PC-HELP.CZ

České diskuzní fórum o počítačích
https://pc-help.cnews.cz/

Prosím o kontrolu logu z mwav a hjt

https://pc-help.cnews.cz/viewtopic.php?f=70&t=27624

Stránka 1 z 1

Prosím o kontrolu logu z mwav a hjt

Napsal: 21 kvě 2008 16:07
od Sneckie
Dobry den, pc je desne zpomaleny. Mohli byste se mi prosim kouknout na vypisy z mwav a hjt a navrhnout nejake reseni? Dekuji predem za pomoc.

Mwav:
Soubor C:\PROGRA~1\UltraVNC\WinVNC.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.WinVNC.c". Ponecháno, neodstraněno!
Soubor C:\PROGRA~1\UltraVNC\WinVNC.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.WinVNC.c". Ponecháno, neodstraněno!
Soubor C:\PROGRA~1\UltraVNC\WinVNC.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.WinVNC.c". Ponecháno, neodstraněno!
Soubor C:\WINDOWS\system32\biopeagb.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.srg". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\cicutdtv.dll je infikovaný virem Trojan.Win32.Monder.gen !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\dfjkahnl.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sca". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\ilkukjho.dll je infikovaný virem Trojan.Win32.Monder.gen !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\kiaoccha.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.srh". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\oltaxurj.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sfm". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\pxgyqbwf.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sby". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\DOKUMENTY\Install DDM\rserv31.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.n". Ponecháno, neodstraněno!
Soubor C:\DOKUMENTY\Install DDM\rview31.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.n". Ponecháno, neodstraněno!
Soubor C:\INSTALL\UltraVNC-102-Setup.exe//file04 byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.WinVNC.1102". Ponecháno, neodstraněno!
Soubor C:\Program Files\UltraVNC\vncviewer.exe byl indentifikován jako "not-a-virus:RemoteAdmin.Win32.WinVNC.1102". Ponecháno, neodstraněno!
Soubor C:\System Volume Information\_restore{5B1C6E42-F7BB-44F8-B434-8D8D76225309}\RP310\A0072967.exe je infikovaný virem NULL.Corrupted !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\System Volume Information\_restore{5B1C6E42-F7BB-44F8-B434-8D8D76225309}\RP312\A0073046.exe je infikovaný virem NULL.Corrupted !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\System Volume Information\_restore{5B1C6E42-F7BB-44F8-B434-8D8D76225309}\RP312\A0073062.exe je infikovaný virem NULL.Corrupted !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\System Volume Information\_restore{5B1C6E42-F7BB-44F8-B434-8D8D76225309}\RP312\A0073995.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.rtf". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\biopeagb.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.srg". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\cicutdtv.dll je infikovaný virem Trojan.Win32.Monder.gen !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\dfjkahnl.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sca". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\ilkukjho.dll je infikovaný virem Trojan.Win32.Monder.gen !! Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\kiaoccha.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.srh". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\oltaxurj.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sfm". Provedené akce: Ponecháno, neodstraněno!.
Soubor C:\WINDOWS\system32\pxgyqbwf.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.sby". Provedené akce: Ponecháno, neodstraněno!.

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:49, on 21.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CIGLER SOFTWARE\Money S3\MonS3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\DOCUME~1\PC\LOCALS~1\Temp\mexe.com
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shop.og.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.money.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NetLockMngr] C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTMngr.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [8c0a61fb] rundll32.exe "C:\WINDOWS\system32\albtqotu.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.sws.cz
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://obchod.essox.cz/essox/_woi/mcsimenu.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9563.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://85.207.76.73:3131/activex/AxisCamControl.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///D:/CDVIEWER/CdViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6197797-DFA7-4729-9E6C-FA9567F76F91}: NameServer = 10.0.0.138
O23 - Service: Plánovač automatické aktualizace LiveUpdate (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SWLock Server (SWLckServer) - Unknown owner - C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7772 bytes

