The Vundo infiltration is still present:
For now, fix these in HJT:
O2 - BHO: (no name) - {48967055-9F47-4C88-AC52-1A22EE401115} - C:\WINNT\System32\pmkhg.dll (file missing)
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - C:\WINNT\System32\awtroom.dll (file missing)
O4 - HKCU\..\Run: [melg3445] C:\4.exe
In the VundoFix guide I linked there is also a second tool mentioned, VirtumundoBegone; please use it too. Post its log here plus a new HJT log.
No folders on the desktop can be opened
(original poster, newcomer, Vysoké Mýto):
So I did everything and here are the results (after every boot I move the file helpermdmdd.exe from WINNT/system32, which avast! finds, to the Chest):
[06/11/2007, 21:51:00] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\petra\Plocha\VirtumundoBeGone.exe" )
[06/11/2007, 21:51:20] - Detected System Information:
[06/11/2007, 21:51:20] - Windows Version: 5.0.2195, Service Pack 3
[06/11/2007, 21:51:20] - Current Username: Vítek (Admin)
[06/11/2007, 21:51:20] - Windows is in NORMAL mode.
[06/11/2007, 21:51:20] - Searching for Browser Helper Objects:
[06/11/2007, 21:51:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/11/2007, 21:51:20] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[06/11/2007, 21:51:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/11/2007, 21:51:20] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[06/11/2007, 21:51:20] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[06/11/2007, 21:51:20] - BHO 3: {E12BFF69-38A7-406e-A8EF-2738107A7831} ()
[06/11/2007, 21:51:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/11/2007, 21:51:20] - Checking for HKLM\...\Winlogon\Notify\jrtfwkad
[06/11/2007, 21:51:20] - Key not found: HKLM\...\Winlogon\Notify\jrtfwkad, continuing.
[06/11/2007, 21:51:20] - Finished Searching Browser Helper Objects
[06/11/2007, 21:51:20] - Finishing up...
[06/11/2007, 21:51:20] - Nothing found! Exiting...
Logfile of HijackThis v1.99.1
Scan saved at 21:51:55, on 11.6.2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Documents and Settings\petra\Plocha\HijackThis\hájdžek.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Poskytovatel aplikace Microsoft Internet Explorer: Computer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINNT\System32\jrtfwkad.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\System32\wuxrhanq.dll",realset
O4 - HKLM\..\Run: [melg3445] C:\4.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{B57D0DBD-0293-43B4-88FA-23E14436A533}: NameServer = 213.250.218.130,213.250.192.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
fredik (member of the Security team):
Run VundoFix again and click the Scan for Vundo button. After the scan finishes, right-click in the white window in the middle and choose Add more files?. A small window with three lines appears; paste this bold-marked text into the first one:
C:\WINNT\System32\jrtfwkad.dll
and as the second:
C:\WINNT\System32\wuxrhanq.dll
Then click Add File(s) and press the Close Window button; the window closes.
Then click Remove Vundo.
The removal starts, then the PC will probably restart. Then post the VundoFix log here.
Download and run ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- After starting, the terms of use are displayed; confirm them by pressing the 1 key
- Then follow the instructions; while ComboFix is running, do not click into the window it displays
- After the scan completes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here
+ post a new HJT log here.
Try to delete this file:
C:\4.exe
If it won't work, say so. To find it more easily, try turning on the display of hidden files and folders.
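One way to triage the O2 (BHO) and O4 (Run) lines the helpers single out above, and to check which of them survive from one HJT log to the next, as an added example that is not part of the thread. The regexes follow the HijackThis 1.99.1 line layout seen in the logs; the two sample logs are constructed from the thread's 11.6. and 12.6. logs, the function names are my own, and every rule is a heuristic that yields something to verify, not a verdict.

```python
"""Triage of HijackThis 1.99.1 O2 (BHO) and O4 (Run) lines, plus a before/after comparison."""
import re
from typing import Dict, List, Tuple

# O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 - <hive>\..\Run: [<value name>] <command line>   (Startup-folder O4 lines are ignored)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)   # file sits directly in System32
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")                 # file sits directly in a drive root


def target_of(cmd: str) -> str:
    """Best-effort path of the file a Run value really loads (the DLL for rundll32 launchers)."""
    if cmd.lower().startswith("rundll32"):
        rest = cmd[len("rundll32"):]
        rest = rest[4:] if rest.lower().startswith(".exe") else rest
        m = re.match(r'"([^"]+)"|([^,]+)', rest.strip())
        return (m.group(1) or m.group(2)).strip() if m else ""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0].strip()   # drop trailing /switches


def parse_entries(log: str) -> List[Dict[str, object]]:
    """One dict per O2 line or O4 Run line; every other HJT section is skipped."""
    entries: List[Dict[str, object]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "line": line, "name": m["name"], "clsid": m["clsid"].upper(),
                            "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "line": line, "hive": m["hive"], "value": m["value"],
                            "cmd": m["cmd"], "path": target_of(m["cmd"])})
    return entries


def triage(entries: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(reason, line) for every entry worth a second look. Heuristics, not verdicts."""
    findings = []
    for e in entries:
        path = str(e["path"])
        if e["kind"] == "O2":
            if e["missing"]:
                findings.append(("orphaned BHO: CLSID still registered but the DLL is gone", e["line"]))
            elif e["name"] == "(no name)" and SYSTEM32.search(path):
                findings.append(("unnamed BHO loaded straight from System32", e["line"]))
        elif DRIVE_ROOT.match(path):
            # A Run value is a registry entry, so it still shows up after the file itself was deleted.
            findings.append(("Run value starts an executable from the drive root", e["line"]))
        elif str(e["cmd"]).lower().startswith("rundll32") and SYSTEM32.search(path):
            findings.append(("rundll32 loads a System32 DLL; confirm it belongs to a known product", e["line"]))
    return findings


def compare(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """Entries removed, entries added, and flagged entries that survived the cleanup."""
    old = {e["line"] for e in parse_entries(before)}
    new_entries = parse_entries(after)
    new = {e["line"] for e in new_entries}
    persisting = [line for _, line in triage(new_entries) if line in old]
    return sorted(old - new), sorted(new - old), persisting


# Constructed samples modelled on the thread's two HJT logs, trimmed to the O2/O4 lines that matter.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINNT\System32\jrtfwkad.dll
O2 - BHO: (no name) - {48967055-9F47-4C88-AC52-1A22EE401115} - C:\WINNT\System32\pmkhg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINNT\System32\wuxrhanq.dll",realset
O4 - HKLM\..\Run: [melg3445] C:\4.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [melg3445] C:\4.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [melg3445] C:\4.exe
"""

if __name__ == "__main__":
    for reason, line in triage(parse_entries(LOG_BEFORE)):
        print(f"[{reason}] {line}")
    removed, added, persisting = compare(LOG_BEFORE, LOG_AFTER)
    print(f"removed={len(removed)} added={len(added)} still flagged={len(persisting)}")
```

The persisting list is exactly the case the thread ends on: a Run value whose target file is already gone is fixed in HJT (the registry entry), not on disk.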
(original poster, newcomer, Vysoké Mýto):
So it's done now; 4.exe doesn't show on C:\ even with hidden files displayed... yet it is still in the HJT log, so I don't know how to get rid of it.
Vundo:
No infected files were found.
Logfile of HijackThis v1.99.1
Scan saved at 20:24:47, on 12.6.2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Documents and Settings\petra\Plocha\HijackThis\hájdžek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [melg3445] C:\4.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [melg3445] C:\4.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{B57D0DBD-0293-43B4-88FA-23E14436A533}: NameServer = 213.250.218.130,213.250.192.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
ComboFix 07-06-11.3 - F:\léčba počítače\ComboFix.exe
"vítek" - 12.06.2007 19:59:58 - Service Pack 3 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\uuhgmlqb.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\4.exe
C:\WINNT\system32\.exe
((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))
2007-06-12 19:59 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-10 08:32 1,156 --a------ C:\WINNT\mozver.dat
2007-06-10 08:30 0 --a------ C:\WINNT\nsreg.dat
2007-06-07 11:25 <DIR> d-------- C:\DOCUME~1\-\DATAAP~1\Comodo
2007-06-06 21:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1f8.dat
2007-06-06 20:42 <DIR> d-------- C:\VundoFix Backups
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\petra\DATAAP~1\Comodo
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-06-06 20:19 <DIR> d-------- C:\Program Files\Comodo
2007-06-05 21:31 14,868 --a------ C:\WINNT\system32\dsvuhyjb.exe
2007-06-05 21:11 389 --a------ C:\ii.exe
2007-06-04 22:52 2,580 --a------ C:\WINNT\system32\mdijlyrm.exe
2007-06-04 22:52 2,580 --a------ C:\WINNT\system32\ksahgmen.exe
2007-06-04 22:47 2,580 --a------ C:\WINNT\system32\lsguqres.exe
2007-06-04 22:46 2,580 --a------ C:\WINNT\system32\xyrddqqu.exe
2007-06-04 22:45 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-06-04 22:43 2,580 --a------ C:\WINNT\system32\nsyckywp.exe
2007-06-04 22:38 2,580 --a------ C:\WINNT\system32\rewhkagb.exe
2007-06-04 22:36 2,580 --a------ C:\WINNT\system32\mlmpcixn.exe
2007-06-04 22:17 2,580 --a------ C:\WINNT\system32\qfygnywj.exe
2007-06-04 22:17 2,580 --a------ C:\WINNT\system32\jyixyisx.exe
2007-06-04 22:14 2,580 --a------ C:\WINNT\system32\lvjqaknh.exe
2007-06-04 21:56 2,580 --a------ C:\WINNT\system32\ldxhmlfe.exe
2007-06-04 21:55 2,580 --a------ C:\WINNT\system32\psfolkhk.exe
2007-06-04 21:55 2,580 --a------ C:\WINNT\system32\gbjqnfkd.exe
2007-06-04 21:54 2,580 --a------ C:\WINNT\system32\jjdfedro.exe
2007-06-04 21:45 2,580 --a------ C:\WINNT\system32\fyidkyyj.exe
2007-06-04 21:45 2,580 --a------ C:\WINNT\system32\acaxbidq.exe
2007-06-04 21:40 2,580 --a------ C:\WINNT\system32\aelmnjsn.exe
2007-06-04 21:25 2,580 --a------ C:\WINNT\system32\cyhqohut.exe
2007-06-04 21:25 2,580 --a------ C:\WINNT\system32\cqmqadwk.exe
2007-06-04 21:25 2,580 --a------ C:\WINNT\system32\cngimntr.exe
2007-06-04 21:23 2,580 --a------ C:\WINNT\system32\wxmhqlfy.exe
2007-06-04 21:23 2,580 --a------ C:\WINNT\system32\ibxwcxod.exe
2007-06-04 21:21 2,580 --a------ C:\WINNT\system32\dkxkcfjv.exe
2007-06-03 20:03 2,580 --a------ C:\WINNT\system32\fawxioco.exe
2007-06-03 20:02 37,376 -r-hs---- C:\WINNT\system\csrrs.exe
2007-06-02 08:27 70,789 --a------ C:\WINNT\system32\dload.exe
2007-06-02 07:53 2,580 --a------ C:\WINNT\system32\stacmycf.exe
2007-05-19 18:19 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-12 17:58:17 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\OpenOffice.org2
2007-06-04 20:48:28 2,864 ----a-w C:\WINNT\system32\winsock.dll
2007-05-27 17:57:07 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Canon
2007-05-07 06:19:58 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Lavasoft
2007-05-07 06:12:56 64,315 ----a-w C:\zzc.exe
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AvastSS.scr
2007-04-25 18:41:31 -------- d-----w C:\Program Files\KBcertifikat
2007-04-20 19:07:24 -------- d-----w C:\Program Files\Sunbelt Software
2007-04-19 20:39:05 -------- d-----w C:\Program Files\Lavasoft
2007-04-19 19:44:06 -------- d-----w C:\Program Files\Alwil Software
2007-04-15 19:25:34 -------- d-----w C:\Program Files\IKEA HomePlanner
2007-04-15 19:25:19 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2002-12-05 12:00:00 65,822 --sh--r C:\WINNT\system32\svcchosst.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [04-12-14 11:56 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02-12-05 14:00 C:\WINNT\system32\mobsync.exe]
"nwiz"="nwiz.exe" [02-11-18 14:15 C:\WINNT\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03-10-31 19:42 ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [06-06-21 19:14 ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [02-06-03 11:38 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-04-30 17:42 ]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [07-06-06 20:19 ]
"melg3445"="C:\4.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [05-10-11 18:25 ]
"NVIEW"="nview.dll,nViewLoadHook" []
"ctfmon.exe"="ctfmon.exe" [01-02-19 21:09 C:\WINNT\system32\CTFMON.EXE]
"melg3445"="C:\4.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Symantec Antivirus professional"=flushdns.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Symantec Antivirus professional"=flushdns.exe
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 20:09:21
Windows 5.0.2195 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-12 20:11:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-12 20:11
--- E O F ---
2007-06-04 21:21 2,580 --a------ C:\WINNT\system32\dkxkcfjv.exe
2007-06-03 20:03 2,580 --a------ C:\WINNT\system32\fawxioco.exe
2007-06-03 20:02 37,376 -r-hs---- C:\WINNT\system\csrrs.exe
2007-06-02 08:27 70,789 --a------ C:\WINNT\system32\dload.exe
2007-06-02 07:53 2,580 --a------ C:\WINNT\system32\stacmycf.exe
2007-05-19 18:19 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-12 17:58:17 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\OpenOffice.org2
2007-06-04 20:48:28 2,864 ----a-w C:\WINNT\system32\winsock.dll
2007-05-27 17:57:07 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Canon
2007-05-07 06:19:58 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Lavasoft
2007-05-07 06:12:56 64,315 ----a-w C:\zzc.exe
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AvastSS.scr
2007-04-25 18:41:31 -------- d-----w C:\Program Files\KBcertifikat
2007-04-20 19:07:24 -------- d-----w C:\Program Files\Sunbelt Software
2007-04-19 20:39:05 -------- d-----w C:\Program Files\Lavasoft
2007-04-19 19:44:06 -------- d-----w C:\Program Files\Alwil Software
2007-04-15 19:25:34 -------- d-----w C:\Program Files\IKEA HomePlanner
2007-04-15 19:25:19 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2002-12-05 12:00:00 65,822 --sh--r C:\WINNT\system32\svcchosst.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [04-12-14 11:56 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [05-05-31 01:04 ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02-12-05 14:00 C:\WINNT\system32\mobsync.exe]
"nwiz"="nwiz.exe" [02-11-18 14:15 C:\WINNT\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03-10-31 19:42 ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [06-06-21 19:14 ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [02-06-03 11:38 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-04-30 17:42 ]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [07-06-06 20:19 ]
"melg3445"="C:\4.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [05-10-11 18:25 ]
"NVIEW"="nview.dll,nViewLoadHook" []
"ctfmon.exe"="ctfmon.exe" [01-02-19 21:09 C:\WINNT\system32\CTFMON.EXE]
"melg3445"="C:\4.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Symantec Antivirus professional"=flushdns.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Symantec Antivirus professional"=flushdns.exe
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 20:09:21
Windows 5.0.2195 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-12 20:11:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-12 20:11
--- E O F ---

Don't look for 4.exe, ComboFix has already deleted it.
You have so many unknown files there that are going to be junk, and if we had them all scanned on VirusTotal we'd be at it until the evening.
So download Avenger and run it under an administrator account.
Tick the option - Input script manually and click the magnifying-glass icon; an empty window pops up, into which copy the text marked in bold:
Files to delete:
C:\WINNT\system32\dsvuhyjb.exe
C:\WINNT\system32\mdijlyrm.exe
C:\WINNT\system32\ksahgmen.exe
C:\WINNT\system32\lsguqres.exe
C:\WINNT\system32\xyrddqqu.exe
C:\WINNT\system32\nsyckywp.exe
C:\WINNT\system32\rewhkagb.exe
C:\WINNT\system32\mlmpcixn.exe
C:\WINNT\system32\qfygnywj.exe
C:\WINNT\system32\jyixyisx.exe
C:\WINNT\system32\lvjqaknh.exe
C:\WINNT\system32\ldxhmlfe.exe
C:\WINNT\system32\psfolkhk.exe
C:\WINNT\system32\gbjqnfkd.exe
C:\WINNT\system32\jjdfedro.exe
C:\WINNT\system32\fyidkyyj.exe
C:\WINNT\system32\acaxbidq.exe
C:\WINNT\system32\aelmnjsn.exe
C:\WINNT\system32\cyhqohut.exe
C:\WINNT\system32\cqmqadwk.exe
C:\WINNT\system32\cngimntr.exe
C:\WINNT\system32\wxmhqlfy.exe
C:\WINNT\system32\ibxwcxod.exe
C:\WINNT\system32\dkxkcfjv.exe
C:\WINNT\system32\fawxioco.exe
C:\WINNT\system\csrrs.exe
C:\WINNT\system32\dload.exe
C:\WINNT\system32\svcchosst.exe
Then click Done.
Then click the traffic-light icon.
A prompt pops up where you click Yes, then another prompt where you click Yes.
The PC will restart. After the restart an Avenger log should "pop up"; copy it here.
Have these files checked on VirusTotal:
C:\zzc.exe
C:\ii.exe
C:\WINNT\system32\stacmycf.exe
C:\WINNT\system32\d3d8caps.dat
To find them more easily, turn on - Show hidden and system files.
And copy the results here, plus a new ComboFix log and the Avenger log.
And in HJT fix:
O4 - HKLM\..\Run: [melg3445] C:\4.exe
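A small triage script, added here as an example (not a tool from this thread), that applies the same judgement the helper made by eye over the ComboFix "Files Created" section above: clusters of identical-size executables with random eight-letter names in system32, freshly created executables carrying hidden+system attributes, and executables dropped in the drive root. The sample lines are constructed from the log above; the cluster threshold, the name heuristic and the `avenger_script` output format are assumptions, and the output is a candidate list for an analyst to review, not something to delete unseen.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix "Files Created" section
# above (a handful of lines taken from that log, not the whole thing).
SAMPLE_LOG = """\
2007-06-12 19:59 49,152 --a------ C:\\WINNT\\nircmd.exe
2007-06-06 20:19 <DIR> d-------- C:\\Program Files\\Comodo
2007-06-05 21:31 14,868 --a------ C:\\WINNT\\system32\\dsvuhyjb.exe
2007-06-05 21:11 389 --a------ C:\\ii.exe
2007-06-04 22:52 2,580 --a------ C:\\WINNT\\system32\\mdijlyrm.exe
2007-06-04 22:52 2,580 --a------ C:\\WINNT\\system32\\ksahgmen.exe
2007-06-04 22:47 2,580 --a------ C:\\WINNT\\system32\\lsguqres.exe
2007-06-04 22:45 552 --a------ C:\\WINNT\\system32\\d3d8caps.dat
2007-06-03 20:02 37,376 -r-hs---- C:\\WINNT\\system\\csrrs.exe
2007-05-19 18:19 1,060,864 --a------ C:\\WINNT\\system32\\MFC71.dll
"""

# One ComboFix "Files Created" line: date, time, size or <DIR>, a 9-char
# attribute field (d,r,a,h,s,... ; '-' where unset), then the full path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Heuristic (assumption): eight lowercase letters, as in the dropper names above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(exe|dll)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")


def parse_created(text):
    """Parse the 'Files Created' lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, other report sections
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        path = m["path"]
        folder, _, name = path.rpartition("\\")
        entries.append({
            "date": m["date"], "time": m["time"], "size": size,
            "attrs": m["attrs"], "path": path,
            "name": name, "dir": folder.lower(),
        })
    return entries


def triage(entries, min_cluster=3):
    """Return {path: [reasons]} for entries matching the helper's red flags."""
    flagged = {}

    def flag(entry, reason):
        flagged.setdefault(entry["path"], []).append(reason)

    # Rule 1: several executables of exactly the same size with random names
    # (the 2,580-byte files in the log) point to one dropper writing copies.
    by_size = defaultdict(list)
    for e in entries:
        if e["size"] is not None and e["name"].lower().endswith(EXEC_EXT):
            by_size[e["size"]].append(e)
    for size, group in by_size.items():
        if len(group) >= min_cluster and all(
            RANDOM_NAME_RE.match(g["name"].lower()) for g in group
        ):
            for g in group:
                flag(g, f"{len(group)} executables of identical size {size} bytes")

    for e in entries:
        name = e["name"].lower()
        if not name.endswith(EXEC_EXT):
            continue  # data files such as d3d8caps.dat are left to the analyst
        # Rule 2: random-looking name in system32.
        if e["dir"].endswith("\\system32") and RANDOM_NAME_RE.match(name):
            flag(e, "random 8-letter name in system32")
        # Rule 3: hidden (attrs[3]) and system (attrs[4]) set on a fresh executable.
        if e["attrs"][3] == "h" and e["attrs"][4] == "s":
            flag(e, "hidden+system attributes on a fresh executable")
        # Rule 4: executable sitting directly in the drive root (C:\ii.exe).
        if re.fullmatch(r"[a-z]:", e["dir"]):
            flag(e, "executable dropped in drive root")
    return flagged


def avenger_script(flagged):
    """Format the reviewed candidates in the 'Files to delete:' shape used above."""
    return "Files to delete:\n" + "\n".join(sorted(flagged))


if __name__ == "__main__":
    found = triage(parse_created(SAMPLE_LOG))
    for path, reasons in sorted(found.items()):
        print(path, "->", "; ".join(reasons))
    print(avenger_script(found))
```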
So, here are the results:
ComboFix 07-06-11.3 - F:\léčba počítače\ComboFix.exe
"vítek" - 13.06.2007 21:26:16 - Service Pack 3 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 21:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1f8.dat
2007-06-13 20:54 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1fc.dat
2007-06-12 19:59 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-10 08:32 1,156 --a------ C:\WINNT\mozver.dat
2007-06-10 08:30 0 --a------ C:\WINNT\nsreg.dat
2007-06-07 11:25 <DIR> d-------- C:\DOCUME~1\-\DATAAP~1\Comodo
2007-06-06 20:42 <DIR> d-------- C:\VundoFix Backups
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\petra\DATAAP~1\Comodo
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-06-06 20:19 <DIR> d-------- C:\Program Files\Comodo
2007-06-05 21:11 389 --a------ C:\ii.exe
2007-06-02 07:53 2,580 --a------ C:\WINNT\system32\stacmycf.exe
2007-05-19 18:19 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2007-05-07 08:19 <DIR> d-------- C:\DOCUME~1\petra\DATAAP~1\Lavasoft
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-13 19:02:20 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\OpenOffice.org2
2007-06-04 20:48:28 2,864 ----a-w C:\WINNT\system32\winsock.dll
2007-05-27 17:57:07 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Canon
2007-05-07 06:12:56 64,315 ----a-w C:\zzc.exe
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AvastSS.scr
2007-04-25 18:41:31 -------- d-----w C:\Program Files\KBcertifikat
2007-04-20 19:07:24 -------- d-----w C:\Program Files\Sunbelt Software
2007-04-19 20:39:05 -------- d-----w C:\Program Files\Lavasoft
2007-04-19 19:44:06 -------- d-----w C:\Program Files\Alwil Software
2007-04-15 19:25:34 -------- d-----w C:\Program Files\IKEA HomePlanner
2007-04-15 19:25:19 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [14.12.04 11:56 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [31.05.05 01:04 ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [05.12.02 14:00 C:\WINNT\system32\mobsync.exe]
"nwiz"="nwiz.exe" [18.11.02 14:15 C:\WINNT\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [31.10.03 19:42 ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [21.06.06 19:14 ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [03.06.02 11:38 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30.04.07 17:42 ]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [06.06.07 20:19 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [11.10.05 18:25 ]
"NVIEW"="nview.dll,nViewLoadHook" []
"ctfmon.exe"="ctfmon.exe" [19.02.01 21:09 C:\WINNT\system32\CTFMON.EXE]
"melg3445"="C:\4.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Symantec Antivirus professional"=flushdns.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Symantec Antivirus professional"=flushdns.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 21:30:13
Windows 5.0.2195 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 13.06.2007 21:31:41
C:\ComboFix-quarantined-files.txt ... 13.06.07 21:31
C:\ComboFix2.txt ... 12.06.07 20:11
--- E O F ---
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wumrvtrw
*******************
Script file located at: \??\C:\WINNT\System32\ocvlawjk.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINNT\system32\dsvuhyjb.exe deleted successfully.
File C:\WINNT\system32\mdijlyrm.exe deleted successfully.
File C:\WINNT\system32\ksahgmen.exe deleted successfully.
File C:\WINNT\system32\lsguqres.exe deleted successfully.
File C:\WINNT\system32\xyrddqqu.exe deleted successfully.
File C:\WINNT\system32\d3d8caps.dat deleted successfully.
File C:\WINNT\system32\nsyckywp.exe deleted successfully.
File C:\WINNT\system32\rewhkagb.exe deleted successfully.
File C:\WINNT\system32\mlmpcixn.exe deleted successfully.
File C:\WINNT\system32\qfygnywj.exe deleted successfully.
File C:\WINNT\system32\jyixyisx.exe deleted successfully.
File C:\WINNT\system32\lvjqaknh.exe deleted successfully.
File C:\WINNT\system32\ldxhmlfe.exe deleted successfully.
File C:\WINNT\system32\psfolkhk.exe deleted successfully.
File C:\WINNT\system32\gbjqnfkd.exe deleted successfully.
File C:\WINNT\system32\jjdfedro.exe deleted successfully.
File C:\WINNT\system32\fyidkyyj.exe deleted successfully.
File C:\WINNT\system32\acaxbidq.exe deleted successfully.
File C:\WINNT\system32\aelmnjsn.exe deleted successfully.
File C:\WINNT\system32\cyhqohut.exe deleted successfully.
File C:\WINNT\system32\cqmqadwk.exe deleted successfully.
File C:\WINNT\system32\cngimntr.exe deleted successfully.
File C:\WINNT\system32\wxmhqlfy.exe deleted successfully.
File C:\WINNT\system32\ibxwcxod.exe deleted successfully.
File C:\WINNT\system32\dkxkcfjv.exe deleted successfully.
File C:\WINNT\system32\fawxioco.exe deleted successfully.
File C:\WINNT\system\csrrs.exe deleted successfully.
File C:\WINNT\system32\dload.exe deleted successfully.
File C:\WINNT\system32\svcchosst.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Complete scanning result of "zzc.exe", received in VirusTotal at 06.13.2007, 21:21:28 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.13.2007 no virus found
AntiVir 7.4.0.32 06.13.2007 HEUR/Crypted
Authentium 4.93.8 06.13.2007 could be a corrupted executable file
Avast 4.7.997.0 06.13.2007 no virus found
AVG 7.5.0.467 06.13.2007 no virus found
BitDefender 7.2 06.13.2007 no virus found
CAT-QuickHeal 9.00 06.13.2007 no virus found
ClamAV devel-20070416 06.13.2007 no virus found
DrWeb 4.33 06.13.2007 no virus found
eSafe 7.0.15.0 06.13.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3715 06.13.2007 no virus found
Ewido 4.0 06.13.2007 no virus found
FileAdvisor 1 06.13.2007 No threat detected
Fortinet 2.85.0.0 06.13.2007 no virus found
F-Prot 4.3.2.48 06.13.2007 no virus found
F-Secure 6.70.13030.0 06.13.2007 no virus found
Ikarus T3.1.1.8 06.13.2007 no virus found
Kaspersky 4.0.2.24 06.13.2007 no virus found
McAfee 5052 06.13.2007 no virus found
Microsoft 1.2503 06.13.2007 no virus found
NOD32v2 2327 06.13.2007 no virus found
Norman 5.80.02 06.13.2007 no virus found
Panda 9.0.0.4 06.13.2007 no virus found
Prevx1 V2 06.13.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.13.2007 no virus found
TheHacker 6.1.6.132 06.11.2007 no virus found
VBA32 3.12.0.1 06.12.2007 no virus found
VirusBuster 4.3.23:9 06.13.2007 no virus found
Webwasher-Gateway 6.0.1 06.13.2007 Heuristic.Crypted
Complete scanning result of "ii.exe", received in VirusTotal at 06.13.2007, 21:22:07 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.12.2 06.13.2007 no virus found
AntiVir 7.4.0.32 06.13.2007 no virus found
Authentium 4.93.8 06.13.2007 no virus found
Avast 4.7.997.0 06.13.2007 no virus found
AVG 7.5.0.467 06.13.2007 no virus found
BitDefender 7.2 06.13.2007 no virus found
CAT-QuickHeal 9.00 06.13.2007 no virus found
ClamAV devel-20070416 06.13.2007 no virus found
DrWeb 4.33 06.13.2007 no virus found
eSafe 7.0.15.0 06.13.2007 no virus found
eTrust-Vet 30.7.3715 06.13.2007 no virus found
Ewido 4.0 06.13.2007 no virus found
FileAdvisor 1 06.13.2007 no virus found
Fortinet 2.85.0.0 06.13.2007 no virus found
F-Prot 4.3.2.48 06.13.2007 no virus found
F-Secure 6.70.13030.0 06.13.2007 no virus found
Ikarus T3.1.1.8 06.13.2007 no virus found
Kaspersky 4.0.2.24 06.13.2007 no virus found
McAfee 5052 06.13.2007 no virus found
Microsoft 1.2503 06.13.2007 no virus found
NOD32v2 2327 06.13.2007 no virus found
Norman 5.80.02 06.13.2007 no virus found
Panda 9.0.0.4 06.13.2007 no virus found
Prevx1 V2 06.13.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.13.2007 no virus found
TheHacker 6.1.6.132 06.11.2007 no virus found
VBA32 3.12.0.1 06.12.2007 no virus found
VirusBuster 4.3.23:9 06.13.2007 no virus found
Webwasher-Gateway 6.0.1 06.13.2007 no virus found
Aditional Information
File size: 389 bytes
MD5: 31d9e76f51133513f50d88c4e729a64d
SHA1: 516e180aab3ad97115a872004ab13a5a2930464a
Complete scanning result of "stacmycf.exe", received in VirusTotal at 06.13.2007, 21:23:31 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 7.4.0.32 06.13.2007 TR/Agent.anr.1
Authentium 4.93.8 06.13.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.13.2007 no virus found
AVG 7.5.0.467 05.08.2007 no virus found
BitDefender 7.2 06.13.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.13.2007 Trojan.Agent.anr
ClamAV devel-20070416 05.09.2007 no virus found
DrWeb 4.33 06.13.2007 no virus found
eSafe 7.0.15.0 05.08.2007 no virus found
eTrust-Vet 30.7.3715 06.13.2007 no virus found
FileAdvisor 1 06.13.2007 no virus found
Fortinet 2.85.0.0 06.13.2007 no virus found
F-Prot 4.3.2.48 05.08.2007 no virus found
F-Secure 6.70.13030.0 05.09.2007 no virus found
Ikarus T3.1.1.7 05.09.2007 no virus found
Kaspersky 4.0.2.24 06.13.2007 Trojan.Win32.Agent.anr
McAfee 5052 06.13.2007 no virus found
Microsoft 1.2503 06.13.2007 no virus found
NOD32v2 2327 06.13.2007 Win32/Agent.ANR
Norman 5.80.02 06.13.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.13.2007 Trj/Lowzones.TP
Prevx1 V2 06.13.2007 Covert.Sys.Exec
Sophos 4.18.0 06.12.2007 Troj/SetCook-A
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.09.2007 no virus found
TheHacker 6.1.6.132 06.11.2007 Trojan/Agent.anr
VBA32 3.12.0.1 06.12.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.13.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 05.09.2007 no virus found
Aditional Information
File size: 2580 bytes
MD5: 2ad3361c2af46e235c7c39373a9e5a07
SHA1: 38fc3f6cea29ba3a32d785342446ed1e9d2002af
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500
OK, I noticed that I mistakenly put a good file up for deletion as well, namely d3d8caps.dat.
So we'll restore it.
Open the Avenger folder that is on C:
There will be a backup.zip; don't open that one, because you've already used Avenger once before and it holds the files you deleted the first time.
Instead open backup-<the date you did the deletion>.zip, that is, open the second .zip file (don't extract it, just open it normally).
When you open that .zip file a folder appears; open it normally as well.
Then the files you deleted should be shown. Find d3d8caps.dat and copy it back to C:\WINNT\system32\
Then restart the PC.
But don't move anything else, because the other files in there are junk.
Once again, I apologise.
When you've done all that, say so and we'll go remove the remaining junk.

[novice, 18 posts, registered June 07, Vysoké Mýto, offline]
OK, so let's go and delete.
Even though it found nothing for ii.exe and zzc.exe, they are junk.
Use Avenger again.
Tick the option Input script manually and click the magnifying-glass icon; an empty window will pop up, and into it paste the text marked in bold:
Files to delete:
C:\ii.exe
C:\WINNT\system32\stacmycf.exe
C:\zzc.exe
And click Done.
Then click the traffic-light icon.
A prompt will appear; click Yes, then another prompt, click Yes again.
The PC will restart. After the restart the Avenger log should pop up; copy it here.
Then post that Avenger log + the ComboFix log + a new HJT log here.
[novice, 18 posts, registered June 07, Vysoké Mýto, offline]
Well, the Avenger log somehow got away from me... I don't know why, but it was empty, so here are at least the other two:
Logfile of HijackThis v1.99.1
Scan saved at 22:09:47, on 17.6.2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\petra\Plocha\HijackThis\hájdžek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [melg3445] C:\4.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{B57D0DBD-0293-43B4-88FA-23E14436A533}: NameServer = 213.250.218.130,213.250.192.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
ComboFix 07-06-11.3 - F:\léčba počítače\ComboFix.exe
"vítek" - 17.06.2007 22:01:52 - Service Pack 3 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))
2007-06-17 21:55 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1fc.dat
2007-06-17 21:34 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1f8.dat
2007-06-14 21:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_200.dat
2007-06-14 21:10 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-06-12 19:59 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-10 08:32 1,156 --a------ C:\WINNT\mozver.dat
2007-06-10 08:30 0 --a------ C:\WINNT\nsreg.dat
2007-06-07 11:25 <DIR> d-------- C:\DOCUME~1\-\DATAAP~1\Comodo
2007-06-06 20:42 <DIR> d-------- C:\VundoFix Backups
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\petra\DATAAP~1\Comodo
2007-06-06 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-06-06 20:19 <DIR> d-------- C:\Program Files\Comodo
2007-06-02 07:53 2,580 --a------ C:\WINNT\system32\stacmycf.exe
2007-05-19 18:19 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2007-05-07 08:19 <DIR> d-------- C:\DOCUME~1\petra\DATAAP~1\Lavasoft
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-17 19:57:01 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\OpenOffice.org2
2007-06-04 20:48:28 2,864 ----a-w C:\WINNT\system32\winsock.dll
2007-05-27 17:57:07 -------- d-----w C:\DOCUME~1\petra\DATAAP~1\Canon
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AvastSS.scr
2007-04-25 18:41:31 -------- d-----w C:\Program Files\KBcertifikat
2007-04-20 19:07:24 -------- d-----w C:\Program Files\Sunbelt Software
2007-04-19 20:39:05 -------- d-----w C:\Program Files\Lavasoft
2007-04-19 19:44:06 -------- d-----w C:\Program Files\Alwil Software
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [14.12.04 11:56 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [31.05.05 01:04 ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [05.12.02 14:00 C:\WINNT\system32\mobsync.exe]
"nwiz"="nwiz.exe" [18.11.02 14:15 C:\WINNT\system32\nwiz.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [31.10.03 19:42 ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [21.06.06 19:14 ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [03.06.02 11:38 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [30.04.07 17:42 ]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [06.06.07 20:19 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [11.10.05 18:25 ]
"NVIEW"="nview.dll,nViewLoadHook" []
"ctfmon.exe"="ctfmon.exe" [19.02.01 21:09 C:\WINNT\system32\CTFMON.EXE]
"melg3445"="C:\4.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Symantec Antivirus professional"=flushdns.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe
"Symantec Antivirus professional"=flushdns.exe
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 22:06:31
Windows 5.0.2195 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 17.06.2007 22:08:17
C:\ComboFix-quarantined-files.txt ... 17.06.07 22:07
--- E O F ---
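Triage of the autostart entries in the logs above, as an added Python example that is not part of the original post and not HijackThis's or ComboFix's code. It parses HijackThis O4 Run lines and ComboFix "Reg Loading Points" Run values and flags the pattern the helpers in this thread fixed by hand: an executable sitting directly in the drive root, a ComboFix entry whose bracket is empty (the file was not found at scan time), and a machine-looking value name such as melg3445. The three heuristics are assumptions of this example, and the output is a candidate list for a human to check, not a verdict; SAMPLE_LOG is constructed from lines in the logs above.

```python
r"""Triage autostart entries from HijackThis (O4) and ComboFix (Reg Loading Points) log lines.

Added example, not HijackThis's, ComboFix's or the forum's code. The heuristics
surface the kind of entry the helpers in this thread fixed by hand
(O4 - HKCU\..\Run: [melg3445] C:\4.exe). The result is a list of candidates
for a human to check against the rest of the log, not a verdict.
"""
import re
from pathlib import PureWindowsPath

# HijackThis:  O4 - HKCU\..\Run: [melg3445] C:\4.exe
HJT_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix:    "melg3445"="C:\4.exe" []      <- empty [] means the file was not found at scan time
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# Heuristic (assumption): machine-generated value names such as melg3445, a few letters then 3+ digits
RANDOM_NAME = re.compile(r"^[A-Za-z]{2,8}\d{3,}$")

# Constructed sample: a handful of lines copied from the logs in the post above
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [melg3445] C:\4.exe
"Synchronization Manager"="mobsync.exe" [05.12.02 14:00 C:\WINNT\system32\mobsync.exe]
"NVIEW"="nview.dll,nViewLoadHook" []
"melg3445"="C:\4.exe" []
""".strip().splitlines()


def executable(cmd):
    r"""Program part of a Run command, or None when it is not a file reference.
    Handles quoted paths ("C:\Program Files\x.exe" /flag) and bare ones (C:\4.exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split(" ", 1)[0]
    if "\\" in prog or prog.lower().endswith(".exe"):
        return prog
    return None


def triage(lines):
    """Return {value_name: sorted reasons} for every Run entry that trips a heuristic."""
    findings = {}
    for line in lines:
        m = HJT_O4.match(line.rstrip()) or CF_RUN.match(line.rstrip())
        if not m:
            continue
        name, prog = m.group("name"), executable(m.group("cmd"))
        reasons = set()
        if RANDOM_NAME.match(name):
            reasons.add("random_looking_name")
        if prog:
            p = PureWindowsPath(prog)
            if p.anchor and p.parent == PureWindowsPath(p.anchor):
                reasons.add("exe_in_drive_root")        # e.g. C:\4.exe, no program directory at all
            if "meta" in m.groupdict() and not m.group("meta").strip() and p.anchor:
                reasons.add("file_missing_at_scan")      # ComboFix printed [] for an absolute path
        if reasons:
            findings.setdefault(name, set()).update(reasons)
    return {name: sorted(r) for name, r in findings.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print("%-12s %s" % (name, ", ".join(reasons)))
```

Only melg3445 trips the heuristics on the sample; NVIEW has an empty ComboFix bracket too, but its value is a DLL entry point rather than a path, which is why the missing-file check is limited to absolute paths. Entries under HKEY_USERS\.default that ComboFix prints without quotes or a bracket are deliberately not matched, so they stay in the human's hands.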
[Baron Prášil, Master Level 7, 4882 posts, registered June 06, offline]
Download killbox,
unpack it, run it and paste the bold text into the box:
C:\WINNT\system32\stacmycf.exe
Tick Delete on Reboot and All Files
and click the cross. The machine will go into a restart.
Then post a new log from HijackThis and ComboFix again.
// In HijackThis fix O4 - HKCU\..\Run: [melg3445] C:\4.exe