) "C:\WINDOWS\system32\TUKernel.exe"
2007-12-08 14:37:10 ( .D... ) "C:\Program Files\Creative"
2007-12-02 17:11:04 ( .D... ) "C:\Program Files\DAEMON Tools"
2007-12-02 17:07:22 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\DAEMON Tools Pro"
2007-12-02 17:07:04 9728 ( A.... ) "C:\WINDOWS\system32\BASSMOD.dll"
2007-12-02 17:04:54 ( .D... ) "C:\Program Files\DAEMON Tools Pro"
2007-12-02 16:29:34 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\URSoft"
2007-12-02 16:14:58 491520 ( A.... ) "C:\WINDOWS\WebIE.dll"
2007-12-02 16:14:58 356352 ( A.... ) "C:\WINDOWS\TrnOutl.dll"
2007-12-02 16:14:58 294912 ( A.... ) "C:\WINDOWS\TrnWord.dll"
2007-12-02 16:14:58 200704 ( A.... ) "C:\WINDOWS\TRNOET.DLL"
2007-12-02 16:14:58 45056 ( A.... ) "C:\WINDOWS\TRNOEH.DLL"
2007-12-02 16:14:58 26624 ( A.... ) "C:\WINDOWS\OETRN.EXE"
2007-12-02 16:14:36 516096 ( A.... ) "C:\WINDOWS\UN32.EXE"
2007-11-29 13:40:34 69 ( A.... ) "C:\Documents and Settings\Karel\Data aplikacˇ\Printer.ini"
2007-11-26 13:55:20 ( .D... ) "C:\Documents and Settings\Karel\Data aplikacˇ\HEXelon"
2007-11-26 13:50:16 ( .D... ) "C:\Program Files\TC UP"
2007-11-19 12:53:22 43 ( ..SH. ) "C:\Documents and Settings\Karel\Data aplikacˇ\.zreglib"
2007-11-13 12:31:12 60416 ( A.... ) "C:\WINDOWS\system32\tzchange.exe"
2007-11-09 15:11:02 35464 ( A.... ) "C:\Documents and Settings\Karel\Data aplikacˇ\GDIPFONTCACHEV1.DAT"
2007-11-07 10:29:20 720896 ( A.... ) "C:\WINDOWS\system32\lsasrv.dll"
2007-10-31 04:57:04 3590656 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2007-10-29 23:44:32 1290240 ( A.... ) "C:\WINDOWS\system32\quartz.dll"
2007-10-29 16:07:08 357888 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2007-10-25 17:44:08 8464384 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2007-10-25 09:28:30 222720 ( A.... ) "C:\WINDOWS\system32\wmasf.dll"
2007-05-06 14:01:58 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SIDEBAR"="\"C:\\Program Files\\Desktop Sidebar\\dsidebar.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Proces mezipaměti kategorií součástí"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 2008-01-20 20:33:17.43
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

BUBINO · Příspěvek od **BUBINO** » ned 20. led 2008, 20:57

Vypada to omnoho lepsie.

Toto v programe HijackThis fixnite:
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - (no file)
O20 - Winlogon Notify: akqaevcf - akqaevcf.dll (file missing)
O20 - Winlogon Notify: fsexgxvd - fsexgxvd.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: yvdokjlt - yvdokjlt.dll (file missing)

Je mozne, ze tie prve tam uz nebudu, je to ok.

Urobte este tento sken :
http://www.viry.cz/forum/viewtopic.php?t=4097
Updatujte a nastavte.Po skene sem dajte log z dolneho okna.

Toto este prosim otestujte:
C:\WINDOWS\system32\MRT.exe
C:\AUTOEXEC.BAT

Oblak · Příspěvek od **Oblak** » ned 20. led 2008, 22:25

HijackThis fixnite. povedlo se

log z programu MWAV:

Objekt "grokster Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "NULLBYTE Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "grokster Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "everad Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "smitfraud Browser Hijacker" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "ezula Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "savenow Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "Possible Fujacks-type Worm" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Záznam "HKCR\ChilkatXml.ChilkatXml" odkazuje na neplatný objekt "{CE2E4226-494A-4DB2-9B45-7C8586CC01A3}". Provedené akce: Nic nebylo provedeno.

