Kontrolu prosím

[Kocik]

Logfile of HijackThis v1.99.1
Scan saved at 15:24:35, on 26.1.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\rsy32.exe
C:\WINDOWS\System32\mlsdf8h2100869.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Lucie\Plocha\Kerio.exe
C:\WINDOWS\System32\MSIEXEC.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Documents and Settings\Lucie\Dokumenty\ICQ Lite\250618245\DEATHBLACK_283499489\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://seznam.cz/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\btkbhqto.dll",setvm
O4 - HKLM\..\Run: [95BE8744] C:\WINDOWS\System32\mlsdf8h2100869.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6039D4E8-C99D-4D45-A33B-94A62F1B087F}: NameServer = 80.87.176.1 80.87.178.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{F431961A-3122-4A10-BC44-7DF1353B0B09}: NameServer = 195.113.44.11,195.113.0.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Print Spooler Service (ou1jdkcmufemy) - Unknown owner - C:\WINDOWS\System32\rsy32.exe

[Reklama]

[Kocik]

jěště mi to háže hlášku že to nemůže najít btkbhqto.dll rundll

[fredik]

Ukonči v TaskManageru (zmáčkni zároveň klávesy ctrl+alt+delete) otevře se ti okno a v něm se přepni na záložku Procesy a v ní ukonči:
rsy32.exe
mlsdf8h2100869.exe

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\btkbhqto.dll",setvm
O4 - HKLM\..\Run: [95BE8744] C:\WINDOWS\System32\mlsdf8h2100869.exe
po zaškrtnutí klikni na tlačítko Fix Checked


Otestuj co jsi měl udělat už minule na VirusTotall a dej sem výsledky + nový log z HJT. (pro lepší nalezení si zapni zobrazení systémových a skrytých souborů)
C:\WINDOWS\System32\rsy32.exe
C:\WINDOWS\System32\btkbhqto.dll
C:\WINDOWS\system32\mlsdf8h2100869.exe

[Kocik]

omplete scanning result of "rsy32.exe_", received in VirusTotal at 01.26.2007, 16:07:02 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.26.2007 TR/Agent.ABL.1
Authentium 4.93.8 01.26.2007 no virus found
Avast 4.7.936.0 01.26.2007 no virus found
AVG 386 01.26.2007 BackDoor.Generic4.IVU
BitDefender 7.2 01.26.2007 Trojan.Agent.ABL
CAT-QuickHeal 9.00 01.26.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.26.2007 no virus found
DrWeb 4.33 01.26.2007 Trojan.Spambot
eSafe 7.0.14.0 01.26.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.124 01.26.2007 no virus found
eTrust-Vet 30.3.3352 01.26.2007 no virus found
Ewido 4.0 01.26.2007 Trojan.Agent.abl
Fortinet 2.85.0.0 01.26.2007 suspicious
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.26.2007 Trojan.Agent.ABL
Kaspersky 4.0.2.24 01.26.2007 no virus found
McAfee 4949 01.26.2007 BackDoor-DIZ
Microsoft 1.2101 01.26.2007 no virus found
NOD32v2 2009 01.26.2007 Win32/HacDef.NAJ
Norman 5.80.02 01.26.2007 no virus found
Panda 9.0.0.4 01.26.2007 Bck/HacDef.FX
Prevx1 V2 01.26.2007 Dropper.Payload
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 Trojan.Agent.ABL
TheHacker 6.0.3.158 01.26.2007 no virus found
UNA 1.83 01.26.2007 no virus found
VBA32 3.11.2 01.26.2007 no virus found
VirusBuster 4.3.19:9 01.26.2007 no virus found

Aditional Information
File size: 54272 bytes
MD5: 75e23b3cf06d3423dfd76ba57080bf0b
SHA1: ee06cb57f5802fcf2d38acfda81826aed1dbe0bc
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=50c157451698

[Kocik]

Complete scanning result of "btkbhqto.dll_", received in VirusTotal at 01.26.2007, 16:19:10 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.26.2007 no virus found
Authentium 4.93.8 01.26.2007 no virus found
Avast 4.7.936.0 01.26.2007 no virus found
AVG 386 01.26.2007 no virus found
BitDefender 7.2 01.26.2007 no virus found
CAT-QuickHeal 9.00 01.26.2007 no virus found
ClamAV devel-20060426 01.26.2007 no virus found
DrWeb 4.33 01.26.2007 no virus found
eSafe 7.0.14.0 01.26.2007 no virus found
eTrust-InoculateIT 23.73.124 01.26.2007 no virus found
eTrust-Vet 30.3.3352 01.26.2007 no virus found
Ewido 4.0 01.26.2007 no virus found
Fortinet 2.85.0.0 01.26.2007 no virus found
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.26.2007 no virus found
Kaspersky 4.0.2.24 01.26.2007 no virus found
McAfee 4949 01.26.2007 no virus found
Microsoft 1.2101 01.26.2007 no virus found
NOD32v2 2009 01.26.2007 no virus found
Norman 5.80.02 01.26.2007 no virus found
Panda 9.0.0.4 01.26.2007 no virus found
Prevx1 V2 01.26.2007 no virus found
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 no virus found
TheHacker 6.0.3.158 01.26.2007 no virus found
UNA 1.83 01.26.2007 no virus found
VBA32 3.11.2 01.26.2007 no virus found
VirusBuster 4.3.19:9 01.26.2007 no virus found

Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

[fredik]

Tuto službu zastav: měla by se jmenovat Print Spooler Service (ou1jdkcmufemy) možná to bude bez té závorky.

