Michal Kudlak - prosim o kontrolu logu

[Michal Kudlak]

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZNfox000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lpkadvp.dll e1.dll wmnencxp.dll pmspwups.dll sisbduse.dll onksd.dll statex.dll oservmz101.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ksdmgr - C:\WINDOWS\SYSTEM32\ksdmgr32.dll
O20 - Winlogon Notify: pgptmsau - C:\WINDOWS\system32\pgptmsau.dll
O20 - Winlogon Notify: quarwups - C:\WINDOWS\system32\quarwups.dll
O20 - Winlogon Notify: vbscsysi - C:\WINDOWS\system32\vbscsysi.dll
O20 - Winlogon Notify: winnatkc - C:\WINDOWS\system32\winnatkc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[Reklama]

[fredik]

Vítej na fóru

Stáhni si Avengera spusť ho pod účtem administrátora.
- Zvol možnost Load script from internet URL:
- Do řádku pod ním zkopírujte následující adresu označenou modře
http://ne-e.eu/stration/script.txt
- Pak klikni na ikonku semafory.
- Vyskočí ti hláška kde odklikni Yes. PC se restartuje.

Dej sem pak nový log z HJT včetně hlavičky.

PS: příště si založ prosím tě vlastní téma, i kdyby jsi měl stejný problém jako se řeší v daném tématu.

[Michal Kudlak]

OK, moc díky

[Michal Kudlak]

Prosím o kontrolu logu po pouziti avengeru


Logfile of HijackThis v1.99.1
Scan saved at 17:24:22, on 16. 11. 2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\freeCommander2005\freeCommander.exe
D:\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZNfox000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lpkadvp.dll e1.dll wmnencxp.dll pmspwups.dll sisbduse.dll onksd.dll statex.dll oservmz101.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ksdmgr - C:\WINDOWS\SYSTEM32\ksdmgr32.dll
O20 - Winlogon Notify: pgptmsau - C:\WINDOWS\system32\pgptmsau.dll
O20 - Winlogon Notify: quarwups - C:\WINDOWS\system32\quarwups.dll
O20 - Winlogon Notify: vbscsysi - C:\WINDOWS\system32\vbscsysi.dll
O20 - Winlogon Notify: winnatkc - C:\WINDOWS\system32\winnatkc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[fredik]

Odinstaluj přes Přidat nebo odebrat programy:
MyWebSearch

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/t.....p=ZNfox000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
po zaškrtnutí klikni na tlačítko Fix Checked

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Spusť znovu Avenger a udělej co je zde napsáno:
Zvol možnost - Input script manually a klikni na ikonku lupy vyskočí prázdné okno kam zkopíruj tento tučný text:
Files to delete:
%windir%\system32\lpkadvp.dll
%windir%\system32\e1.dll
%windir%\system32\wmnencxp.dll
%windir%\system32\pmspwups.dll
%windir%\system32\sisbduse.dll
%windir%\system32\onksd.dll
%windir%\system32\statex.dll
%windir%\system32\oservmz101.dll
%windir%\system32\ksdmgr32.dll
%windir%\system32\pgptmsau.dll
%windir%\system32\quarwups.dll
%windir%\system32\vbscsysi.dll
%windir%\system32\winnatkc.dll

Folders to delete:
C:\Program Files\MyWebSearch

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {07B18EA9-A523-4961-B6BB-170DE4475CCA}

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ksdmgr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgptmsau
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\quarwups
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vbscsysi
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnatkc

Poté klikni na Done.
Pak klikni na ikonku semafory.
Vyskočí ti hláška kde odklikni Yes. PC se restartuje po restartu by ti měl "vyskočit" výpis z Avengeru tak ho sem zkopíruj.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Projeď Pc a vlož sem log jak je popsáno v návodu: Mwav

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Poznámka:
Používáš starší verzi HijackThis, stáhni si aktuální verzi zde a tu starou před použitím vymaž a dej sem z ní nový log.

