I'm pasting my log from HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:28, on 6.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Windows Service Agent] service.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Clients Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe
--
End of file - 2335 bytes
- Every time I start the computer, NOD32 reports a Trojan horse in operating memory.
- After connecting to the net, NOD32 reports an infiltration from http://www.faka.biz, the computer freezes and I have to restart...
Please, somebody help me...
Virus in notebook: freezes after connecting to the net, please help
Well, I'm not surprised your PC is infected when you're running SP1 and nothing but an antivirus.
Do this first:
in Task Manager, end:
C:\WINDOWS\system32\svshost.exe
fix in HJT:
O4 - HKLM\..\RunServices: [Windows Service Agent] service.exe
and stop the service Windows Clients Manager.
Then try to delete this from the disk:
C:\WINDOWS\system32\svshost.exe
+ install SP2, a firewall and an antispyware tool, and post a new log. Reading what you've written, this will only be the beginning.
- In Task Manager I don't know which of the four svshost to end...
- I ended three, and when I end the last one too, I get a message saying the computer will shut down in 90 seconds...
- I leave just that one there, and after a while there are two running again...
- Fixed in HJT
- I stopped the Windows Clients Manager service
- C:\WINDOWS\system32\svchost.exe cannot be deleted
- Which antispyware should I download, when I can't manage to install Spybot Search & Destroy, which needs a net connection to install... and I can't do that...
- I installed Kerio firewall
- After the restart, a Kerio window keeps popping up saying "Intrusion attempt blocked"
- on and on... I only get rid of it by turning Kerio off...
- I don't know what to do about SP2... my Windows isn't exactly legal...
- Because of this problem I can't download any update at all
Now the HJT log looks like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:10:01, on 6.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7C1123A8-ADD3-4052-851E-415C89E08A0B} - C:\WINDOWS\System32\mljjg.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\khfeeff.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: khfeeff - C:\WINDOWS\SYSTEM32\khfeeff.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 3188 bytes
Thanks so far...
Good. The effort is appreciated, and think about buying a legal copy of Windows sometime in the future. Believe me, it has its advantages.
But back to the problem.
Download Avenger: http://www.spyware.cz/spyware.cz/download/avenger.exe
run it - tick "Input script manually" - click the magnifying glass - paste this text into the empty window:
Files to delete:
C:\WINDOWS\system32\svshost.exe
- click Done - click the traffic light - the PC will restart - after it comes up a log will appear; paste it here together with another HijackThis log.
+ do this: http://www.viry.cz/forum/viewtopic.php?t=16634 (the VundoFix one)
As for that svshost... there should be only one. The others are svchost.exe, which is perfectly fine; don't end those.
And leave Kerio on, otherwise viruses will keep being pulled into the PC over and over and we'll never be done.
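As an added example (not from any post in this thread, and not code from HijackThis, Avenger or VundoFix), here is a small Python triage script that encodes the rules the two helper replies applied to the logs above: a process or service image whose file name is one edit away from a Windows system binary (svshost.exe against svchost.exe), an O23 service listed with "Unknown owner", an O4 autorun that names a bare file with no path (service.exe under RunServices), and an unnamed O2 BHO whose DLL is also registered as an O20 Winlogon Notify package, the pairing that VundoFix targets. The sample log lines are copied from the first two HJT logs posted above. KNOWN_SYSTEM is an assumed, deliberately short allow-list, and the one-edit lookalike rule generalises the helper's svshost/svchost remark, so it also flags service.exe against services.exe.

```python
# Triage rules for a HijackThis (HJT) log. Added example for this thread, not code from
# any post or tool above; KNOWN_SYSTEM is an assumed allow-list, LOG_* lines come from the thread.
import re
from typing import Dict, List, Optional

KNOWN_SYSTEM = sorted({"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                       "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "notepad.exe"})

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK.+?\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def basename(path: str) -> str:  # lower-cased file name of a Windows path
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def command_image(command: str) -> str:  # executable part of a command line
    m = re.match(r'"([^"]*)"|(\S+)', command.strip())
    return "" if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def edit_distance(a: str, b: str) -> int:  # Levenshtein, catches typosquatted names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str) -> Optional[str]:
    """System binary that `name` is exactly one edit away from, or None."""
    if name in KNOWN_SYSTEM:
        return None
    return next((g for g in KNOWN_SYSTEM if edit_distance(name, g) == 1), None)

def triage(log: str) -> List[Dict[str, str]]:
    """Run the rules over one HJT log; each finding is {rule, line, detail}."""
    findings: List[Dict[str, str]] = []
    unnamed_bho: Dict[str, str] = {}  # DLL basename -> CLSID; O2 lines precede O20 in HJT output
    in_processes = False

    def add(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    def check_image(kind: str, line: str, image: str) -> None:
        good = lookalike(basename(image))
        if good:
            add("lookalike", line, f"{kind} {basename(image)} is one edit from {good}")

    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if re.match(r"^[RFO]\d+ - ", line):  # first HJT item ends the process list
            in_processes = False
        if in_processes:
            if "\\" in line:
                check_image("process", line, line)
        elif m := O4_RE.match(line):
            image = command_image(m["cmd"])
            if "\\" not in image:  # bare file name, resolved through the search path
                add("bare-autorun", line, f"{m['key']} runs '{image}' with no path")
            check_image("autorun", line, image)
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                add("unknown-owner", line, m["name"])
            check_image("service", line, command_image(m["path"]))
        elif m := O2_RE.match(line):
            if m["name"] == "(no name)":
                unnamed_bho[basename(m["path"])] = m["clsid"]
                add("unnamed-bho", line, f"{m['clsid']} -> {m['path']}")
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            if dll in unnamed_bho:
                add("vundo-pair", line, f"{dll} is a Winlogon Notify package and unnamed BHO {unnamed_bho[dll]}")
    return findings

LOG_FIRST = r"""Running processes:
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Windows Service Agent] service.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Clients Manager - Unknown owner - C:\WINDOWS\system32\svshost.exe
"""

LOG_SECOND = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C1123A8-ADD3-4052-851E-415C89E08A0B} - C:\WINDOWS\System32\mljjg.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - (no file)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\khfeeff.dll
O20 - Winlogon Notify: khfeeff - C:\WINDOWS\SYSTEM32\khfeeff.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
"""

if __name__ == "__main__":
    for f in triage(LOG_FIRST) + triage(LOG_SECOND):
        print(f"{f['rule']:14} {f['detail']}")
```

On the first log it reports the svshost.exe process, the RunServices entry and the unknown-owner service; on the second it reports the three unnamed BHOs and the two Winlogon Notify packages that share their DLLs. It only reads a saved log and never kills processes or deletes files; as the thread shows, the DLLs resisted deletion while loaded, so removal still belongs to a tool that acts before they load (Avenger at boot, VirtumundoBeGone in safe mode).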
- I downloaded Avenger
- I have its log on the desktop
- I downloaded VundoFix
- My computer restarted, and after the restart VundoFix ran again... for the fifth time already...
- each time there are some three lines, and when I click "Remove Vundo" it tells me:
C:\WINDOWS\System32\khfeeff.dll could not be deleted, Vundofix will load on reboot to attempt removal. Please Click Remove Vundo once your machine has rebooted.
C:\WINDOWS\System32\mljjg.dll could not be deleted, Vundofix will load on reboot to attempt removal. Please Click Remove Vundo once your machine has rebooted.
C:\WINDOWS\System32\mjjlm.dll could not be deleted, Vundofix will load on reboot to attempt removal. Please Click Remove Vundo once your machine has rebooted.
- Now I'm doing it for the sixth time, and I can't get to the Avenger and HJT logs right now...
After the tenth attempt
This is going nowhere...
- I'm turning VundoFix off
Here are the logs from Avenger and HJT:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rtusukvu
*******************
Script file located at: \??\C:\hoxpxhav.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\svshost.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:21:14, on 6.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8A4A70D5-DE58-49D0-A332-A061DEAE364B} - C:\WINDOWS\System32\mljjg.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\khfeeff.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: khfeeff - C:\WINDOWS\SYSTEM32\khfeeff.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\System32\mljjg.dll
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 3114 bytes
OK, I'm going to try that second little program...
ReCall wrote: Hey StorMe, you should have been here sooner!
So learn to clean your PC regularly and everything will be as it should.
PS: Good luck
I've had the notebook brand new since the start of this school year... I bought it without an operating system...
Here are the logs:
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rtusukvu
*******************
Script file located at: \??\C:\hoxpxhav.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\svshost.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36:05, on 6.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 2710 bytes
VBG:
[10/06/2007, 16:30:39] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\StormM\Plocha\Nová složka\VirtumundoBeGone.exe" )
[10/06/2007, 16:30:42] - Detected System Information:
[10/06/2007, 16:30:42] - Windows Version: 5.1.2600, Service Pack 1
[10/06/2007, 16:30:42] - Current Username: StormM (Admin)
[10/06/2007, 16:30:42] - Windows is in SAFE mode with Networking.
[10/06/2007, 16:30:42] - Searching for Browser Helper Objects:
[10/06/2007, 16:30:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/06/2007, 16:30:42] - BHO 2: {6465875B-0DCA-457A-83F7-90F1C17D4A19} ()
[10/06/2007, 16:30:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2007, 16:30:42] - Checking for HKLM\...\Winlogon\Notify\mljjg
[10/06/2007, 16:30:42] - Found: HKLM\...\Winlogon\Notify\mljjg - This is probably Virtumundo.
[10/06/2007, 16:30:42] - Assigning {6465875B-0DCA-457A-83F7-90F1C17D4A19} MSEvents Object
[10/06/2007, 16:30:42] - BHO list has been changed! Starting over...
[10/06/2007, 16:30:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/06/2007, 16:30:42] - BHO 2: {6465875B-0DCA-457A-83F7-90F1C17D4A19} (MSEvents Object)
[10/06/2007, 16:30:42] - ALERT: Found MSEvents Object!
[10/06/2007, 16:30:42] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2007, 16:30:42] - BHO 4: {F4002052-AB29-4B33-8C8D-0E99084564EC} ()
[10/06/2007, 16:30:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2007, 16:30:42] - Checking for HKLM\...\Winlogon\Notify\khfeeff
[10/06/2007, 16:30:42] - Found: HKLM\...\Winlogon\Notify\khfeeff - This is probably Virtumundo.
[10/06/2007, 16:30:42] - Assigning {F4002052-AB29-4B33-8C8D-0E99084564EC} MSEvents Object
[10/06/2007, 16:30:42] - BHO list has been changed! Starting over...
[10/06/2007, 16:30:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/06/2007, 16:30:42] - BHO 2: {6465875B-0DCA-457A-83F7-90F1C17D4A19} (MSEvents Object)
[10/06/2007, 16:30:42] - ALERT: Found MSEvents Object!
[10/06/2007, 16:30:42] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2007, 16:30:42] - BHO 4: {F4002052-AB29-4B33-8C8D-0E99084564EC} (MSEvents Object)
[10/06/2007, 16:30:42] - ALERT: Found MSEvents Object!
[10/06/2007, 16:30:42] - Finished Searching Browser Helper Objects
[10/06/2007, 16:30:42] - *** Detected MSEvents Object
[10/06/2007, 16:30:42] - Trying to remove MSEvents Object...
[10/06/2007, 16:30:43] - Terminating Process: IEXPLORE.EXE
[10/06/2007, 16:30:43] - Terminating Process: RUNDLL32.EXE
[10/06/2007, 16:30:43] - Disabling Automatic Shell Restart
[10/06/2007, 16:30:43] - Terminating Process: EXPLORER.EXE
[10/06/2007, 16:30:44] - Suspending the NT Session Manager System Service
[10/06/2007, 16:30:44] - Terminating Windows NT Logon/Logoff Manager
[10/06/2007, 16:30:44] - Re-enabling Automatic Shell Restart
[10/06/2007, 16:30:44] - File to disable: C:\WINDOWS\System32\mljjg.dll
[10/06/2007, 16:30:44] - Renaming C:\WINDOWS\System32\mljjg.dll -> C:\WINDOWS\System32\mljjg.dll.vir
[10/06/2007, 16:30:44] - File successfully renamed!
[10/06/2007, 16:30:44] - Removing HKLM\...\Browser Helper Objects\{6465875B-0DCA-457A-83F7-90F1C17D4A19}
[10/06/2007, 16:30:44] - Removing HKCR\CLSID\{6465875B-0DCA-457A-83F7-90F1C17D4A19}
[10/06/2007, 16:30:44] - Adding Kill Bit for ActiveX for GUID: {6465875B-0DCA-457A-83F7-90F1C17D4A19}
[10/06/2007, 16:30:44] - Deleting ATLEvents/MSEvents Registry entries
[10/06/2007, 16:30:44] - Removing HKLM\...\Winlogon\Notify\mljjg
[10/06/2007, 16:30:44] - Searching for Browser Helper Objects:
[10/06/2007, 16:30:44] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/06/2007, 16:30:44] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2007, 16:30:44] - BHO 3: {F4002052-AB29-4B33-8C8D-0E99084564EC} (MSEvents Object)
[10/06/2007, 16:30:44] - ALERT: Found MSEvents Object!
[10/06/2007, 16:30:44] - Finished Searching Browser Helper Objects
[10/06/2007, 16:30:44] - *** Detected MSEvents Object
[10/06/2007, 16:30:44] - Trying to remove MSEvents Object...
[10/06/2007, 16:30:45] - Terminating Process: IEXPLORE.EXE
[10/06/2007, 16:30:45] - Terminating Process: RUNDLL32.EXE
[10/06/2007, 16:30:46] - Disabling Automatic Shell Restart
[10/06/2007, 16:30:46] - Terminating Process: EXPLORER.EXE
[10/06/2007, 16:30:46] - Suspending the NT Session Manager System Service
[10/06/2007, 16:30:46] - Terminating Windows NT Logon/Logoff Manager
[10/06/2007, 16:30:46] - Re-enabling Automatic Shell Restart
[10/06/2007, 16:30:46] - File to disable: C:\WINDOWS\system32\khfeeff.dll
[10/06/2007, 16:30:46] - Renaming C:\WINDOWS\system32\khfeeff.dll -> C:\WINDOWS\system32\khfeeff.dll.vir
[10/06/2007, 16:30:46] - File successfully renamed!
[10/06/2007, 16:30:46] - Removing HKLM\...\Browser Helper Objects\{F4002052-AB29-4B33-8C8D-0E99084564EC}
[10/06/2007, 16:30:46] - Removing HKCR\CLSID\{F4002052-AB29-4B33-8C8D-0E99084564EC}
[10/06/2007, 16:30:46] - Adding Kill Bit for ActiveX for GUID: {F4002052-AB29-4B33-8C8D-0E99084564EC}
[10/06/2007, 16:30:46] - Deleting ATLEvents/MSEvents Registry entries
[10/06/2007, 16:30:46] - Removing HKLM\...\Winlogon\Notify\khfeeff
[10/06/2007, 16:30:46] - Searching for Browser Helper Objects:
[10/06/2007, 16:30:46] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[10/06/2007, 16:30:46] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2007, 16:30:46] - Finished Searching Browser Helper Objects
[10/06/2007, 16:30:46] - Finishing up...
[10/06/2007, 16:30:46] - A restart is needed.
[10/06/2007, 16:31:07] - Attempting to Restart via STOP error (Blue Screen!)
That's a pity, because you'll keep missing that SP2. This thing is really like a sieve, and antivirus, firewall and antispyware may not be able to save it.
Try using MWAV. Before the scan, clean up with CCleaner (guide here on the forum). The scan will be several tens of minutes shorter. Guide in the HijackThis section here. When scanning finishes, paste the results from the window with found threats (virus log information) here.