Preventivni kontrola Diky moc

[TTT_111]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:24:12 PM, on 5/1/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\58487ff7\jusched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Unikey32\UniKeyNT.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\admin\My Documents\Downloads\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 69.63.181.12 apps.facebook.com
O1 - Hosts: 66.220.149.11 facebook.com
O1 - Hosts: 125.252.224.88 www.facebook.com
O1 - Hosts: 125.252.224.88 logins.facebook.com
O1 - Hosts: 153.16.15.71 www.facebook.com
O1 - Hosts: 153.16.15.71 www.logins.facebook.com
O1 - Hosts: 153.16.15.71 facebook.com
O1 - Hosts: 153.16.15.71 logins.facebook.com
O1 - Hosts: 153.16.15.71 apps.facebook.com
O1 - Hosts: 153.16.15.71 upload.facebook.com
O1 - Hosts: 153.16.15.71 www.connect.facebook.com
O1 - Hosts: 153.16.15.71 graph.facebook.com
O1 - Hosts: 153.16.15.71 static.ak.connect.facebook.com
O1 - Hosts: 153.16.15.71 developers.facebook.com
O1 - Hosts: 153.16.15.71 error.facebook.com
O1 - Hosts: 66.220.158.43 apps.facebook.com
O1 - Hosts: 69.63.189.16 apps.facebook.com
O1 - Hosts: 153.16.15.71 api.facebook.com
O1 - Hosts: 153.16.15.71 chanel.facebook.com
O1 - Hosts: 153.16.15.71 0.50.chanel.facebook.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [UniKey] C:\Program Files\Unikey32\UniKeyNT.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6285 bytes

[Reklama]

[TTT_111]

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.01.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
admin :: PC2011101313ZAZ [administrator]

5/1/2012 11:32:42 PM
mbam-log-2012-05-01 (23-38-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180626
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Detected: 1
C:\Program Files\58487ff7\jusched.exe (Backdoor.IRCBot) -> 1840 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Program Files\58487ff7\jusched.exe (Backdoor.IRCBot) -> No action taken.
C:\Documents and Settings\admin\Local Settings\Temp\58487ff726.exe (Backdoor.IRCBot) -> No action taken.
C:\WINDOWS\Fonts\VCAD.COM (Malware.Generic) -> No action taken.
C:\WINDOWS\Tasks\Update23.job (Trojan.Jusched) -> No action taken.

(end)

[jaro3]

. Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Ukaž výsledky
- ujisti se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Odstranit označené
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Můžeš sem pak vložit nový log z MbAM.

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:
Návod

Kód: Vybrat vše

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yandex.com
O1 - Hosts: 69.63.181.12 apps.facebook.com
O1 - Hosts: 66.220.149.11 facebook.com
O1 - Hosts: 125.252.224.88 www.facebook.com
O1 - Hosts: 125.252.224.88 logins.facebook.com
O1 - Hosts: 153.16.15.71 www.facebook.com
O1 - Hosts: 153.16.15.71 www.logins.facebook.com
O1 - Hosts: 153.16.15.71 facebook.com
O1 - Hosts: 153.16.15.71 logins.facebook.com
O1 - Hosts: 153.16.15.71 apps.facebook.com
O1 - Hosts: 153.16.15.71 upload.facebook.com
O1 - Hosts: 153.16.15.71 www.connect.facebook.com
O1 - Hosts: 153.16.15.71 graph.facebook.com
O1 - Hosts: 153.16.15.71 static.ak.connect.facebook.com
O1 - Hosts: 153.16.15.71 developers.facebook.com
O1 - Hosts: 153.16.15.71 error.facebook.com
O1 - Hosts: 66.220.158.43 apps.facebook.com
O1 - Hosts: 69.63.189.16 apps.facebook.com
O1 - Hosts: 153.16.15.71 api.facebook.com
O1 - Hosts: 153.16.15.71 chanel.facebook.com
O1 - Hosts: 153.16.15.71 0.50.chanel.facebook.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Stáhni si ATF Cleaner
Poklepej na ATF Cleaner.exe, klikni na select all found, poté:
-Když používáš Firefox (Mozzila), klikni na Firefox nahoře a vyber: Select All, poté klikni na Empty Selected.
-Když používáš Operu, klikni nahoře na Operu a vyber: Select All, poté klikni na Empty Selected. Poté klikni na Main (hlavní stránku ) a klikni na Empty Selected.
Po vyčištění klikni na Exit k zavření programu.
ATF-Cleaner je jednoduchý nástroj na odstranění historie z webového prohlížeče. Program dokáže odstranit cache, cookies, historii a další stopy po surfování na Internetu. Mezi podporované prohlížeče patří Internet Explorer, Firefox a Opera. Aplikace navíc umí odstranit dočasné soubory Windows, vysypat koš atd.