V následujícím příspěvku sem vlož tyto logy:
- log z Avengeru
- log z Mwav
- nový log z HJT

[Michal Kudlak]

Takže jsem provedl doporučené.
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\puhobcdr

*******************

Script file located at: \??\C:\WINDOWS\keppmhci.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lpkadvp.dll deleted successfully.
File C:\WINDOWS\system32\e1.dll deleted successfully.
File C:\WINDOWS\system32\wmnencxp.dll deleted successfully.
File C:\WINDOWS\system32\pmspwups.dll deleted successfully.
File C:\WINDOWS\system32\sisbduse.dll deleted successfully.
File C:\WINDOWS\system32\onksd.dll deleted successfully.
File C:\WINDOWS\system32\statex.dll deleted successfully.
File C:\WINDOWS\system32\oservmz101.dll deleted successfully.
File C:\WINDOWS\system32\ksdmgr32.dll deleted successfully.
File C:\WINDOWS\system32\pgptmsau.dll deleted successfully.
File C:\WINDOWS\system32\quarwups.dll deleted successfully.
File C:\WINDOWS\system32\vbscsysi.dll deleted successfully.
File C:\WINDOWS\system32\winnatkc.dll deleted successfully.
Folder C:\Program Files\MyWebSearch deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Could not delete registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{07B18EA9-A523-4961-B6BB-170DE4475CCA}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{07B18EA9-A523-4961-B6BB-170DE4475CCA} failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D} failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ksdmgr deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgptmsau deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\quarwups deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vbscsysi deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnatkc deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:25:20, on 19. 11. 2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\pgptmsau.exe
C:\WINDOWS\System32\quarwups.exe
C:\WINDOWS\System32\vbscsysi.exe
C:\WINDOWS\System32\winnatkc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\freeCommander2005\freeCommander.exe
E:\Záchrana\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1957994488-448539723-1801674531-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Barunka79')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... p=ZNfox000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lpkadvp.dll e1.dll wmnencxp.dll pmspwups.dll sisbduse.dll onksd.dll statex.dll oservmz101.dll
O20 - Winlogon Notify: ksdmgr - C:\WINDOWS\SYSTEM32\ksdmgr32.dll
O20 - Winlogon Notify: pgptmsau - C:\WINDOWS\system32\pgptmsau.dll
O20 - Winlogon Notify: quarwups - C:\WINDOWS\system32\quarwups.dll
O20 - Winlogon Notify: vbscsysi - C:\WINDOWS\system32\vbscsysi.dll
O20 - Winlogon Notify: winnatkc - C:\WINDOWS\system32\winnatkc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5205 bytes
MWAV:
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:36 2007 => System found infected with funwebproducts Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: Nic nebylo provedeno.
Mon Nov 19 14:46:39 2007 => Offending Key found: HKLM\Software\focusinteractive !!!
Mon Nov 19 14:46:39 2007 => Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:39 2007 => Offending Key found: HKLM\Software\fun web products !!!
Mon Nov 19 14:46:39 2007 => Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:39 2007 => Offending Key found: HKLM\Software\mywebsearch !!!
Mon Nov 19 14:46:39 2007 => Objekt "mwsoemon Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:39 2007 => Offending Key found: HKCU\Software\mywebsearch !!!
Mon Nov 19 14:46:39 2007 => Objekt "mwsoemon Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:42 2007 => Offending Folder found: C:\Program Files\funwebproducts
Mon Nov 19 14:46:42 2007 => Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:43 2007 => Offending file found: C:\Documents and Settings\Hanka\Plocha\internet.lnk
Mon Nov 19 14:46:43 2007 => System found infected with ezula Spyware/Adware (internet.lnk)! Action taken: Nic nebylo provedeno.