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 21 kvě 2008 20:49
od fredik
Před použitím ComboFix vypni rezidentní štít ve Spyware Terminátoru:
Spusť Spywater Terminátora, nahoře klikni na ikonu Rezidentní štít
- program se přepne do okna Natavení rezidentního štítu
- tam na záložce Nastavení štítu zruš zatržení u položky: Aktivovat Rezidentní štít
- klikni dole na tlačítko: Uložit změny
- zavři program

Bylo by také dobré před spuštěním ComboFix vypnout Norton Internet Security, po jeho proběhnutí si ho zapni zpět.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Pak si stáhni ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 23 kvě 2008 10:19
od Sneckie
Ahoj, zde je log z ComboFix :wink:

ComboFix 08-05-21.3 - PC 2008-05-23 9:40:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.107 [GMT 2:00]
Running from: C:\Documents and Settings\PC\Plocha\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8f395267.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\ahccoaik.ini
C:\WINDOWS\system32\biopeagb.dll
C:\WINDOWS\system32\dfjkahnl.dll
C:\WINDOWS\system32\hmlwxdlg.ini
C:\WINDOWS\system32\kiaoccha.dll
C:\WINDOWS\system32\lnhakjfd.ini
C:\WINDOWS\system32\lpubtetc.ini
C:\WINDOWS\system32\mbykxfij.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MVFMmnpo.ini
C:\WINDOWS\system32\MVFMmnpo.ini2
C:\WINDOWS\system32\obsbboci.ini
C:\WINDOWS\system32\opnmMFVM.dll
C:\WINDOWS\system32\pxgyqbwf.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\utoqtbla.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 09:55 . 2008-05-23 09:55 370,688 --a------ C:\WINDOWS\system32\wvULfCRl.dll
2008-05-23 09:55 . 2008-05-23 09:55 345 --ahs---- C:\WINDOWS\system32\lRCfLUvw.ini2
2008-05-23 09:55 . 2008-05-23 09:59 345 --ahs---- C:\WINDOWS\system32\lRCfLUvw.ini
2008-05-23 09:30 . 2008-05-23 09:30 115,200 --a------ C:\WINDOWS\system32\gldxwlmh.dll
2008-05-23 09:24 . 2008-05-23 09:24 126,464 --a------ C:\WINDOWS\system32\wjrpqbgk.dll
2008-05-22 17:24 . 2008-05-22 17:24 126,976 --a------ C:\WINDOWS\system32\uxuoiwbf.dll
2008-05-21 15:50 . 2008-05-21 15:50 0 --a------ C:\23990098.$$$
2008-05-21 15:37 . 2008-05-21 15:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-05-21 10:22 . 2008-05-21 10:24 50 --a------ C:\WINDOWS\Lic.xxx
2008-05-21 10:21 . 2006-03-02 14:00 147,968 --a------ C:\WINDOWS\R.COM
2008-05-21 10:21 . 2006-03-02 14:00 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-05-21 09:57 . 2008-05-21 09:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-21 09:57 . 2008-05-21 09:59 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 09:12 . 2008-05-21 09:12 126,464 --a------ C:\WINDOWS\system32\usuhjgeb.dll
2008-05-20 15:17 . 2008-05-20 15:17 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-20 15:08 . 2008-05-20 16:12 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-05-20 14:56 . 2008-05-20 15:54 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-20 14:56 . 2008-05-20 15:54 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-20 14:56 . 2008-05-20 15:54 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 14:56 . 2008-05-20 15:54 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-20 14:55 . 2008-05-20 15:54 <DIR> d-------- C:\Program Files\Symantec
2008-05-20 14:54 . 2008-05-23 09:51 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-19 13:14 . 2008-05-19 13:14 30,720 --a------ C:\rofl.exe
2008-05-17 10:48 . 2008-05-20 12:39 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-05-17 10:48 . 2008-05-17 10:48 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-17 10:47 . 2008-05-17 10:47 57,344 --a------ C:\WINDOWS\system32\fcccyXNd.dll
2008-05-17 09:03 . 2008-05-17 09:03 57,344 --a------ C:\WINDOWS\system32\opnnmnMd.dll
2008-05-16 08:30 . 2008-05-16 08:30 57,344 --a------ C:\WINDOWS\system32\rqRjkHyX.dll
2008-05-10 10:59 . 2008-05-10 10:59 <DIR> d-------- C:\Program Files\DivX
2008-05-10 10:49 . 2008-05-10 10:49 <DIR> d-------- C:\RP6
2008-05-10 10:46 . 2008-05-10 10:46 <DIR> d-------- C:\Program Files\CDex_170b2
2008-05-10 09:46 . 2008-05-10 12:07 <DIR> d-------- C:\video
2008-05-10 09:36 . 2008-05-10 09:36 <DIR> d-------- C:\Program Files\Xvid CZ
2008-05-02 14:08 . 2008-05-02 14:08 <DIR> d-------- C:\Program Files\GameTop.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 07:40 --------- d-----w C:\Program Files\ESET
2008-05-22 15:42 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-21 12:54 --------- d-----w C:\Program Files\UltraVNC
2008-05-21 08:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 15:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 15:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 15:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 14:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 14:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-05-11 07:29 6,010,880 ----a-w C:\Program Files\icq5_1_Atlas.exe
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}]
2008-05-16 08:30 57344 --a------ C:\WINDOWS\system32\rqRjkHyX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-20 15:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0E0DB2-C752-4069-B636-38738BB5390C}]
2008-05-23 09:55 370688 --a------ C:\WINDOWS\system32\wvULfCRl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 20:40 2048000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-03 17:42 949376]
"NetLockMngr"="C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTMngr.exe" [2007-01-09 10:07 735744]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"8c0a61fb"="C:\WINDOWS\system32\gldxwlmh.dll" [2008-05-23 09:30 115200]
"BM8f395267"="C:\WINDOWS\system32\wjrpqbgk.dll" [2008-05-23 09:24 126464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}"= C:\WINDOWS\system32\rqRjkHyX.dll [2008-05-16 08:30 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRjkHyX]
rqRjkHyX.dll 2008-05-16 08:30 57344 C:\WINDOWS\system32\rqRjkHyX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\wvULfCRl