C:\Program Files\58487ff7--zkus odinstalovat , když nepůjde , smaž tu složku.

Vypni rez. ochranu u antiviru a antispywaru,příp. firewall..

Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah
Pokud budou problémy , spusť ho v nouz. režimu.

Upozornění : Může se stát, že po aplikaci Combofixu a restartu počítače, Windows nenaběhnou , nebo nenajede plocha , budou problémy s připojením, pak znovu restartuj počítač, pokud to nepomůže , po restartu mačkej klávesu F8 a pak zvol poslední známou funkční konfiguraci. , či použij bod obnovy.

[TTT_111]

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.01.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
admin :: PC2011101313ZAZ [administrator]

5/2/2012 9:14:14 AM
mbam-log-2012-05-02 (09-14-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 178240
Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[TTT_111]

ComboFix 12-05-01.03 - admin 05/02/2012 9:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.1336 [GMT 7:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Application Data\IDM\idmmzcc3
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\chrome.manifest
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\idmhelper.js
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\idmmzcc.dll
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\iIDMHelper.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\iIDMMzCC.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\install.js
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\install.rdf
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\manifest.mf
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\zigbert.sf
c:\documents and settings\admin\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\Fonts\SLIDELIB.EXE
c:\windows\Fonts\VNACAD.EXE
.
.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-01 16:31 . 2012-04-04 08:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-20 06:38 . 2012-04-20 06:38 -------- d-----w- c:\documents and settings\admin\Application Data\Avira
2012-04-05 12:01 . 2012-04-14 17:01 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-05 11:38 . 2012-04-14 17:01 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 17:01 . 2011-10-13 05:41 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 11:08 . 2012-01-27 10:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2008-04-14 11:00 60416 -csha-w- c:\windows\system32\dllcache\msimn.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="c:\program files\Unikey32\UniKeyNT.exe" [2009-11-01 261632]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-01-31 17147528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-22 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-21 17:18 6276408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 04:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
2001-09-05 23:03 106544 ----a-w- c:\windows\system32\TWEAKUI.CPL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2011 12:42 PM 136360]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [10/13/2011 12:34 PM 62576]
S0 SMBALI;SMBALI;c:\windows\system32\DRIVERS\SMBALI.sys --> c:\windows\system32\DRIVERS\SMBALI.sys [?]
S0 SMBHC;SMBHC;c:\windows\system32\DRIVERS\SMBHC.sys --> c:\windows\system32\DRIVERS\SMBHC.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/31/2012 3:09 PM 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 6:38 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/13/2011 1:24 PM 1691480]
S3 FXDrv32;FXDrv32;\??\f:\fxdrv32.sys --> f:\FXDrv32.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.anninhthudo.vn/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
TCP: DhcpNameServer = 192.168.9.1
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\4tkxderh.default\
FF - prefs.js: browser.startup.homepage - hxxp://vietnamnet.vn/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-02 09:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ac,20,f1,ee,a5,89,79,0a,30,31,a1,f8,21,c4,08,31,c6,2c,95,b7,e2,
6d,2d,a0,39,90,04,e0,2b,77,14,9a,c3,7a,06,5c,f9,a1,a1,a5,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e0e32537-5674-4f1a-937a-3b8694112ef5}]
@Denied: (Full) (Everyone)
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\idmmbc.dll
.
Completion time: 2012-05-02 09:28:41
ComboFix-quarantined-files.txt 2012-05-02 02:28
.
Pre-Run: 47,762,419,712 bytes free
Post-Run: 47,730,819,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\hiren.bin="Hiren's Boot HDD v10.5"
.
- - End Of File - - 0AE8ADCEB41992038644DB7F34732A9D