Záznam "HKCR\ChilkatXml.ChilkatXml.1" odkazuje na neplatný objekt "{CE2E4226-494A-4DB2-9B45-7C8586CC01A3}". Provedené akce: Nic nebylo provedeno.

Záznam "HKCR\ChilkatXml.XmlFactory" odkazuje na neplatný objekt "{7FAB24D9-F81A-49A3-A0E9-A3198DEDF454}". Provedené akce: Nic nebylo provedeno.

Záznam "HKCR\ChilkatXml.XmlFactory.1" odkazuje na neplatný objekt "{7FAB24D9-F81A-49A3-A0E9-A3198DEDF454}". Provedené akce: Nic nebylo provedeno.

Záznam "HKCR\SpyDoctor.EMClient" odkazuje na neplatný objekt "{C7976BEB-AB1E-46F7-8CCD-D4C9CD83BF49}". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\Downloaded Program Files\MVSGif.ocx". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\lnod32apiA.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\lnod32apiW.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\lnod32umc.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\lnod32upd.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\OnlineScanner.ocx". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\OnlineScannerDLLA.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\OnlineScannerDLLW.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\OnlineScannerLang.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\OnlineScannerUninstaller.exe". Provedené akce: Nic nebylo provedeno.

Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" odkazuje na neplatný objekt "C:\WINDOWS\system32\unicows.dll". Provedené akce: Nic nebylo provedeno.

Záznam "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" odkazuje na neplatný objekt "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_game_package". Provedené akce: Nic nebylo provedeno.

Záznam "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" odkazuje na neplatný objekt "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_game_info". Provedené akce: Nic nebylo provedeno.

Záznam "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" odkazuje na neplatný objekt "C:\Program Files\Real\RealArcade\RNArcade.exe /m application/vnd.rn-rn_secured_installer". Provedené akce: Nic nebylo provedeno.

Soubor C:\avenger\backup.zip/avenger/akqaevcf.dll.ren indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.dnn". Provedené akce: Nic nebylo provedeno.
Soubor C:\Stahování\ComboFix.exe je infikovaný virem NULL.Corrupted !! Provedené akce: Nic nebylo provedeno.

VIRUSTOTAL.COM

C:\AUTOEXEC.BAT 0/32 (0%)
C:\WINDOWS\system32\MRT.exe
Bigger than max permited size / Mayor del tamano máximo permitido
je větši než povolená velokost, totalcomander hlasi že má 17,64 Mb

BUBINO · Příspěvek od **BUBINO** » ned 20. led 2008, 22:33

Do avengera este napiste toto:

Files to delete:
C:\WINDOWS\system32\TUKernel.exe

Done >> Semafor >> OK

C:\WINDOWS\system32\MRT.exe otestujte na tomto:
http://www.viry.cz/forum/viewtopic.php?t=5846

Pocitac precistite s ccleanerom:
http://www.viry.cz/forum/viewtopic.php?t=7478
(NIEKOLKO KRAT)

Zmazte rucne zlozku
C:\avenger

Po tychto krokov prosim preferujte, ako sa chova pocitac.

Oblak · Příspěvek od **Oblak** » ned 20. led 2008, 23:13

pres avengera to se povedlo

C:\WINDOWS\system32\MRT.exe

Na dvou serverech mají omezení příchozího souboru, takže nevezmou větší soubor. na ten jeden se porad to pokousim nahrat.

CCLEANER - cistil jsem.

Systém je rychlejší, antivirový program se mi nespustí po spuštění windows. (eset smart sec.) a porad mi při nábehu počítače vybíhá CPU FAN ERROR, pokračujte po stisku F1. (používám vlastní řízené chlazení s manuálním ovládáním.) Při nenapadnutém systému nikdy nic takového nehlásil.

Nevím zda-li pomůže reinstal celého XP? Předtím byl blokován (vždy vyhlásilo že disk C je používán a přerušil instalaci), zatím jsem to opět nezkoušel. Chtěl jsem první dokončit všechno toto.

pomůže celý přeinstal?

!HELP! TrojanDropper.Agent.DGO virus

!HELP! TrojanDropper.Agent.DGO virus

log z HijackThis

Re: log z HijackThis

Vyřešeno

Re: Vyřešeno

Prosím o kontrolu LOGu

Re: Prosím o kontrolu LOGu

udelal jsem jak jste rikal

Re: udelal jsem jak jste rikal

logy

Re: logy

next

Re: next