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"511:TCP"= 511:TCP:Money NetSWkey

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-17 10:48]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SWLckServer;SWLock Server;C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe [2007-01-09 10:07]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
R3 Di1610VM11;KONICA MINOLTA Di1610;C:\WINDOWS\system32\Drivers\Di1610.sys [2001-08-17 00:00]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 23:08]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bf82b3e-369f-11dc-86a8-001109701e5d}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50d95b3d-547a-11dc-86d4-001109701e5d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffcc1f21-5534-11dc-86d6-001109701e5d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 13:40:04 C:\WINDOWS\Tasks\Norton Internet Security - Prověřit tento počítač - PC.job"

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 23 kvě 2008 12:13
od fredik
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::

File::
C:\WINDOWS\system32\wvULfCRl.dll
C:\WINDOWS\system32\lRCfLUvw.ini2
C:\WINDOWS\system32\lRCfLUvw.ini
C:\WINDOWS\system32\gldxwlmh.dll
C:\WINDOWS\system32\wjrpqbgk.dll
C:\WINDOWS\system32\uxuoiwbf.dll
C:\WINDOWS\system32\usuhjgeb.dll
C:\rofl.exe
C:\WINDOWS\system32\fcccyXNd.dll
C:\WINDOWS\system32\opnnmnMd.dll
C:\WINDOWS\system32\rqRjkHyX.dll
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe