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:

Kód: Vybrat vše

File::
c:\program files\Skype\Updater\Updater.exe

Driver::
SMBALI
SMBHC
SkypeUpdate


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Upozornění : Může se stát, že po aplikaci Combofixu a restartu počítače, Windows nenaběhnou , nebo nenajede plocha , budou problémy s připojením, pak znovu restartuj počítač, pokud to nepomůže , po restartu mačkej klávesu F8 a pak zvol poslední známou funkční konfiguraci. , či použij bod obnovy.

Stáhni si aswMBR
na svojí plochu. Uzavři všechna okna , programy a prohlížeče. Poklepej na aswMBR.exe. Pokud se objeví hláška o možnosti stáhnutí databáze Avastu , klikni na NE. Poté klikni na „Scan“ . Po skenu klikni na „Save Log“ a ulož si log na plochu .Zkopíruj sem celý obsah toho logu. Pak klikni na „Exit“ k zavření programu.

V možnostech složky si povol zobrazování skrytých souborů a složek+ odškrtni zatržítko skrýt chráněné soubory operačního systému

Toto otestuj na Virustotal
c:\windows\system32\sfcfiles.dll

Klikni vpravo od okénka na Vybrat a v Exploreru najdi požadovaný soubor v Tvém PC. Označ ho myší a klikni na Otevřít , poté klikni na Send File. Pokud už byl soubor testován , objeví se okno ve kterém klikni na Reanalyze. Soubor se začne postupně testovat více antivirovými programy. Až skončí test posledního antiviru , objeví se nahoře result a červeně počet nákaz , např. 0/43 , nebo 1/43. Pak zkopíruj myší odkaz na tuto stránku a vlož ji do svého příspěvku.

[TTT_111]

ComboFix 12-05-01.03 - admin 05/02/2012 22:42:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.1342 [GMT 7:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\program files\Skype\Updater\Updater.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\admin\Application Data\IDM\idmmzcc3
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\chrome.manifest
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\idmhelper.js
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\idmmzcc.dll
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\iIDMHelper.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\components2\iIDMMzCC.xpt
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\install.js
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\install.rdf
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\manifest.mf
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\documents and settings\admin\Application Data\IDM\idmmzcc3\META-INF\zigbert.sf
c:\program files\Skype\Updater\Updater.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SKYPEUPDATE
-------\Service_SkypeUpdate
-------\Service_SMBALI
-------\Service_SMBHC
.
.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-01 16:31 . 2012-05-01 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-01 16:31 . 2012-04-04 08:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-20 06:38 . 2012-04-20 06:38 -------- d-----w- c:\documents and settings\admin\Application Data\Avira
2012-04-05 12:01 . 2012-04-14 17:01 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-05 11:38 . 2012-04-14 17:01 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 17:01 . 2011-10-13 05:41 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-18 11:08 . 2012-01-27 10:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2008-04-14 11:00 60416 -csha-w- c:\windows\system32\dllcache\msimn.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-05-02_02.22.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-02 15:46 . 2012-05-02 15:46 16384 c:\windows\temp\Perflib_Perfdata_cdc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="c:\program files\Unikey32\UniKeyNT.exe" [2009-11-01 261632]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-01-31 17147528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-22 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-21 17:18 6276408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 04:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
2001-09-05 23:03 106544 ----a-w- c:\windows\system32\TWEAKUI.CPL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/13/2011 12:42 PM 136360]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [10/13/2011 12:34 PM 62576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 6:38 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/13/2011 1:24 PM 1691480]
S3 FXDrv32;FXDrv32;\??\f:\fxdrv32.sys --> f:\FXDrv32.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.anninhthudo.vn/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
TCP: DhcpNameServer = 192.168.9.1
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\4tkxderh.default\
FF - prefs.js: browser.startup.homepage - hxxp://vietnamnet.vn/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-02 22:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ac,20,f1,ee,a5,89,79,0a,30,31,a1,f8,21,c4,08,31,c6,2c,95,b7,e2,
6d,2d,a0,39,90,04,e0,2b,77,14,9a,c3,7a,06,5c,f9,a1,a1,a5,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e0e32537-5674-4f1a-937a-3b8694112ef5}]
@Denied: (Full) (Everyone)
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\idmmbc.dll
.
- - - - - - - > 'explorer.exe'(1768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2012-05-02 22:52:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-02 15:52
ComboFix2.txt 2012-05-02 02:28
.
Pre-Run: 47,624,445,952 bytes free
Post-Run: 47,584,808,960 bytes free
.
- - End Of File - - F3826CF420B37E84E002A9EDA499E856