Mon Nov 19 14:46:55 2007 => Soubor C:\WINDOWS\chat1302.exe//PE_Patch.UPX//UPX je infikovaný virem Email-Worm.Win32.Warezov.ra !! Provedené akce: Nic nebylo provedeno.
Mon Nov 19 14:46:57 2007 => Soubor C:\WINDOWS\redstk.exe je infikovaný virem Email-Worm.Win32.Warezov.pk !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:58 2007 => Soubor C:\WINDOWS\skt68.exe//PE_Patch.UPX//UPX indentifikován jako "IM-Worm.Win32.Agent.ae". Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:58 2007 => Testování souboru C:\WINDOWS\skt70.exe
Mon Nov 19 14:46:58 2007 => Testování souboru C:\WINDOWS\stk70.exe
Mon Nov 19 14:46:58 2007 => Soubor C:\WINDOWS\stk70.exe//PE_Patch.UPX//UPX indentifikován jako "IM-Worm.Win32.Agent.ae". Provedené akce: Nic nebylo provedeno.
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\2i1R4.dll je infikovaný virem Email-Worm.Win32.Warezov.su !! Provedené akce: Nic nebylo provedeno.Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\2i1R4.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\2i1R4.dll je infikovaný virem Email-Worm.Win32.Warezov.su !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\3H3736ku.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\3H3736ku.dll je infikovaný virem Email-Worm.Win32.Warezov.sw !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\57D4tsu6.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\57D4tsu6.dll je infikovaný virem Email-Worm.Win32.Warezov.sw !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\65e424n.dll
Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\65w134oi.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\65w134oi.dll je infikovaný virem Email-Worm.Win32.Warezov.sw !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\6akF1c.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\6akF1c.dll je infikovaný virem Email-Worm.Win32.Warezov.sw !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\6to4svc.dll
Mon Nov 19 14:46:59 2007 => Testování souboru C:\WINDOWS\system32\7l5ef.dll
Mon Nov 19 14:46:59 2007 => Soubor C:\WINDOWS\system32\7l5ef.dll je infikovaný virem Email-Worm.Win32.Warezov.sw !! Provedené akce: Nic nebylo provedeno.

Mon Nov 19 15:24:26 2007 => ***** Kontrola pro specifické ITW viry *****
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Welchia ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru LovGate ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru CodeRed ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru OpaServ ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Sobig.e ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Winupie ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Swen ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru JS.Fortnight ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Novarg ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Pagabot ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Parite.b ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Parite.a ...
Mon Nov 19 15:24:26 2007 => Kontrola na přítomnost viru Adware.SeekSeek ...

Mon Nov 19 15:24:26 2007 => ***** Test dokončen, kontrolu proveďte na http://www.viry.cz. *****

Mon Nov 19 15:24:26 2007 => Testovaných objektů: 90615
Mon Nov 19 15:24:26 2007 => Kritických objektů: 967
Mon Nov 19 15:24:26 2007 => Celkem vyléčených objektů: 0
Mon Nov 19 15:24:26 2007 => Celkem přejmenováno: 0
Mon Nov 19 15:24:26 2007 => Smazaných objektů: 0
Mon Nov 19 15:24:26 2007 => Celkem chyb: 1
Mon Nov 19 15:24:26 2007 => Uplynulý čas: 00:38:03
Mon Nov 19 15:24:26 2007 => Datum vydání databáze: 11/12/2007
Mon Nov 19 15:24:26 2007 => Verze virové databáze: 456801

Mon Nov 19 15:24:26 2007 => Test je dokončen, kontrolu lze provést na http://www.viry.cz.

[fredik]

