Please check my log (Solved)
Re: Please check my log
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 23.3.2008 11:13:38 for strings:
; 'webdsnah'
; 'p2ptor'
; 'cabpii'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iftcprom]
"item"="p2ptor"
"command"="rundll32.exe \"C:\\WINDOWS\\TEMP\\p2ptor.sys\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ndqgdsdl]
"item"="p2ptor"
"command"="rundll32.exe \"C:\\WINDOWS\\TEMP\\p2ptor.sys\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\retsfahg]
"item"="p2ptor"
"command"="rundll32.exe \"C:\\WINDOWS\\TEMP\\p2ptor.sys\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"taskman"="rundll32.exe \"C:\\WINDOWS\\system32\\webdsnah.sys\" WLEntryPoint"
; End Of The Log...
fredik (Security team member)
Re: Please check my log
Hmm
Follow the steps in this exact order:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
#Step 1:
Go to Start -> Run... and type the following command (marked in blue) into the box: ComboFix /u
(there must be a space between ComboFix and /u) and click OK.
#Step 2:
Download Avenger (by Swandog46), T-cleaner and ComboFix again.
#Step 3:
Note: Do not use the SELECT ALL function to select the text (it does not work correctly under Firefox v2).
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following text (marked in green) into it:
@echo off
set lvyp=C:\vypt.txt
if exist %lvyp% del %lvyp%
cd\
echo ------------- VypAdr ------------- >> %lvyp%
dir /s /a /-p /o:gen "%windir%\temp" >> %lvyp%
echo. >> %lvyp%
start notepad %lvyp%
Choose File -> Save As... and set these parameters:
File name: type vypt.bat
Save as type: select All Files
Save the file to the desktop.
#Step 4:
Run Avenger under an administrator account.
- a message will appear; dismiss it with OK
Paste this whole script (marked in green) into it:
Drivers to delete:
grande48
Files to delete:
C:\Documents and Settings\LocalService\ftpdll.dll
C:\Documents and Settings\ucatchme.zip
C:\Documents and Settings\uživatel\ftpdll.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CM5FBI9T\rbfgg[1].htm
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\gnitsrqt.dll
C:\WINDOWS\system32\msdgjmlof.dll
C:\WINDOWS\system32\ritgrqt.dll
C:\SDFix\backups\backups.zip
C:\WINDOWS\system32\webdsnah.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\TEMP\kbddsipna.dll
C:\WINDOWS\TEMP\netdchnrk.nls
C:\WINDOWS\TEMP\vgaikqcmj.nls
C:\WINDOWS\TEMP\iasfgjahd.drv
C:\-2132409765
C:\WINDOWS\TEMP\ctlhmme.nls
C:\WINDOWS\TEMP\p2ptor.sys
C:\WINDOWS\system32\alt.exe.exe
C:\Program Files\antiviirus.exe
c:\program files\divx\divx pro codec\gain_trickler_3202.exe
C:\WINDOWS\TEMP\cabpii.sys
C:\WINDOWS\TEMP\kbdlk.nls
C:\WINDOWS\TEMP\webqoho.drv
Registry keys to delete:
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt
HKLM\software\microsoft\shared tools\msconfig\startupreg\antiviirus
HKLM\software\microsoft\shared tools\msconfig\startupreg\autoload
HKLM\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer
HKLM\software\microsoft\shared tools\msconfig\startupreg\iftcprom
HKLM\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl
HKLM\software\microsoft\shared tools\msconfig\startupreg\PromoReg
HKLM\software\microsoft\shared tools\msconfig\startupreg\retsfahg
HKLM\software\microsoft\shared tools\msconfig\startupreg\ntuser
HKLM\software\microsoft\shared tools\msconfig\startupreg\VVSN
Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | lhoend
HKLM\software\microsoft\windows\currentversion\policies\explorer\run | mshgm
- select the whole script and copy it to the clipboard
- then paste it into Avenger using this button

- the script will appear in the empty box under the heading: Input script here:
- then click the Execute button
You will be asked whether you want to run the script; choose Yes.
- after the first pass you will be asked to restart the computer; choose Yes again
After the PC restarts and Windows comes back up, a log will be shown; paste it here.
Note: Avenger will restart the machine twice.
#Step 5:
Run the Vypt.bat file you created; after a moment a log will be shown, so paste it here.
#Step 6:
Run ComboFix again and paste its log here.
#Step 7:
Go to Start -> Run... and type the following command (marked in blue) into the box:
regedit /e "C:\winLogv.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
and click OK.
- a file winLogv.txt will appear on drive C; paste its contents here. If it does not fit, zip it and send it to me as an attachment via PM.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
In your next post, paste these logs/results:
- the Avenger log
- the log from the Vypt.bat script
- the ComboFix log
- the winLogv.txt log
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PM messages with logs; post them in the forum. Such PMs cannot be answered.
Re: Please check my log
A PROBLEM HAS COME UP
I followed the instructions through step 4. After the restart, about 10 windows appeared on the desktop with the same message:
ERROR LOADING FILE C:\WINDOWS\TEMP\vgaikqcmj.nls
No program (exe) would start; it just threw another window with that error.
So I copied the file ''vgaikqcmj.nls'' from the C:\Avenger folder to C:\WINDOWS\TEMP\ so that I could start Firefox and report it here.
I'm waiting for advice, this is driving me crazy.
Oh, and after the restart no log appeared.
fredik (Security team member)
Re: Please check my log
Run Avenger again and choose:
File -> Open Log File; the log will open, so paste its contents here. Otherwise it is located in the file C:\avenger.txt.
Paste it here.
Also post the logs from steps 5 and 7.
Download Deckard's System Scanner (DSS) and save it to the desktop.
Go to Start -> Run... and type the following command (marked in blue) into the box: "%userprofile%\plocha\dss.exe" /config
- A window will open; in the Main Log section untick everything and leave ticked/tick only these two (leave the other sections as they are, see picture):
- Drivers
- Services
- File Associations
After a moment the main.txt log will appear; paste its contents here (otherwise you can find it at C:\Deckard\System Scanner\main.txt).
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PM messages with logs; post them in the forum. Such PMs cannot be answered.
Re: Please check my log
-------------------AVENGER LOG-----------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "grande48" deleted successfully.
File "C:\Documents and Settings\LocalService\ftpdll.dll" deleted successfully.
File "C:\Documents and Settings\ucatchme.zip" deleted successfully.
File "C:\Documents and Settings\uživatel\ftpdll.dll" deleted successfully.
File "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CM5FBI9T\rbfgg[1].htm" deleted successfully.
File "C:\WINDOWS\system32\ftpdll.dll" deleted successfully.
File "C:\WINDOWS\system32\gnitsrqt.dll" deleted successfully.
File "C:\WINDOWS\system32\msdgjmlof.dll" deleted successfully.
File "C:\WINDOWS\system32\ritgrqt.dll" deleted successfully.
Error: could not open file "C:\SDFix\backups\backups.zip"
Deletion of file "C:\SDFix\backups\backups.zip" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
File "C:\WINDOWS\system32\webdsnah.sys" deleted successfully.
Error: file "C:\WINDOWS\system32\drivers\grande48.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\grande48.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\TEMP\kbddsipna.dll" deleted successfully.
File "C:\WINDOWS\TEMP\netdchnrk.nls" deleted successfully.
File "C:\WINDOWS\TEMP\vgaikqcmj.nls" deleted successfully.
Error: file "C:\WINDOWS\TEMP\iasfgjahd.drv" not found!
Deletion of file "C:\WINDOWS\TEMP\iasfgjahd.drv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\-2132409765" deleted successfully.
Error: file "C:\WINDOWS\TEMP\ctlhmme.nls" not found!
Deletion of file "C:\WINDOWS\TEMP\ctlhmme.nls" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\TEMP\p2ptor.sys" not found!
Deletion of file "C:\WINDOWS\TEMP\p2ptor.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\alt.exe.exe" not found!
Deletion of file "C:\WINDOWS\system32\alt.exe.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\Program Files\antiviirus.exe" not found!
Deletion of file "C:\Program Files\antiviirus.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: could not open file "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
Deletion of file "c:\program files\divx\divx pro codec\gain_trickler_3202.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist
Error: file "C:\WINDOWS\TEMP\cabpii.sys" not found!
Deletion of file "C:\WINDOWS\TEMP\cabpii.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\TEMP\kbdlk.nls" not found!
Deletion of file "C:\WINDOWS\TEMP\kbdlk.nls" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\TEMP\webqoho.drv" not found!
Deletion of file "C:\WINDOWS\TEMP\webqoho.drv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\antiviirus" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\autoload" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\iftcprom" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\PromoReg" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\retsfahg" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\ntuser" deleted successfully.
Registry key "HKLM\software\microsoft\shared tools\msconfig\startupreg\VVSN" deleted successfully.
Error: could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lhoend"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lhoend" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry value "HKLM\software\microsoft\windows\currentversion\policies\explorer\run|mshgm" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Re: Please check my log
----------VYPT.BAT LOG--------------
------------- VypAdr -------------
Svazek v jednotce C je C.
Sériové číslo svazku je 80E6-025B.
Výpis adresáře C:\WINDOWS\temp
24.03.2008 20:29 <DIR> .
24.03.2008 20:29 <DIR> ..
17.08.2004 14:49 114 688 connnog.dll
17.08.2004 14:49 114 688 vgaikqcmj.nls
17.08.2004 14:49 114 688 timeqaeen.sys
23.03.2008 11:11 0 3589f25c39d9a28be99269f7554ab39d.tmp
4 souborů, 344 064 bajtů
Počet souborů v seznamu:
4 souborů, 344 064 bajtů
Adresářů: 2, Volných bajtů: 5 765 988 352
Re: Please check my log
---------LOG FROM STEP 7-------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="A7FK390P9A24MG4"
"DefaultUserName"="uživatel"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"="logonui.exe"
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="uživatel"
"AltDefaultDomainName"="A7FK390P9A24MG4"
"AutoAdminLogon"="0"
"SFCDisable"=dword:00000000
"SFCScan"=dword:00000000
"SFCShowProgress"=dword:00000000
"EnableQuickReboot"="1"
"DisableCAD"=dword:00000001
"AutoRestartShell"=dword:00000001
"PowerdownAfterShutdown"="1"
"KeepRasConnections"=dword:00000001
"taskman"="rundll32.exe \"C:\\WINDOWS\\system32\\msvcmbcpq.drv\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Bezdrátové"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoGPOListChanges"=dword:00000001
"NoUserPolicy"=dword:00000001
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Disková kvóta Microsoft"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="Plánovač paketů technologie QoS"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Skripty"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Mapování zón aplikace Internet Explorer"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
@="Značka aplikace Internet Explorer"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Instalace softwaru"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,29,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="Zabezpečení protokolu IP"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
"Impersonate"=dword:00000000
"Logoff"="LogOut"
"DllName"="C:\\PROGRA~1\\WindowBlinds\\wbsrv.dll"
"LogOn"="StartSys"
"Unlock"="Sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
Re: Please check my log
Deckard's System Scanner v20071014.68
Run by uživatel on 2008-03-24 20:36:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
System Drive C: has 5.34 GiB (less than 15%) free.
-- File Associations -----------------------------------------------------------
.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.exe - exefile - shell\open\command - rundll32.exe "C:\WINDOWS\TEMP\vgaikqcmj.nls" WLEntry %1 %*
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys
S3 adusbmdm6501 (AnyDATA CDMA USB Modem Driver (PID 6501)) - c:\windows\system32\drivers\adusbmdm65.sys <Not Verified; AnyDATA Corporation; AnyDATA CDMA USB Modem/Serial Device Driver>
S3 adusbser6501 (AnyDATA CDMA USB Serial Port (PID 6501)) - c:\windows\system32\drivers\adusbser65.sys <Not Verified; AnyDATA Corporation; AnyDATA CDMA USB Modem/Serial Device Driver>
S3 catchme - c:\docume~1\uivate~1\locals~1\temp\catchme.sys (file missing)
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MSICPL - d:\install4\msicpl.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 pgfilter - c:\program files\peerguardian2\pgfilter.sys
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)
S3 usb2vcom (USB Data Cable) - c:\windows\system32\drivers\usb2vcom.sys <Not Verified; USB World; USB Data Cable>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 IviRegMgr - c:\program files\common files\intervideo\regmgr\iviregmgr.exe
R2 LicCtrlService (LicCtrl Service) - rundll32.exe c:\windows\mmfs.dll,service
S4 NOD32krn (NOD32 Kernel Service) - "c:\program files\nod32\nod32krn.exe" (file missing)
-- End of Deckard's System Scanner: finished at 2008-03-24 20:37:57 ------------
fredik (Security team member, Master Level 7, posts: 4680, registered: July 06)
Re: Please check my log
Go to Start -> Run... and type this command (marked in blue) into the box:
"%userprofile%\plocha\dss.exe" /daft
A window will open; click the Scan button.
- wait for the scan to finish
- these items will appear in the window, listed in red:
.bat
.exe
.ini
.txt
tick the boxes in front of them and click the Fix button.
Then run Scan again and, once it finishes, click the Save Log button.
- save the log to disk and paste it here.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Go to Start -> Run... and type this command: regedit, then press OK.
The Registry Editor will open.
- click on My Computer to select it (see the picture)
Then go to File -> Export... and set these parameters:
File name: type: zalreg
Save as type: select: Registration Files (*.reg)
Save the file to drive C
- wait for the backup to finish
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Use Avenger again in the same way, but this time paste in this script.
Files to delete:
C:\WINDOWS\temp\connnog.dll
C:\WINDOWS\temp\vgaikqcmj.nls
C:\WINDOWS\temp\timeqaeen.sys
C:\WINDOWS\temp\3589f25c39d9a28be99269f7554ab39d.tmp
C:\WINDOWS\\system32\msvcmbcpq.drv
Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | taskman
Then paste its log here.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
If you have already re-downloaded ComboFix, delete it and download it again. Run it and then post the new log from it here.
Also post a new log from Kaspersky here.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
So then post these logs here.
- a new listing from Vypt.bat
- the Avenger log
- the ComboFix log
- the Kaspersky log
- the DAFT log
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. Such PMs cannot be answered.
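The registry export and the DAFT/Avenger procedure above show one persistence pattern: a rundll32 loader pointed at a payload with a non-DLL extension (.sys, .nls, .drv) in TEMP or system32, hooked into Winlogon\taskman, into disabled-startup entries under MSConfig\startupreg, and into the exefile open command so that every .exe launch passes through it. The script below is an added example written for this page; it is not part of the thread or of any tool mentioned in it (DSS, Avenger, ComboFix). It parses Regedit 5.00 export text, flags those patterns, and emits a repair .reg fragment that also restores the exefile association: deleting only the loader file leaves exefile pointing at a missing module, and then nothing with an .exe extension starts. The sample export is constructed from value shapes that appear in the posted logs, multi-line hex(2) values are skipped, and the HKEY_CLASSES_ROOT\exefile path is assumed from the DAFT line rather than taken from the export.

```python
import ntpath
import re

# Constructed sample in Regedit 5.00 export syntax, assembled from value shapes seen in the
# thread's logs (not the full export). The exefile key path is assumed from the DAFT line
# ".exe - exefile - shell\open\command"; VmApplet is a legitimate rundll32 use kept as a control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"taskman"="rundll32.exe \"C:\\WINDOWS\\system32\\msvcmbcpq.drv\" WLEntryPoint"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iftcprom]
"item"="p2ptor"
"command"="rundll32.exe \"C:\\WINDOWS\\TEMP\\p2ptor.sys\" WLEntryPoint"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="rundll32.exe \"C:\\WINDOWS\\TEMP\\vgaikqcmj.nls\" WLEntry %1 %*"
'''

REG_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
REG_VALUE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)="(?P<data>.*)"\s*$')   # REG_SZ lines only
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))', re.IGNORECASE)

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
STARTUPREG = r'hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg'
EXEFILE_CMD = r'hkey_classes_root\exefile\shell\open\command'
TEMP_DIRS = ('\\windows\\temp\\', '\\local settings\\temp\\')


def reg_unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ line; '@' names the key's default value."""
    key = None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            key = m.group('key')
            continue
        m = REG_VALUE.match(line)
        if m and key is not None:
            yield key, m.group('name') or '@', reg_unescape(m.group('data'))


def rundll_module(cmd):
    """Module rundll32 would load, or None if the command is not a rundll32 invocation."""
    m = RUNDLL.search(cmd)
    return (m.group('q') or m.group('u')) if m else None


def check_command(cmd):
    """Reasons a command line looks like a rundll32 loader hijack (empty list = looks normal)."""
    mod = rundll_module(cmd)
    if mod is None:
        return []
    low = mod.lower()
    # rundll32 appends .dll when no extension is given, so a bare name counts as a DLL.
    ext = ntpath.splitext(ntpath.basename(low))[1] or '.dll'
    reasons = []
    if ext != '.dll':
        reasons.append(f'rundll32 loads a module with a non-DLL extension ({ext})')
    if any(t in low for t in TEMP_DIRS):
        reasons.append('module lives in a temp directory')
    return reasons


def scan_reg(text):
    """Flag Winlogon, MSConfig startupreg and exefile entries that carry the loader pattern."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        reasons = check_command(data)
        if k == WINLOGON:
            if n == 'taskman':
                reasons.append('Winlogon\\taskman is absent on a default install; it replaces Task Manager')
            elif n == 'shell' and d != 'explorer.exe':
                reasons.append('Winlogon\\Shell is not Explorer.exe')
            elif n == 'userinit' and not d.endswith(r'\system32\userinit.exe,'):
                reasons.append('Winlogon\\Userinit does not point at system32\\userinit.exe')
        if k == EXEFILE_CMD and n == '@' and d != '"%1" %*':
            reasons.append('exefile open command is not "%1" %*; every .exe launch runs the hijack')
        if reasons:
            findings.append({'key': key, 'value': name, 'data': data, 'reasons': reasons})
    return findings


def repair_reg(findings):
    """Build a .reg fragment that restores exefile, deletes Winlogon\\taskman ("=-" deletes a value)
    and removes flagged startupreg subkeys ("[-key]" deletes a key). Run together with deleting
    the loader files, otherwise exefile keeps pointing at a module that no longer exists."""
    lines, seen = ['Windows Registry Editor Version 5.00', ''], set()
    for f in findings:
        k, n = f['key'].lower(), f['value'].lower()
        if k == EXEFILE_CMD:
            block = (f"[{f['key']}]", '@="\\"%1\\" %*"')
        elif k == WINLOGON and n == 'taskman':
            block = (f"[{f['key']}]", '"taskman"=-')
        elif k.startswith(STARTUPREG + '\\'):
            block = (f"[-{f['key']}]",)
        else:
            continue
        if block not in seen:
            seen.add(block)
            lines += [*block, '']
    return '\n'.join(lines)


if __name__ == '__main__':
    hits = scan_reg(SAMPLE_REG)
    for f in hits:
        print(f"{f['key']} -> {f['value']}: {f['data']}")
        for r in f['reasons']:
            print('    ', r)
    print(repair_reg(hits))
```

Feed it a real export (`regedit /e out.reg HKEY_LOCAL_MACHINE\...`) and it will also report Shell/Userinit tampering; the MSConfig startupreg keys are only the disabled-startup backups, so removing them clears the item from msconfig without touching the live Run keys.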
Re: Please check my log
DAFT Log saved on 2008-03-25 18:36:04
-----------------------------------------------------------------------
.exe - exefile - shell\open\command - rundll32.exe "C:\WINDOWS\TEMP\vgaikqcmj.nls" WLEntry %1 %*
-----------------------------------------------------------------------
.exe - exefile - shell\open\command - rundll32.exe "C:\WINDOWS\TEMP\vgaikqcmj.nls" WLEntry %1 %*
Re: Please check my log
THE SAME PROBLEM AGAIN WITH THE FILE vgaikqcmj.nls, so I had to copy it back again.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\temp\connnog.dll" deleted successfully.
File "C:\WINDOWS\temp\vgaikqcmj.nls" deleted successfully.
File "C:\WINDOWS\temp\timeqaeen.sys" deleted successfully.
File "C:\WINDOWS\temp\3589f25c39d9a28be99269f7554ab39d.tmp" deleted successfully.
File "C:\WINDOWS\\system32\msvcmbcpq.drv" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|taskman" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.