Small-BLF, APN, Agent-CQJ, Small.dxm, ...

[Jagud]

Měl jsem v PC Small-BLF, Small-APN, Agent-CQJ, Adware-gen. Podařilo se mi vyčistit PC pomocí Avast, CCleaner, RegCleaner, Spybot-Search&Destroy. Teď se ale stává, že po spuštění systému Win XP a po přihlášení uživatele, vytuhne počítač a je nutný restart. Prosím o kontrolu logu z Mwav a HijackThis. Děkuji

File c:\windows\system32\ldcore.dll infected by "Trojan-Downloader.Win32.Small.dxm" Virus! Action Taken: No Action Taken.
File c:\windows\system32\ldcore.dll infected by "Trojan-Downloader.Win32.Small.dxm" Virus! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.

File C:\WINDOWS\system32\ldcore.dll infected by "Trojan-Downloader.Win32.Small.dxm" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\durvil1.exe infected by "Trojan.Win32.Kolweb.b" Virus! Action Taken: No Action Taken.


Logfile of HijackThis v1.99.1
Scan saved at 8:46:39, on 30. 11. 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\TOTALCMD\TOTALCMD.EXE
c:\INSTALL\Hijac\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[Reklama]

[fredik]

Stáhni si Killbox. Spusť Killbox a do okénka zkopíruj modře označený řádek (přetáhnout myší a CTRL+C a potom kurzor do okénka a dej CTRL+V)

C:\WINDOWS\system32\ldcore.dll

Nastav volby Delete On Reboot a Unregister .dll Before deleting a stiskni červený kruh s křížem.Počítač bude chtít restart, tak jej povol a restartuj.

Najdi a smaž také červeně označený soubor (možná bude potřeba si zapnout zobrazení skrytých souborů aby si jej našel).
C:\WINDOWS\system32\durvil1.exe

Stáhni si Fixwareout
Restartuj do nouzáku a spusť Fixwareout, klikni na Next, potom na Install, zvolíš možnost Run fixit a klikni na Finish.
▪ Začne čistící proces a ty postupuj dle instrukcí.
▪ V případě odolnějších variant je vyžadován restart počítače, takže restartuj.
▪ Počítač může trochu déle nabíhat, po vstupu do Windows by mělo vyběhnout okno s logem z Fixwareoutu, tento log vlož zde do fóra. Jestliže se výpis neobjeví, najdeš jej v C:\fixwareout\report.txt

Vlož sem pak ještě nový log z HJT.

[Jagud]

Dodržel jsem skvěle popsaný postup. Vyzkoušel jsem restart i vypnutí a zapnutí a vždy po přihlášení uživatele vytuhnul. Po resetu se provedl scan a pak windows naběhl bez problému. Posílám výpisy. Zatím díky.


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSRM.EXE 51 714 2006-11-10
C:\WINDOWS\SYSTEM32\DMSZP.EXE 61 018 2004-08-17
C:\WINDOWS\SYSTEM32\DMDBX.EXE 61 018 2004-08-17

Other suspects.
Directory of C:\WINDOWS\system32
{AC233089-2985-40C6-981D-3DC5C4C59996}.exe
{0B32F652-99AE-410F-9AEF-5436D00B11BC}.exe
{2ED54B6A-8778-4BAD-BB79-F372495AB61F}.exe
{88F2F9B7-0766-443E-B179-750629D7430C}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:52, on 30. 11. 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TOTALCMD\TOTALCMD.EXE
c:\INSTALL\Hijac\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[fredik]

Otestuj tady tyto soubory označené tučně na Virustotall

C:\WINDOWS\SYSTEM32\CSSRM.EXE
C:\WINDOWS\SYSTEM32\DMSZP.EXE
C:\WINDOWS\SYSTEM32\DMDBX.EXE
C:\WINDOWS\system32\{AC233089-2985-40C6-981D-3DC5C4C59996}.exe
C:\WINDOWS\system32\{0B32F652-99AE-410F-9AEF-5436D00B11BC}.exe
C:\WINDOWS\system32\{2ED54B6A-8778-4BAD-BB79-F372495AB61F}.exe
C:\WINDOWS\system32\{88F2F9B7-0766-443E-B179-750629D7430C}.exe

a dej sem jejich výsledky.

Ta knihovna se tam furt drží. Psal něco Killbox? Zkusíme to jinak.

Stáhni si a spusť pod účtem administrátora Avenger
- Zvol možnost Input script manually a klikni na ikonku lupy
- Do nového prázdného okna zkopíruj celý modrý text:

Files to delete:
c:\windows\system32\ldcore.dll

- Poté klikni na Done
- Klikni na ikonu semaforu ke spuštění programu, nakonec klikni na OK a tvůj počítač se restartuje

Pak sem z výsledky dej i nový log z HJT.

[Jagud]

Postup jsem dodržel a posílám výpisy. U zbývajících souborů vypsal Virustotall vždy: no virus found. Kontrolní vypnutí a zapnutí PC proběhlo bez problému.