Fixni v HJT tyto položky:
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/t.....p=ZNfox000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O20 - AppInit_DLLs: lpkadvp.dll e1.dll wmnencxp.dll pmspwups.dll sisbduse.dll onksd.dll statex.dll oservmz101.dll
O20 - Winlogon Notify: ksdmgr - C:\WINDOWS\SYSTEM32\ksdmgr32.dll
O20 - Winlogon Notify: pgptmsau - C:\WINDOWS\system32\pgptmsau.dll
O20 - Winlogon Notify: quarwups - C:\WINDOWS\system32\quarwups.dll
O20 - Winlogon Notify: vbscsysi - C:\WINDOWS\system32\vbscsysi.dll
O20 - Winlogon Notify: winnatkc - C:\WINDOWS\system32\winnatkc.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Pro lepší zabezpečení by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedený nebo některý jiný z odkazu: Přehled osobních firewallů
Firewally zdarma:
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině, čeština by měla být asi až od verze 3 která by se měl objevit v brzké době
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Použij znovu avenger s tímto skriptem:
Files to delete:
%windir%\system32\lpkadvp.dll
%windir%\system32\e1.dll
%windir%\system32\wmnencxp.dll
%windir%\system32\pmspwups.dll
%windir%\system32\sisbduse.dll
%windir%\system32\onksd.dll
%windir%\system32\statex.dll
%windir%\system32\oservmz101.dll
%windir%\system32\ksdmgr32.dll
%windir%\system32\pgptmsau.dll
%windir%\system32\quarwups.dll
%windir%\system32\vbscsysi.dll
%windir%\system32\winnatkc.dll
%windir%\system32\pgptmsau.exe
%windir%\system32\quarwups.exe
%windir%\system32\vbscsysi.exe
%windir%\system32\winnatkc.exe
%windir%\chat1302.exe
%windir%\redstk.exe
%windir%\system32\2i1R4.dll
%windir%\system32\3H3736ku.dll
%windir%\system32\57D4tsu6.dll
%windir%\system32\65w134oi.dll
%windir%\system32\6akF1c.dll
%windir%\system32\7l5ef.dll

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ksdmgr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgptmsau
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\quarwups
H[/u]KLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vbscsysi
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnatkc

Vlož sem výpis z Avengeru + dej sem nový log z HJT + udělej nový log z Mwav a dej sem obsah spodního okna Informace o nalezených hrozbách jak je napsáno v návodu, ale vynech tam řádky kde bude napsáno (odkazuje na neplatný objekt)

[Michal Kudlak]

Zdravím, po delší době jsem opět u tohoto zahnojeného PC(dělám to pro kamarádku) a posílám ke kontrole logy.Díky za ochotu a pomoc.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wqhhhxyi

*******************

Script file located at: \??\C:\Documents and Settings\fqggeyxt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\lpkadvp.dll not found!
Deletion of file C:\WINDOWS\system32\lpkadvp.dll failed!

Could not process line:
C:\WINDOWS\system32\lpkadvp.dll
Status: 0xc0000034



File C:\WINDOWS\system32\e1.dll not found!
Deletion of file C:\WINDOWS\system32\e1.dll failed!

Could not process line:
C:\WINDOWS\system32\e1.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wmnencxp.dll not found!
Deletion of file C:\WINDOWS\system32\wmnencxp.dll failed!

Could not process line:
C:\WINDOWS\system32\wmnencxp.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pmspwups.dll not found!
Deletion of file C:\WINDOWS\system32\pmspwups.dll failed!

Could not process line:
C:\WINDOWS\system32\pmspwups.dll
Status: 0xc0000034



File C:\WINDOWS\system32\sisbduse.dll not found!
Deletion of file C:\WINDOWS\system32\sisbduse.dll failed!

Could not process line:
C:\WINDOWS\system32\sisbduse.dll
Status: 0xc0000034



File C:\WINDOWS\system32\onksd.dll not found!
Deletion of file C:\WINDOWS\system32\onksd.dll failed!

Could not process line:
C:\WINDOWS\system32\onksd.dll
Status: 0xc0000034



File C:\WINDOWS\system32\statex.dll not found!
Deletion of file C:\WINDOWS\system32\statex.dll failed!

Could not process line:
C:\WINDOWS\system32\statex.dll
Status: 0xc0000034



File C:\WINDOWS\system32\oservmz101.dll not found!
Deletion of file C:\WINDOWS\system32\oservmz101.dll failed!

Could not process line:
C:\WINDOWS\system32\oservmz101.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ksdmgr32.dll not found!
Deletion of file C:\WINDOWS\system32\ksdmgr32.dll failed!

Could not process line:
C:\WINDOWS\system32\ksdmgr32.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pgptmsau.dll not found!
Deletion of file C:\WINDOWS\system32\pgptmsau.dll failed!

Could not process line:
C:\WINDOWS\system32\pgptmsau.dll
Status: 0xc0000034



File C:\WINDOWS\system32\quarwups.dll not found!
Deletion of file C:\WINDOWS\system32\quarwups.dll failed!