Folder::
C:\Recycled
D:\Recycled
E:\Recycled
F:\Recycled
G:\Recycled

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0E0DB2-C752-4069-B636-38738BB5390C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c0a61fb"=-
"BM8f395267"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRjkHyX]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50d95b3d-547a-11dc-86d4-001109701e5d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffcc1f21-5534-11dc-86d6-001109701e5d}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť
Obrázek
- Automaticky se spustí ComboFix (Pc se ti pak restartuje tak se nelekni)
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 23 kvě 2008 12:52
od Sneckie
Tady to mam :evil: :

MWAV:

ComboFix 08-05-21.3 - PC 2008-05-23 12:20:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.172 [GMT 2:00]
Running from: C:\Documents and Settings\PC\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\PC\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
C:\rofl.exe
C:\WINDOWS\system32\fcccyXNd.dll
C:\WINDOWS\system32\gldxwlmh.dll
C:\WINDOWS\system32\lRCfLUvw.ini
C:\WINDOWS\system32\lRCfLUvw.ini2
C:\WINDOWS\system32\opnnmnMd.dll
C:\WINDOWS\system32\rqRjkHyX.dll
C:\WINDOWS\system32\usuhjgeb.dll
C:\WINDOWS\system32\uxuoiwbf.dll
C:\WINDOWS\system32\wjrpqbgk.dll
C:\WINDOWS\system32\wvULfCRl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
C:\rofl.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fcccyXNd.dll
C:\WINDOWS\system32\gldxwlmh.dll
C:\WINDOWS\system32\lRCfLUvw.ini
C:\WINDOWS\system32\lRCfLUvw.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnnmnMd.dll
C:\WINDOWS\system32\rqRjkHyX.dll
C:\WINDOWS\system32\usuhjgeb.dll
C:\WINDOWS\system32\uxuoiwbf.dll
C:\WINDOWS\system32\wjrpqbgk.dll
C:\WINDOWS\system32\wvULfCRl.dll
.
---- Previous Run -------
.
C:\WINDOWS\BM8f395267.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\ahccoaik.ini
C:\WINDOWS\system32\biopeagb.dll
C:\WINDOWS\system32\dfjkahnl.dll
C:\WINDOWS\system32\hmlwxdlg.ini
C:\WINDOWS\system32\kiaoccha.dll
C:\WINDOWS\system32\lnhakjfd.ini
C:\WINDOWS\system32\lpubtetc.ini
C:\WINDOWS\system32\mbykxfij.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MVFMmnpo.ini
C:\WINDOWS\system32\MVFMmnpo.ini2
C:\WINDOWS\system32\obsbboci.ini
C:\WINDOWS\system32\opnmMFVM.dll
C:\WINDOWS\system32\pxgyqbwf.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\utoqtbla.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 10:10 . 2008-05-23 10:10 294 --ahs---- C:\WINDOWS\system32\hmlwxdlg.ini
2008-05-23 10:09 . 2008-05-23 10:09 0 --a------ C:\WINDOWS\BM8f395267.xml
2008-05-23 10:07 . 2008-05-23 10:07 115,200 --a------ C:\WINDOWS\system32\wdrmaomy.dll
2008-05-23 09:59 . 2008-05-23 09:59 126,464 --a------ C:\WINDOWS\system32\ihjsjdvh.dll
2008-05-21 15:50 . 2008-05-21 15:50 0 --a------ C:\23990098.$$$
2008-05-21 15:37 . 2008-05-21 15:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-05-21 10:24 . 2008-05-21 10:24 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-05-21 10:22 . 2008-05-21 10:24 50 --a------ C:\WINDOWS\Lic.xxx
2008-05-21 10:21 . 2006-03-02 14:00 147,968 --a------ C:\WINDOWS\R.COM
2008-05-21 10:21 . 2006-03-02 14:00 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-05-21 09:57 . 2008-05-21 09:58 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-21 09:57 . 2008-05-21 09:59 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 15:17 . 2008-05-20 15:17 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-20 15:08 . 2008-05-20 16:12 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-05-20 14:56 . 2008-05-20 15:54 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-20 14:56 . 2008-05-20 15:54 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-20 14:56 . 2008-05-20 15:54 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 14:56 . 2008-05-20 15:54 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-20 14:55 . 2008-05-20 15:54 <DIR> d-------- C:\Program Files\Symantec
2008-05-20 14:54 . 2008-05-23 09:51 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 10:48 . 2008-05-20 12:39 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-05-17 10:48 . 2008-05-17 10:48 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-10 10:59 . 2008-05-10 10:59 <DIR> d-------- C:\Program Files\DivX
2008-05-10 10:49 . 2008-05-10 10:49 <DIR> d-------- C:\RP6
2008-05-10 10:46 . 2008-05-10 10:46 <DIR> d-------- C:\Program Files\CDex_170b2
2008-05-10 09:46 . 2008-05-10 12:07 <DIR> d-------- C:\video
2008-05-10 09:36 . 2008-05-10 09:36 <DIR> d-------- C:\Program Files\Xvid CZ
2008-05-02 14:08 . 2008-05-02 14:08 <DIR> d-------- C:\Program Files\GameTop.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 07:40 --------- d-----w C:\Program Files\ESET
2008-05-22 15:42 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-21 12:54 --------- d-----w C:\Program Files\UltraVNC
2008-05-21 08:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-11 07:29 6,010,880 ----a-w C:\Program Files\icq5_1_Atlas.exe
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_10.00.39.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-23 07:53:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 10:34:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-20 15:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-10 20:40 2048000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-03 17:42 949376]
"NetLockMngr"="C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTMngr.exe" [2007-01-09 10:07 735744]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"511:TCP"= 511:TCP:Money NetSWkey