STATUS: FINISHEDComplete scanning result of "cssrm.exe"
AntiVir 7.2.0.46 11.30.2006 TR/Small.JH
Authentium 4.93.8 11.30.2006 could be a corrupted executable file
Avast 4.7.892.0 11.29.2006 no virus found
AVG 386 11.30.2006 PSW.Generic2.SQS
BitDefender 7.2 11.30.2006 Trojan.Downloader.Mohbpork.A
CAT-QuickHeal 8.00 11.29.2006 TrojanDownloader.Agent.uj
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 Trojan.DnsChange
eSafe 7.0.14.0 11.30.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 no virus found
Ewido 4.0 11.29.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 11.30.2006 Agent.BC!tr.spy
F-Prot 3.16f 11.30.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 11.30.2006 W32/new-malware!Maximus
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4907 11.29.2006 Spy-Agent.bc
Microsoft 1.1804 11.30.2006 Win32/Alureon.gen
NOD32v2 1892 11.30.2006 a variant of Win32/Small.FB
Norman 5.80.02 11.29.2006 no virus found
Panda 9.0.0.4 11.29.2006 Trj/dmRandom.DW
Prevx1 V2 11.30.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 Trojan.DnsChange
VirusBuster 4.3.15:9 11.30.2006 no virus found

STATUS: FINISHEDComplete scanning result of "dmszp.exe"
Antivirus Version Update Result
AntiVir 7.2.0.46 11.30.2006 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 11.30.2006 could be a corrupted executable file
Avast 4.7.892.0 11.29.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.29.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 Trojan.DnsChange
eSafe 7.0.14.0 11.30.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 Win32/Alureon!generic
Ewido 4.0 11.30.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 PossibleThreat
F-Prot 3.16f 11.30.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 11.30.2006 W32/new-malware!Maximus
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 Win32/Alureon.gen
NOD32v2 1892 11.30.2006 a variant of Win32/Small.FB
Norman 5.80.02 11.29.2006 no virus found
Panda 9.0.0.4 11.29.2006 Trj/dmRandom.DW
Prevx1 V2 11.30.2006 Covert.Sys.Exec
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 Trojan.DnsChange
VirusBuster 4.3.15:9 11.30.2006 no virus found

STATUS: FINISHEDComplete scanning result of "dmszp.exe"
Antivirus Version Update Result
AntiVir 7.2.0.46 11.30.2006 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 11.30.2006 could be a corrupted executable file
Avast 4.7.892.0 11.29.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.29.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 Trojan.DnsChange
eSafe 7.0.14.0 11.30.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 Win32/Alureon!generic
Ewido 4.0 11.30.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 PossibleThreat
F-Prot 3.16f 11.30.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 11.30.2006 W32/new-malware!Maximus
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 Win32/Alureon.gen
NOD32v2 1892 11.30.2006 a variant of Win32/Small.FB
Norman 5.80.02 11.29.2006 no virus found
Panda 9.0.0.4 11.29.2006 Trj/dmRandom.DW
Prevx1 V2 11.30.2006 Covert.Sys.Exec
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 Trojan.DnsChange
VirusBuster 4.3.15:9 11.30.2006 no virus found

STATUS: FINISHEDComplete scanning result of "dmdbx.exe", received in VirusTotal at 11.30.2006, 13:14:46 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.46 11.30.2006 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 11.30.2006 could be a corrupted executable file
Avast 4.7.892.0 11.29.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.29.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 Trojan.DnsChange
eSafe 7.0.14.0 11.30.2006 Win32.Polipos.sus
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 Win32/Alureon!generic
Ewido 4.0 11.30.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 PossibleThreat
F-Prot 3.16f 11.30.2006 Possibly a new variant of W32/new-malware!Maximus
F-Prot4 4.2.1.29 11.30.2006 W32/new-malware!Maximus
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 Win32/Alureon.gen
NOD32v2 1892 11.30.2006 a variant of Win32/Small.FB
Norman 5.80.02 11.30.2006 no virus found
Panda 9.0.0.4 11.29.2006 Trj/dmRandom.DW
Prevx1 V2 11.30.2006 Covert.Sys.Exec
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 Trojan.DnsChange
VirusBuster 4.3.15:9 11.30.2006 no virus found



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xvluibca
*******************
Script file located at: \??\C:\hobqcmmn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File c:\windows\system32\ldcore.dll not found!
Deletion of file c:\windows\system32\ldcore.dll failed!

Could not process line:
c:\windows\system32\ldcore.dll
Status: 0xc0000034

Completed script processing.
*******************
Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 13:20:53, on 30. 11. 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
c:\INSTALL\Hijac\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[sakiri]

takže to zkusíme jinak na tu ldcore.dll a rovnou při tom smažeme ty nakažený soubory.