Could not process line:
C:\WINDOWS\system32\quarwups.dll
Status: 0xc0000034



File C:\WINDOWS\system32\vbscsysi.dll not found!
Deletion of file C:\WINDOWS\system32\vbscsysi.dll failed!

Could not process line:
C:\WINDOWS\system32\vbscsysi.dll
Status: 0xc0000034



File C:\WINDOWS\system32\winnatkc.dll not found!
Deletion of file C:\WINDOWS\system32\winnatkc.dll failed!

Could not process line:
C:\WINDOWS\system32\winnatkc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\pgptmsau.exe not found!
Deletion of file C:\WINDOWS\system32\pgptmsau.exe failed!

Could not process line:
C:\WINDOWS\system32\pgptmsau.exe
Status: 0xc0000034



File C:\WINDOWS\system32\quarwups.exe not found!
Deletion of file C:\WINDOWS\system32\quarwups.exe failed!

Could not process line:
C:\WINDOWS\system32\quarwups.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vbscsysi.exe not found!
Deletion of file C:\WINDOWS\system32\vbscsysi.exe failed!

Could not process line:
C:\WINDOWS\system32\vbscsysi.exe
Status: 0xc0000034



File C:\WINDOWS\system32\winnatkc.exe not found!
Deletion of file C:\WINDOWS\system32\winnatkc.exe failed!

Could not process line:
C:\WINDOWS\system32\winnatkc.exe
Status: 0xc0000034



File C:\WINDOWS\chat1302.exe not found!
Deletion of file C:\WINDOWS\chat1302.exe failed!

Could not process line:
C:\WINDOWS\chat1302.exe
Status: 0xc0000034



File C:\WINDOWS\redstk.exe not found!
Deletion of file C:\WINDOWS\redstk.exe failed!

Could not process line:
C:\WINDOWS\redstk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\2i1R4.dll not found!
Deletion of file C:\WINDOWS\system32\2i1R4.dll failed!

Could not process line:
C:\WINDOWS\system32\2i1R4.dll
Status: 0xc0000034



File C:\WINDOWS\system32\3H3736ku.dll not found!
Deletion of file C:\WINDOWS\system32\3H3736ku.dll failed!

Could not process line:
C:\WINDOWS\system32\3H3736ku.dll
Status: 0xc0000034



File C:\WINDOWS\system32\57D4tsu6.dll not found!
Deletion of file C:\WINDOWS\system32\57D4tsu6.dll failed!

Could not process line:
C:\WINDOWS\system32\57D4tsu6.dll
Status: 0xc0000034



File C:\WINDOWS\system32\65w134oi.dll not found!
Deletion of file C:\WINDOWS\system32\65w134oi.dll failed!

Could not process line:
C:\WINDOWS\system32\65w134oi.dll
Status: 0xc0000034



File C:\WINDOWS\system32\6akF1c.dll not found!
Deletion of file C:\WINDOWS\system32\6akF1c.dll failed!

Could not process line:
C:\WINDOWS\system32\6akF1c.dll
Status: 0xc0000034



File C:\WINDOWS\system32\7l5ef.dll not found!
Deletion of file C:\WINDOWS\system32\7l5ef.dll failed!

Could not process line:
C:\WINDOWS\system32\7l5ef.dll
Status: 0xc0000034

Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ksdmgr not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ksdmgr failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgptmsau not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgptmsau failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\quarwups not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\quarwups failed!
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnatkc not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnatkc failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:01, on 27. 11. 2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\freeCommander2005\freeCommander.exe
C:\Program Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &S-Rank - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3932 bytes
Tue Nov 27 14:49:02 2007 => Testovaných objektů: 28630
Tue Nov 27 14:49:02 2007 => Kritických objektů: 38
Tue Nov 27 14:49:02 2007 => Celkem vyléčených objektů: 0
Tue Nov 27 14:49:02 2007 => Celkem přejmenováno: 0
Tue Nov 27 14:49:02 2007 => Smazaných objektů: 0
Tue Nov 27 14:49:02 2007 => Celkem chyb: 36
Tue Nov 27 14:49:02 2007 => Uplynulý čas: 00:04:45
Tue Nov 27 14:49:02 2007 => Datum vydání databáze: 11/12/2007
Tue Nov 27 14:49:02 2007 => Verze virové databáze: 456801
Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "mwsoemon Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "mwsoemon Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "funwebproducts Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

Objekt "ezula Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.