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-05-17 10:48]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SWLckServer;SWLock Server;C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe [2007-01-09 10:07]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-06-26 13:22]
R3 Di1610VM11;KONICA MINOLTA Di1610;C:\WINDOWS\system32\Drivers\Di1610.sys [2001-08-17 00:00]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 23:08]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bf82b3e-369f-11dc-86a8-001109701e5d}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 13:40:04 C:\WINDOWS\Tasks\Norton Internet Security - Prověřit tento počítač - PC.job"

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46, on 2008-05-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTMngr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://shop.og.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.money.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NetLockMngr] C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTMngr.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.sws.cz
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://obchod.essox.cz/essox/_woi/mcsimenu.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9563.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://85.207.76.73:3131/activex/AxisCamControl.cab
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///D:/CDVIEWER/CdViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6197797-DFA7-4729-9E6C-FA9567F76F91}: NameServer = 10.0.0.138
O23 - Service: Plánovač automatické aktualizace LiveUpdate (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SWLock Server (SWLckServer) - Unknown owner - C:\Program Files\CIGLER SOFTWARE\NetLicence\CSW_NetSWKeyNTService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7819 bytes

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 23 kvě 2008 15:16
od fredik
Máš tam dva antiviry (NIS & NOD32), tak si tam nech jen jeden a ten druhý odinstaluj.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Vytvoř si nový CFScript a použij ho stejným způsobem jako ten předchozí, ale s tím rozdílem, že do něj vlož tentokrát toto:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
C:\WINDOWS\system32\hmlwxdlg.ini
C:\WINDOWS\BM8f395267.xml
C:\WINDOWS\system32\wdrmaomy.dll
C:\WINDOWS\system32\ihjsjdvh.dll

Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Re: Prosím o kontrolu logu z mwav a hjt

Napsal: 23 kvě 2008 15:33
od Sneckie
Diky moc za pomoc Frediku, ale vzhledem k tomu, ze mi windows co dve minuty pada, rozhodl jsem se udelat natvrdo format a reinstal os. Kazdopadne dik :bigups:
Časové pásmo: UTC+02:00
Stránka 1 z 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/