Tohle si raději vytiskni, nebo ulož na plochu v Notepadu.

takže vytvoř soubor s názvem avenger1.txt (je to jenom proto aby jsme ho lépe našli) kam zkopíruj tenhle tučnej text:
Files to delete:
C:\WINDOWS\SYSTEM32\CSSRM.EXE
C:\WINDOWS\SYSTEM32\DMSZP.EXE
C:\WINDOWS\SYSTEM32\DMDBX.EXE
c:\windows\system32\ldcore.dll

Poté PC restartuj do nouzového režimu.Kde nespouštěj ani na okamžik nespouštěj žádný prohlížeč internetu.

kde spusť avenger pod účtem administrátora.
Zvol možnost Load script from file a klikni na tu malou ikonku té složky a najdi ten avenger1.txt označ ho a dej open.
Poté klikni na ikonku semafory kde ti vyskočí hláška kde dej ANO poté další kde dej OK.
PC se restartuje.Nech mu volnej průběh aby jsi se dostal do normálního režimu.
Měl by ti vyskočit Poznámkový blok tak jsem zkopíruj jeho obsah + nový Hijackthis log na kontrolu.

[fredik]

Udělej to co psal sakiri

+

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{0D251DE9-48FE-487F-90D9-47FCDF0D132A}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146

po zaškrtnutí klikni na FixChecked

restartuj Pc a dej nový log z HJT.

[Jagud]

Udělal jsem to co psal sakiri + FixChecked všech popsaných 017. Už několikrát jsem měl dnes dojem, že při vypínání systému problikne v dolní části obrazovky řádek se žlutým podkladem a červenými písmeny. Tak jsem ještě spustil CCleaner, RegCleaner a Avast. Ten Avast mi napsal nález viru Agent-DIK [Trj] v souborech C:\Windows\system32\vxga4mel.exe a c:\Documents and Settings\...\Temp\ v3x1.g22m. Nechal jsem je smazat. Pak jsem restartoval (dával jsem pozor, žádný žlutý řádek) a spustil HJT:

Logfile of HijackThis v1.99.1
Scan saved at 18:45:55, on 30. 11. 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\INSTALL\Hijac\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[fredik]

Fixni v HJT
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

Zkus ještě projet znovu Pc a dej sem log z Mwav (před samotným scanem proveď Update). A mrkni jestli najdeš ještě ten soubor (c:\windows\system32\ldcore.dll)

[sakiri]

pokud by jsi ten ldcore.dll našel tak postupuj takhle:
stáhni Unlocker
a zapni si zobrazovat skryté a systémové soubory

toto si ulož do Notepadu.
a restartuj PC do nouzového režimu.

c:\windows\system32\ldcore.dll

ten červeně označený soubor najdi a klikni pravým tlačítkem na ten soubor a vyber Unlocker a vyber akci smazat a klikni na ok.
Pokud ti vyskočí hláška že soubor nemohl být smazán a bude smazán až při dalším spuštění PC tak klikni na Yes.PC se restartuje opět mu nech volný průběh aby jsi se dostal do normálu.Pokud by se ti nic takového neobjevilo tak to restartuj sám.

A zkopíruj sem jeho obsah toho to souboru avenger.txt měl by jsi ho najít v tomhle umístění C:\avenger.txt

+ jak ti říkal fredik tak udělej scan MWAVem

[Jagud]

Fixnul jsem v HJT
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
Projel jsem PC vším možným, nikdo nic nehlásil. Idcore.dll nebyl nalezen. Provedl jsem update Mwav a posílám log. PC nevykazuje zjevné problémy. Občas jako by chvíli ztuhnul a pak jede dál. Posílám i log z HJT.

Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.

File C:\WINDOWS\system32\ss.exe.exe infected by "Trojan-Proxy.Win32.Lager.ea" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\adirss.exe infected by "Trojan-Proxy.Win32.Lager.ea" Virus! Action Taken: No Action Taken
File C:\WINDOWS\system32\w.exe.exe infected by "Email-Worm.Win32.Glowa.g" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\wservice.exe infected by "Email-Worm.Win32.Glowa.g" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\taskdir~.exe infected by "Email-Worm.Win32.Glowa.g" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\vxga1me4t1.exe infected by "Email-Worm.Win32.Banwarum.f" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\vxg4am1et2.exe infected by "Trojan-Downloader.Win32.Small.dam" Virus! Action Taken: No Action Taken.

Logfile of HijackThis v1.99.1
Scan saved at 0:16:27, on 1. 12. 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\TOTALCMD\TOTALCMD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\INSTALL\Hijac\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\cs-cz\msnappau.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Ubisoft register.lnk = C:\Program Files\Ubisoft\Register\schedule.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[fredik]

Smaž všechny červeně označené soubory:
C:\WINDOWS\system32\ss.exe.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\w.exe.exe
C:\WINDOWS\system32\wservice.exe
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\vxga1me4t1.exe
C:\WINDOWS\system32\vxg4am1et2.exe
a řekni jestli se podařilo vymazat všechny.

Jestli nepoužíváš tak odinstaluj MSN Apps