O23 - Service: Print Spooler Service (ou1jdkcmufemy) - Unknown owner - C:\WINDOWS\System32\rsy32.exe

Start -> Spustit - > napiš services.msc a dej OK. Otevře se ti okno Služby. V ní ji najdi a ve vlastnostech nastavte typ spouštění na zakázáno.

Pak tento soubor označený červeně najdi a smaž:
C:\WINDOWS\System32\rsy32.exe

[Kocik]

VirusTotal
VirusTotal is a free file analisys service that works using several antivirus engines.


Select file :

Distribute
SSL


Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.
Menu:

* News Hot news in the virus/antivirus sector.
* Estadisticas Statistics of VirusTotal procesing.
* Virustotal More info about Virustotal.

STATUS: FINISHED
Complete scanning result of "mlsdf8h2100869.exe", received in VirusTotal at 01.26.2007, 16:23:03 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.32 01.26.2007 HEUR/Crypted
Authentium 4.93.8 01.26.2007 no virus found
Avast 4.7.936.0 01.26.2007 no virus found
AVG 386 01.26.2007 no virus found
BitDefender 7.2 01.26.2007 no virus found
CAT-QuickHeal 9.00 01.26.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.26.2007 Trojan.Spambot-23
DrWeb 4.33 01.26.2007 Trojan.Spambot
eSafe 7.0.14.0 01.26.2007 no virus found
eTrust-InoculateIT 23.73.124 01.26.2007 no virus found
eTrust-Vet 30.3.3352 01.26.2007 no virus found
Ewido 4.0 01.26.2007 no virus found
Fortinet 2.85.0.0 01.26.2007 suspicious
F-Prot 4.2.1.29 01.25.2007 no virus found
Ikarus T3.1.0.27 01.26.2007 no virus found
Kaspersky 4.0.2.24 01.26.2007 no virus found
McAfee 4949 01.26.2007 no virus found
Microsoft 1.2101 01.26.2007 no virus found
NOD32v2 2009 01.26.2007 no virus found
Norman 5.80.02 01.26.2007 no virus found
Panda 9.0.0.4 01.26.2007 Bck/Agent.DJR
Prevx1 V2 01.26.2007 Win32.Malware.gen
Sophos 4.13.0 01.24.2007 no virus found
Sunbelt 2.2.907.0 01.26.2007 VIPRE.Suspicious
TheHacker 6.0.3.158 01.26.2007 no virus found
UNA 1.83 01.26.2007 no virus found
VBA32 3.11.2 01.26.2007 no virus found
VirusBuster 4.3.19:9 01.26.2007 no virus found

Aditional Information
File size: 70656 bytes
MD5: 87042a5eda002bbbfb28318d2f8811a1
SHA1: a6e15994c7742a803aa6526d64607593e7cac421
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=604760988439
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

[Kocik]

Logfile of HijackThis v1.99.1
Scan saved at 16:26:52, on 26.1.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lucie\Dokumenty\ICQ Lite\250618245\DEATHBLACK_283499489\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://seznam.cz/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\btkbhqto.dll",setvm
O4 - HKLM\..\Run: [F36BAEAC] C:\WINDOWS\System32\mlsdf8h2100869.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{48F1873C-3128-4C4A-A686-C9FE6F92AFC8}: NameServer = 80.87.176.1 80.87.178.44
O17 - HKLM\System\CCS\Services\Tcpip\..\{F431961A-3122-4A10-BC44-7DF1353B0B09}: NameServer = 195.113.44.11,195.113.0.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

[Kocik]

Print Spooler Service (ou1jdkcmufemy)

[fredik]

Ještě fixni v HJT toto:
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\btkbhqto.dll",setvm
O4 - HKLM\..\Run: [F36BAEAC] C:\WINDOWS\System32\mlsdf8h2100869.exe

Pak smaž tento soubor:
C:\WINDOWS\System32\mlsdf8h2100869.exe

Stáhni si Killbox
do volného řádku zkopíruj tento tučně označený text:
C:\WINDOWS\System32\btkbhqto.dll

a zaškrtne Delete on Reboot a Unregister .dll Before Deleting
pak stiskni bílý křížek v červeném kolečku. PC bude chtít restart tak to povol.

Projeď ještě pc tímto Mwav

Pak pošli nový log z HJT.

//V logu už ta služba vidět není jmenovala se jen: Print Spooler Service nebo byl i v názvu ta závorka (ou1jdkcmufemy)

[Kocik]

pendingfilerenameoperations registry data has been removed by external process jo a kdyz jsme pustil mvaw tak to se sekne v registrech a nci to nedela 10 min :(

[fredik]

U toho Mwav zkus zatrhnou položku Scan Only a pak klikni na tlačítko Scan pak postupuj podle návodu.

Zkus tedy toto:
Stáhněte si a spusťte pod účtem administrátora Avenger - http://swandog46.geekstogo.com/avenger.exe
- Zvolte možnost Input script manually a klikni na ikonu lupy
- Do nového prázdného okna zkopírujte celý tento text označený červeně:

Files to delete:
C:\WINDOWS\System32\btkbhqto.dll

Poté klikněte na Done
Klikněte na ikonu semaforu ke spuštění programu, nakonec klikněte na OK a tvůj počítač se restartuje.