Hi, yesterday I reinstalled Windows and downloaded ICQ, and since then my internet has been terribly slow. When I run Spyware Terminator it tells me startdrv.exe is bad; I delete it, but when I check again a little later it's still there. Does anyone know what to do about it??
I'm also posting a HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\Skupina\Data aplikací\tmp8.tmp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Programy\QIP\qip.exe
C:\WINDOWS\system\msnrav.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Skupina\Plocha\HijakThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {629bcf92-1171-47fb-9ddf-19a28c42aba7} - C:\WINDOWS\system32\getsam.dll (file missing)
O2 - BHO: (no name) - {BB32C1C3-6775-41AF-9049-E88C9BBDCDAF} - C:\WINDOWS\System32\byvtt.dll (file missing)
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\System32\wvuurpm.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4D07D05-593E-46E6-82B0-B33670CE2C3F}: NameServer = 194.228.41.65 194.228.41.113
O20 - AppInit_DLLs: c:\windows\system32\awtqolk.dll
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O20 - Winlogon Notify: getsam - getsam.dll (file missing)
O20 - Winlogon Notify: wvuurpm - wvuurpm.dll (file missing)
O20 - Winlogon Notify: Đ8 - Đ8 (file missing)
O20 - Winlogon Notify: Đŕ - Đŕ (file missing)
O20 - Winlogon Notify: Ŕ@ - Ŕ@ (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - - C:\Documents and Settings\Skupina\Data aplikací\tmp8.tmp.exe
O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
help with a virus
- fredik (Security team member, Master Level 7, 4680 posts, registered July 06)
Welcome to the forum.
Download SDFix
- Run it; it unpacks onto the drive where Windows is installed (typically C:\SDFix).
- Then restart the PC into Safe Mode (choose Safe Mode, not Safe Mode with Networking).
- Open the folder where SDFix was unpacked and run RunThis.bat; that starts the program.
* Then press Y and Enter to start the cleaning process.
* To finish the check you will be prompted to press any key, and the computer will restart.
* While the operating system is starting up the program runs again and completes the cleaning process. When Finish appears you will have to press any key when prompted; that closes the program and your desktop icons will appear.
- Once the desktop icons have finished loading, the SDFix log opens on screen and is also saved in the folder where SDFix was unpacked as Report.txt.
Then paste its contents here.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Download Deckard's System Scanner (DSS) and save it to your desktop
- close all open windows and run it
- accept the licence terms and follow the instructions
- a system scan starts
- when the scan finishes the program creates two logs and displays them: main.txt and extra.txt; paste the contents of main.txt here
- otherwise the logs are saved in the folder c:\Deckard\System Scanner\
So here's the contents of that report:
SDFix: Version 1.115
Run by Skupina on st 21.11.2007 at 15:58
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
MSN RAV
xpdx
Path:
"C:\WINDOWS\system\msnrav.exe"
\??\C:\WINDOWS\System32\xpdx.sys
MSN RAV - Deleted
xpdx - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Service asc3550o - Deleted after Reboot
Service runtime2 - Deleted after Reboot
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\HEOVQL.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHQGHU.EXE - Deleted
C:\WINDOWS\SYSTEM32\PINLW.EXE - Deleted
C:\-12060~1 - Deleted
C:\Documents and Settings\Skupina\Data aplikací\tmp7.tmp.exe - Deleted
C:\Documents and Settings\Skupina\Data aplikací\tmp8.tmp.exe - Deleted
C:\Documents and Settings\Skupina\Data aplikací\tmpC.tmp.exe - Deleted
C:\DOCUME~1\Skupina\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system\msnrav.exe - Deleted
C:\WINDOWS\system32\3.tmp - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\5.tmp - Deleted
C:\WINDOWS\system32\6.tmp - Deleted
C:\WINDOWS\system32\7.tmp - Deleted
C:\WINDOWS\system32\D.tmp - Deleted
C:\WINDOWS\system32\0_exception.nls - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 16:01:46
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\\20\1\b]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x110\b8\b\30\a\2\2"
"Logon"="WLEventLogon\0\0\0\0\0003"
"Logoff"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\\20\1\b]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x110\b\x155\b\30\a\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\T\1\b]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x154\b@\b \a\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 19 Nov 2007 8 ..SHR --- "C:\WINDOWS\system32\E7034D519E.dll"
Mon 19 Nov 2007 6,470 A.SH. --- "C:\WINDOWS\system32\ttvyb.bak1"
Tue 20 Nov 2007 6,625 A.SH. --- "C:\WINDOWS\system32\ttvyb.bak2"
Finished!
- fredik (Security team member)
Paste the DSS log here as well.
//Added:
If you haven't made the DSS log yet, use this instead:
Download ComboFix (by sUBs) and save it to your desktop.
Close all open windows and run it.
- When it starts, the terms of use are displayed; accept them by pressing 1
- Then follow the instructions; while ComboFix is running, do not click in the window it shows
- After the scan finishes the program should create a log, C:\ComboFix.txt; please paste its entire contents here
- fredik (Security team member)
So make a log with Deckard's System Scanner (DSS), or doesn't that work for you either?
Lately my internet has been acting up, so I couldn't get on here.
And here's the log:
Deckard's System Scanner v20071014.68
Run by Skupina on 2007-11-25 11:28:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; unknown error code 0x00000001
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 256 MiB (512 MiB recommended).
-- HijackThis (run as Skupina.exe) ---------------------------------------------
Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-25 11:29:56
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Programy\QIP\qip.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Skupina\Plocha\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dl ... cid=0x0405
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {629bcf92-1171-47fb-9ddf-19a28c42aba7} - C:\WINDOWS\system32\getsam.dll (file missing)
O2 - BHO: (no name) - {BB32C1C3-6775-41AF-9049-E88C9BBDCDAF} - C:\WINDOWS\System32\byvtt.dll (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Související - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/ ... mv9dmo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{B4D07D05-593E-46E6-82B0-B33670CE2C3F}: NameServer = 194.228.41.65 194.228.41.113
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: c:\windows\system32\awtqolk.dll
O20 - Winlogon Notify: X - C:\WINDOWS\System32\ X (file missing)
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\System32\crehcjid.dll
O20 - Winlogon Notify: getsam - C:\WINDOWS\System32\getsam.dll (file missing)
O20 - Winlogon Notify: wvuurpm - C:\WINDOWS\System32\wvuurpm.dll (file missing)
O20 - Winlogon Notify: Đ8 - C:\WINDOWS\System32\Đ8 (file missing)
O20 - Winlogon Notify: Đŕ - C:\WINDOWS\System32\Đŕ (file missing)
O20 - Winlogon Notify: Ŕ@ - C:\WINDOWS\System32\Ŕ@ (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Skupina\Data aplikací\tmp8.tmp.exe /service
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 5823 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2007-10-25 and 2007-11-25 -----------------------------
2007-11-25 11:19:16 82820 -ra------ C:\WINDOWS\System32\scricon.exe
2007-11-25 11:17:45 510464 --a------ C:\WINDOWS\System32\wupdate.exe
2007-11-24 22:53:37 69 --a------ C:\WINDOWS\System32\ii
2007-11-24 22:41:34 0 d-------- C:\Documents and Settings\Skupina\Phone Browser
2007-11-24 19:10:44 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-11-24 19:10:29 0 d-------- C:\Program Files\SimpleCenter
2007-11-24 19:04:10 0 d-------- C:\Program Files\DIFX
2007-11-24 19:03:18 0 d-------- C:\Program Files\Common Files\Nokia
2007-11-24 19:02:17 0 d------c- C:\WINDOWS\System32\DRVSTORE
2007-11-24 19:01:15 0 d-------- C:\Program Files\Nokia
2007-11-24 19:01:15 0 d-------- C:\Program Files\Common Files\PCSuite
2007-11-24 19:01:10 0 d-------- C:\WINDOWS\Downloaded Installations
2007-11-22 12:55:13 1156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 18:33:18 0 d-------- C:\Program Files\Hamachi
2007-11-21 15:58:16 0 d-------- C:\WINDOWS\ERUNT
2007-11-20 22:58:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-20 22:17:27 6625 --ahs---- C:\WINDOWS\System32\ttvyb.bak2
2007-11-20 21:05:45 138624 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2007-11-20 20:53:18 0 d-------- C:\Documents and Settings\Skupina\Application Data
2007-11-20 20:53:18 0 d-------- C:\Documents and Settings\Skupina\Application Data\Spyware Terminator
2007-11-20 20:53:01 0 d-------- C:\Program Files\Spyware Terminator
2007-11-20 20:30:09 0 d-------- C:\Program Files\7-Zip
2007-11-20 20:29:23 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-11-20 20:29:06 0 d-------- C:\Program Files\Codec Pack - All In 1
2007-11-20 20:28:22 0 dr-h----- C:\$VAULT$.AVG
2007-11-19 20:48:41 6470 --ahs---- C:\WINDOWS\System32\ttvyb.bak1
2007-11-19 19:50:21 0 d---s---- C:\WINDOWS\System32\Microsoft
2007-11-19 19:33:09 16768 --a------ C:\WINDOWS\System32\tcpip_patcher.sys <Not Verified; http://www.kceasy.com; KCeasy tcpip.sys patcher>
2007-11-19 19:22:22 1474560 --a------ C:\WINDOWS\adiras.exe <Not Verified; ; adiras Application>
2007-11-19 19:22:21 127456 --a------ C:\WINDOWS\System32\ipdetect.exe <Not Verified; ; IPDETECT>
2007-11-19 19:22:20 126976 --a------ C:\WINDOWS\System32\coclassfast.dll
2007-11-19 19:22:17 135168 --a------ C:\WINDOWS\System32\unaddrv.exe <Not Verified; Analog Devices.; UnADdrv>
2007-11-19 19:22:17 46892 --a------ C:\WINDOWS\System32\adadix16.dll
2007-11-19 19:22:15 143360 --a------ C:\WINDOWS\autoclk.exe <Not Verified; ; autoclk Application>
2007-11-19 19:22:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 19:21:49 0 d-------- C:\Program Files\SAGEM
2007-11-19 18:27:06 0 d-------- C:\WINDOWS\nview
2007-11-19 18:26:49 0 d-------- C:\WINDOWS\System32\ReinstallBackups
2007-11-19 18:26:25 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-19 18:25:24 0 d-------- C:\NVIDIA
2007-11-19 18:17:20 8 -r-hs---- C:\WINDOWS\System32\E7034D519E.dll
2007-11-19 18:01:48 0 d-------- C:\WINDOWS\RegisteredPackages
2007-11-19 18:00:17 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-19 18:00:17 1703936 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-19 17:47:19 0 d-------- C:\WINDOWS\ShellNew
2007-11-19 17:35:12 0 d--hs---- C:\WINDOWS\Installer
2007-11-19 17:34:52 0 d--h----- C:\Documents and Settings\Skupina\Šablony
2007-11-19 17:34:52 0 dr-h----- C:\Documents and Settings\Skupina\SendTo
2007-11-19 17:34:52 0 dr-h----- C:\Documents and Settings\Skupina\Recent
2007-11-19 17:34:52 0 d-------- C:\Documents and Settings\Skupina\Plocha
2007-11-19 17:34:52 0 d--h----- C:\Documents and Settings\Skupina\Okolní tiskárny
2007-11-19 17:34:52 0 d--h----- C:\Documents and Settings\Skupina\Okolní síť
2007-11-19 17:34:52 0 dr------- C:\Documents and Settings\Skupina\Oblíbené položky
2007-11-19 17:34:52 1048576 --ah----- C:\Documents and Settings\Skupina\NTUSER.DAT
2007-11-19 17:34:52 0 dr------- C:\Documents and Settings\Skupina\Nabídka Start
2007-11-19 17:34:52 0 d--h----- C:\Documents and Settings\Skupina\Local Settings
2007-11-19 17:34:52 0 dr------- C:\Documents and Settings\Skupina\Dokumenty
2007-11-19 17:34:52 0 dr-h----- C:\Documents and Settings\Skupina\Data aplikací
2007-11-19 17:34:52 0 d---s---- C:\Documents and Settings\Skupina\Cookies
2007-11-19 17:33:24 0 d--hs---- C:\System Volume Information
2007-11-19 17:33:22 0 d-------- C:\WINDOWS\Prefetch
2007-11-19 17:27:57 0 d-------- C:\WINDOWS\System32\xircom
2007-11-19 17:27:57 0 d-------- C:\Program Files\microsoft frontpage
2007-11-19 17:27:17 0 -rahs---- C:\MSDOS.SYS
2007-11-19 17:27:17 0 -rahs---- C:\IO.SYS
2007-11-19 17:27:17 0 --a------ C:\CONFIG.SYS
2007-11-19 17:27:17 0 --a------ C:\AUTOEXEC.BAT
2007-11-19 17:25:16 0 dr------- C:\WINDOWS\Offline Web Pages
2007-11-19 17:25:16 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-11-19 17:24:35 0 d-------- C:\WINDOWS\srchasst
2007-11-19 17:24:26 0 d-------- C:\WINDOWS\System32\DirectX
2007-11-19 17:24:25 0 d-------- C:\WINDOWS\System32\Macromed
2007-11-19 17:24:13 0 d-------- C:\Program Files\Movie Maker
2007-11-19 17:23:41 0 d-------- C:\WINDOWS\System32\Restore
2007-11-19 17:23:35 0 d-------- C:\WINDOWS\PCHEALTH
2007-11-19 17:23:29 0 d---s---- C:\WINDOWS\Tasks
2007-11-19 17:23:25 0 d-------- C:\Program Files\Common Files\MSSoap
2007-11-19 17:22:29 21812 --a------ C:\WINDOWS\System32\emptyregdb.dat
2007-11-19 17:22:00 0 d-------- C:\WINDOWS\Registration
2007-11-19 17:21:47 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-19 17:21:47 0 d-------- C:\Program Files\Online Services
2007-11-19 17:21:35 0 d-------- C:\Program Files\Messenger
2007-11-19 17:21:26 0 d-------- C:\Program Files\MSN Gaming Zone
2007-11-19 17:21:12 0 d-------- C:\Program Files\Windows NT
2007-11-19 17:20:58 0 d-------- C:\WINDOWS\System32\MsDtc
2007-11-19 17:20:54 0 d-------- C:\WINDOWS\System32\Com
-- Find3M Report ---------------------------------------------------------------
2007-11-25 09:49:11 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\AVG7
2007-11-24 19:10:44 0 d-------- C:\Program Files\Common Files
2007-11-24 19:02:54 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\PC Suite
2007-11-23 18:54:36 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\Hamachi
2007-11-21 23:27:23 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\Macromedia
2007-11-21 16:38:33 309990 --a------ C:\WINDOWS\System32\perfh005.dat
2007-11-21 16:38:33 46196 --a------ C:\WINDOWS\System32\perfc005.dat
2007-11-20 22:58:11 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\Mozilla
2007-11-20 20:52:38 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\Help
2007-11-19 17:35:08 0 d-------- C:\Documents and Settings\Skupina\Data aplikací\Identities
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{629bcf92-1171-47fb-9ddf-19a28c42aba7}]
C:\WINDOWS\system32\getsam.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB32C1C3-6775-41AF-9049-E88C9BBDCDAF}]
C:\WINDOWS\System32\byvtt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 20:25]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-11-20 21:04]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-11-19 19:22:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ X]
X
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll 2007-11-19 21:14 90112 C:\WINDOWS\system32\crehcjid.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\getsam]
getsam.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpm]
wvuurpm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Đ8]
Đ8
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Đŕ]
Đŕ
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Ŕ@ ]
Ŕ@
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\awtqolk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\byvtt.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule
-- End of Deckard's System Scanner: finished at 2007-11-25 11:34:27 ------------
fredik, Security team member (Master Level 7, Posts: 4680, Registered: July 06):
No.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
1)
Test this file on VirusTotal and post the result here.
C:\WINDOWS\System32\E7034D519E.dll
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2)
Run HijackThis again and tick the boxes in front of these lines:
O2 - BHO: (no name) - {629bcf92-1171-47fb-9ddf-19a28c42aba7} - C:\WINDOWS\system32\getsam.dll (file missing)
O2 - BHO: (no name) - {BB32C1C3-6775-41AF-9049-E88C9BBDCDAF} - C:\WINDOWS\System32\byvtt.dll (file missing)
O20 - Winlogon Notify: X - C:\WINDOWS\System32\ X (file missing)
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\System32\crehcjid.dll
O20 - Winlogon Notify: getsam - C:\WINDOWS\System32\getsam.dll (file missing)
O20 - Winlogon Notify: wvuurpm - C:\WINDOWS\System32\wvuurpm.dll (file missing)
O20 - Winlogon Notify: Đ8 - C:\WINDOWS\System32\Đ8 (file missing)
O20 - Winlogon Notify: Đŕ - C:\WINDOWS\System32\Đŕ (file missing)
O20 - Winlogon Notify: Ŕ@ - C:\WINDOWS\System32\Ŕ@ (file missing)
After ticking them, click the Fix Checked button.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
3)
Download Avenger and run it under an administrator account.
Choose the option Input script manually and click the magnifying-glass icon; an empty window pops up, into which you copy the following text (shown in bold in the original post):
Files to delete:
C:\WINDOWS\System32\scricon.exe
C:\WINDOWS\System32\wupdate.exe
C:\WINDOWS\System32\ii
C:\WINDOWS\System32\ttvyb.bak2
C:\WINDOWS\System32\ttvyb.bak1
C:\WINDOWS\system32\crehcjid.dll
c:\windows\system32\awtqolk.dll
Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Then click Done.
Then click the traffic-light icon.
A prompt pops up; click Yes. The PC restarts, and after the restart the Avenger report should pop up; copy it here.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
4)
Open Notepad (Start -> Run..., type Notepad in the box and click OK)
Copy the following text (shown in green in the original post) into it:
REGEDIT4

; Resets LSA's "Authentication Packages" list to msv1_0 alone (REG_MULTI_SZ: "msv1_0", NUL, NUL), which drops byvtt.dll from it
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Then choose File -> Save As... and set these parameters:
File name: type fix.reg
Save as type: select All Files
Save the file to the desktop.
A file named fix.reg should appear on the desktop; run it, a prompt appears where you click Yes, then another prompt appears where you click OK.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Try downloading ComboFix again and post its log here if it runs through. If not, make a new DSS log.
In your next post, include these logs/results:
- ComboFix/DSS log
- VirusTotal result
- Avenger log
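An added example, not part of the thread and not code from HijackThis, Avenger or DSS: the Python below does in code what fredik's reply does by eye. It reads HijackThis-style lines for the persistence points that matter here (a BHO whose DLL is "file missing", a non-empty AppInit_DLLs, a Winlogon Notify entry outside the stock XP set, a service running from a user profile or with an unknown owner), checks the LSA "Authentication Packages" value for anything besides msv1_0, and then produces the two artefacts the reply hands back: an Avenger "Files to delete" script and a REGEDIT4 .reg file, including how the hex(7) bytes for msv1_0 are derived. The sample log lines are constructed for the example, and the set of stock XP Winlogon Notify names is from memory of a default install, so treat it as an assumption to verify against a clean machine.

```python
"""Triage of HijackThis-style lines for the persistence points a malware
removal thread turns on (BHO, AppInit_DLLs, Winlogon Notify, LSA
authentication packages, services), plus generation of the two fix
artefacts an analyst hands back: an Avenger script and a REGEDIT4 file."""
import re
from typing import List, Tuple

# Stock Winlogon\Notify subkeys of a Windows XP install, from memory of a
# default registry (assumption: anything not listed here gets flagged).
XP_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample in the shape of the HijackThis clone output in the
# thread; a handful of representative lines, not the full log.
SAMPLE_HJT = (
    "O2 - BHO: (no name) - {629bcf92-1171-47fb-9ddf-19a28c42aba7} - C:\\WINDOWS\\system32\\getsam.dll (file missing)\n"
    "O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP\n"
    "O20 - AppInit_DLLs: c:\\windows\\system32\\awtqolk.dll\n"
    "O20 - Winlogon Notify: crehcjid - C:\\WINDOWS\\System32\\crehcjid.dll\n"
    "O20 - Winlogon Notify: wvuurpm - C:\\WINDOWS\\System32\\wvuurpm.dll (file missing)\n"
    "O20 - Winlogon Notify: Schedule - C:\\WINDOWS\\System32\\wlnotify.dll\n"
    "O23 - Service: DomainService - Unknown owner - C:\\Documents and Settings\\Skupina\\Data aplikací\\tmp8.tmp.exe /service\n"
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe\n"
)
# Constructed copy of the DSS "Authentication Packages" value from the thread.
SAMPLE_LSA = "msv1_0 C:\\WINDOWS\\System32\\byvtt.dll"

Finding = Tuple[str, str]  # (reason, offending path or entry)


def triage_hjt(log: str) -> List[Finding]:
    """Return (reason, item) pairs for lines matching a suspicious pattern."""
    hits: List[Finding] = []
    for line in log.splitlines():
        if line.startswith("O2 - BHO:") and "(file missing)" in line:
            # Registry still names a DLL the scanner cannot see: either a
            # stale registration or a file hidden from user-mode tools.
            hits.append(("BHO with missing file", line.split(" - ")[-1]))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # XP ships this empty; anything here loads into every user32 process
                hits.append(("AppInit_DLLs set", value))
        elif line.startswith("O20 - Winlogon Notify:"):
            m = re.match(r"O20 - Winlogon Notify: (\S+) - (.+)", line)
            if m and m.group(1).lower() not in XP_WINLOGON_NOTIFY:
                hits.append(("non-default Winlogon Notify", m.group(2)))
        elif line.startswith("O23 - Service:"):
            parts = [p.strip() for p in line.split(" - ")]
            owner, image = parts[2], parts[3]
            if owner == "Unknown owner" or "\\Documents and Settings\\" in image:
                hits.append(("service with unknown owner or profile-dir image", image))
    return hits


def lsa_extra_packages(value: str) -> List[str]:
    """Anything besides msv1_0 in LSA's Authentication Packages is a DLL that
    LSASS loads at boot as SYSTEM and that sees every logon credential."""
    return [p for p in value.split() if p.lower() != "msv1_0"]


def avenger_script(paths: List[str]) -> str:
    """Emit the 'Files to delete:' block in the form Avenger's script takes."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


def reg_multi_sz_hex(values: List[str]) -> str:
    """Encode strings as a REGEDIT4 hex(7) (REG_MULTI_SZ) value: REGEDIT4 is
    the ANSI format (latin-1 assumed here), each string NUL-terminated and
    the list closed by one more NUL, so ["msv1_0"] -> 6d,73,76,31,5f,30,00,00."""
    raw = b"".join(v.encode("latin-1") + b"\x00" for v in values) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def build_fix_reg(packages: List[str]) -> str:
    """Write a .reg file that resets Authentication Packages to `packages`."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        f'"Authentication Packages"=hex(7):{reg_multi_sz_hex(packages)}\n'
    )


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT)
    for reason, item in hits:
        print(f"[{reason}] {item}")
    print("extra LSA packages:", lsa_extra_packages(SAMPLE_LSA))
    # Only files the scanner could actually see go into the Avenger script.
    present = [i for r, i in hits if r != "BHO with missing file" and "(file missing)" not in i]
    print(avenger_script(present))
    print(build_fix_reg(["msv1_0"]))
```

The "(file missing)" entries are the ones to read carefully: HijackThis could not open the DLL, yet the registry still names it, so either the registration is stale or the file is hidden from user-mode tools. That is also why the reply removes crehcjid.dll and awtqolk.dll through Avenger, which applies its script at the next boot, rather than by deleting them from Explorer while the Winlogon Notify and AppInit hooks are loaded.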