[jaro3]

Máš tam nákazu v IDM , raději ho odinstaluj..

uStart Page = hxxp://www.anninhthudo.vn/
ta stránka Ti něco říká??

f:\FXDrv32.sys to je co?


Ten virus total , ješte
c:\windows\system32\dllcache\msimn.exe
+
co jsem psal minule:
c:\windows\system32\sfcfiles.dll

Stáhni si aswMBR
na svojí plochu. Uzavři všechna okna , programy a prohlížeče. Poklepej na aswMBR.exe. Pokud se objeví hláška o možnosti stáhnutí databáze Avastu , klikni na NE. Poté klikni na „Scan“ . Po skenu klikni na „Save Log“ a ulož si log na plochu .Zkopíruj sem celý obsah toho logu. Pak klikni na „Exit“ k zavření programu.

[TTT_111]

c:\windows\system32\sfcfiles.dll ---- link< https://www.virustotal.com/file/8b9ef2f ... 336018833/

[jaro3]

a c:\windows\system32\dllcache\msimn.exe ?

[TTT_111]

c:\windows\system32\dllcache\msimn.exe link [
https://www.virustotal.com/file/5c60d72 ... /analysis/

[TTT_111]

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-04 19:12:27
-----------------------------
19:12:27.578 OS Version: Windows 5.1.2600 Service Pack 3
19:12:27.578 Number of processors: 2 586 0x170A
19:12:27.578 ComputerName: PC2011101313ZAZ UserName: admin
19:12:29.968 Initialize success
19:12:44.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
19:12:44.031 Disk 0 Vendor: ST250DM000-1BD141 KC44 Size: 238475MB BusType: 3
19:12:44.062 Disk 0 MBR read successfully
19:12:44.062 Disk 0 MBR scan
19:12:44.062 Disk 0 unknown MBR code
19:12:44.062 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 51207 MB offset 63
19:12:44.062 Disk 0 Partition - 00 05 Extended 187265 MB offset 104872320
19:12:44.078 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 81925 MB offset 104872383
19:12:44.078 Disk 0 Partition - 00 05 Extended 105340 MB offset 272655180
19:12:44.093 Disk 0 scanning sectors +488392065
19:12:44.171 Disk 0 scanning C:\WINDOWS\system32\drivers
19:12:50.296 Service scanning
19:12:52.109 Service FXDrv32 F:\FXDrv32.sys **LOCKED** 21
19:12:56.734 Modules scanning
19:13:10.968 Disk 0 trace - called modules:
19:13:10.984
19:13:10.984 Scan finished successfully
19:13:21.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\Desktop\MBR.dat"
19:13:21.328 The log file has been saved successfully to "C:\Documents and Settings\admin\Desktop\aswMBR.txt"