,Soubor C:\WINDOWS\skt68.exe//PE_Patch.UPX//UPX indentifikován jako "IM-Worm.Win32.Agent.ae". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\stk70.exe//PE_Patch.UPX//UPX indentifikován jako "IM-Worm.Win32.Agent.ae". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\dsaurasr.dll je infikovaný virem Email-Worm.Win32.Warezov.sz !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\e0lR8f8.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\edL1T.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\g5w00q0.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\Hea2P.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\iNVFf5IVuW.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\ipsetlnt.exe je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\jobekbdn.exe je infikovaný virem Email-Worm.Win32.Warezov.gen !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\Kx8SKDXc.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\L7x122t.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\nb5LHQS3.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\netuencd.exe je infikovaný virem Email-Worm.Win32.Warezov.gen !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\nSj7RR5A.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\OD8hfdA8NC.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\OgC4TeS8.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\P543ARQsGyn.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\perfex.exe je infikovaný virem Email-Worm.Win32.Warezov.tv !! Provedené akce: Nic nebylo provedeno
.
Soubor C:\WINDOWS\system32\PuePMs15dL.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\S8A85umh.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\SR40T.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\UcgF5CY7.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\UK132n0.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\uyKd0.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\vdE73rABqp.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\wanpsysi.dll je infikovaný virem Email-Worm.Win32.Warezov.sz !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\x0p3B74je.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\XIJCf.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\XiR3LL6t8.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\Y0G6lP.dll je infikovaný virem BkCln.Unknown !! Provedené akce: Nic nebylo provedeno.

[fredik]

Použij znovu avenger s tímto skriptem:
Files to delete:
C:\WINDOWS\skt68.exe
C:\WINDOWS\stk70.exe
C:\WINDOWS\system32\dsaurasr.dll
C:\WINDOWS\system32\e0lR8f8.dll
C:\WINDOWS\system32\edL1T.dll
C:\WINDOWS\system32\g5w00q0.dll
C:\WINDOWS\system32\Hea2P.dll
C:\WINDOWS\system32\iNVFf5IVuW.dll
C:\WINDOWS\system32\ipsetlnt.exe
C:\WINDOWS\system32\jobekbdn.exe
C:\WINDOWS\system32\Kx8SKDXc.dll
C:\WINDOWS\system32\L7x122t.dll
C:\WINDOWS\system32\nb5LHQS3.dll
C:\WINDOWS\system32\netuencd.exe
C:\WINDOWS\system32\nSj7RR5A.dll
C:\WINDOWS\system32\OD8hfdA8NC.dll
C:\WINDOWS\system32\OgC4TeS8.dll
C:\WINDOWS\system32\P543ARQsGyn.dll
C:\WINDOWS\system32\perfex.exe
C:\WINDOWS\system32\PuePMs15dL.dll
C:\WINDOWS\system32\S8A85umh.dll
C:\WINDOWS\system32\SR40T.dll
C:\WINDOWS\system32\UcgF5CY7.dll
C:\WINDOWS\system32\UK132n0.dll
C:\WINDOWS\system32\uyKd0.dll
C:\WINDOWS\system32\vdE73rABqp.dll
C:\WINDOWS\system32\wanpsysi.dll
C:\WINDOWS\system32\x0p3B74je.dll
C:\WINDOWS\system32\XIJCf.dll
C:\WINDOWS\system32\XiR3LL6t8.dll
C:\WINDOWS\system32\Y0G6lP.dll

Vlož sem výpis z Avengeru

[Michal Kudlak]

Díky, zas to bude chvíli trvat než se k tomu compu dostanu. Tak zatím....