Please check my log


SiRuK (newcomer; 18 posts; registered August 07)

Please check my log

Post by SiRuK » 28 Aug 2007 15:22

I have a problem browsing web pages: ICQ works fine and NOD updates itself too, but no web page loads, neither in Mozilla nor in IE... here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:55, on 28.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TotalCmd\totalcmd.exe
C:\WINDOWS\system32\wuauclt.exe
c:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O1 - Hosts: 81.30.226.227 L2authd.lineage2.com
O1 - Hosts: 81.30.226.227 L2testauthd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\chksic.dll (file missing)
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Adela\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ro0 Service (ro0Srv) - Unknown owner - C:\WINDOWS\system32\ro0\ro0.exe (file missing)
O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe" /service (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)


THANK YOU VERY MUCH FOR ANY HELP :|
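As an added example, not part of the thread, the following Python script does a first-pass triage of HijackThis lines the way the helpers below read them (orphaned "(file missing)" entries, services with an unknown owner, binaries under temp or profile paths, O1 hosts overrides, O17 DNS changes, O4 keys running as SYSTEM). The rule set and the `Finding` type are this example's own; the sample lines are copied from the HJT log above.

```python
"""Heuristic first-pass triage of HijackThis (HJT) log lines.

Every HJT entry starts with a section tag (R0/R1, O1..O24), a dash and the body.
The rules encode what the helpers in this thread look for first: orphaned
entries, services with no vendor, binaries in temp/profile paths, hosts-file
overrides, changed DNS servers and Run keys executing as SYSTEM.
The rule set and the Finding type are this example's own, not part of HJT.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2})\s+-\s+(?P<body>.*)$")
# Matches paths under a temp directory or a user profile (8.3 or long form).
TEMP_PATH_RE = re.compile(r"\\(temp|docume~1|documents and settings)\\")


@dataclass
class Finding:
    section: str          # HJT section tag, e.g. "O23"
    line: str             # the original log line
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for a suspicious entry, or None if no rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None           # header, process list or blank line
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if sec == "O23" and "unknown owner" in low:
        reasons.append("service binary has no recognised vendor")
    if TEMP_PATH_RE.search(low):
        reasons.append("binary lives under a temp or user-profile directory")
    if sec == "O1":
        reasons.append("hosts-file override: verify the IP really belongs to that host")
    if sec == "O17":
        reasons.append("non-default DNS servers: confirm they are the intended resolver")
    if sec == "O4" and "(user 'system')" in low and "\\windows\\system32\\" not in low:
        reasons.append("Run key executed as SYSTEM from outside system32")
    return Finding(sec, line.strip(), reasons) if reasons else None


def triage_log(text: str):
    """Triage a whole log; returns findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Lines copied from the first HJT log in this thread (the entries later fixed,
# plus two benign ones as controls).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe

O1 - Hosts: 81.30.226.227 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\chksic.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [gamma] c:\DriverLoad\windrv0.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Adela\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The heuristics only prioritise what to look at; the dnlsvc service, for instance, trips three rules at once, while the Acrobat BHO and the NOD32 service produce no finding.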

fredik (Security team member; Master Level 7; 4680 posts; registered July 06)

Post by fredik » 28 Aug 2007 15:50

Hello and welcome to the forum.

Download SDFix
- Run it and it will extract to the drive where Windows is installed (typically C:\SDfix)
- Then restart the PC into Safe Mode (choose the option: Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run the file RunThis.bat; that starts the program.
* Then press the Y key and then Enter to start the cleaning process.
* To complete the scan you will be prompted to press any key, and the computer will restart.
* While the operating system is booting, the program will run again and finish the cleaning process. When Finish appears, you will have to press any key when prompted; that closes the program and your desktop icons will appear
- When the desktop icons have finished loading, the SDFix log will open on screen, and it is also saved in the folder where SDFix was extracted as the file Report.txt
Then copy its contents here.

Download SUPERAntiSpyware
Install it, run it and click the button Check for Updates...
After the update finishes, click the button: Scan your computer
Choose the option: Perform Complete Scan and click the button Next >

The scan will run; when it finishes it lists everything it found.
Make sure all items are checked and then choose the Next button
Then click the Finish button and you should get back to the main screen.
There click the button: Preferences... and choose the Statistics/Logs tab
There click the log with today's date and press the button: View Log...
A window with the log will open; copy its contents here.

You have an older version of HJT, so download the newer version of HijackThis here. Since you have leftovers of ConHook, rename the downloaded file hijackthis.exe to something like fluffy.exe, then make a new log with it and post it here.

Note: Before using the newer version of HJT, remove the older version.

So in the end you will post three logs here: from SDFix, SuperAntispyware and HJT.

SiRuK (newcomer; 18 posts; registered August 07)

reports

Post by SiRuK » 28 Aug 2007 19:02

So I did everything exactly according to the instructions you wrote, and here are the logs :roll:

SDFix

SDFix: Version 1.100

Run by ???? on Út 28.08.2007 at 17:50

Microsoft Windows XP [Verze 5.1.2600]

Running From: c:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
dnlsvc
ro0Srv

ImagePath:
"C:\DOCUME~1\Adela\LOCALS~1\Temp\dnlsvc.exe"
C:\WINDOWS\system32\ro0\ro0.exe

dnlsvc - Deleted
ro0Srv - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
C:\WINDOWS\SYSTEM32\PF5607~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PF9452~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFXZMT~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFXZMT~2.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFXZMT~3.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFXZMT~4.DLL - Deleted
C:\WINDOWS\system32\rserver30\_rcomsrv.exe.exe - Deleted
C:\WINDOWS\system32\tmp1.tmp.dll - Deleted
C:\WINDOWS\system32\tmp116.tmp.dll - Deleted
C:\WINDOWS\system32\tmp1D.tmp.dll - Deleted
C:\WINDOWS\system32\tmp2.tmp.dll - Deleted
C:\WINDOWS\system32\tmp2D.tmp.dll - Deleted
C:\WINDOWS\system32\tmp45.tmp.dll - Deleted
C:\WINDOWS\system32\tmp47.tmp.dll - Deleted
C:\WINDOWS\system32\tmp5.tmp.dll - Deleted
C:\WINDOWS\system32\tmp51.tmp.dll - Deleted
C:\WINDOWS\system32\tmp53.tmp.dll - Deleted
C:\WINDOWS\system32\tmp6.tmp.dll - Deleted
C:\WINDOWS\system32\tmp7.tmp.dll - Deleted
C:\WINDOWS\system32\tmp8.tmp.dll - Deleted
C:\WINDOWS\system32\tmpAB.tmp.dll - Deleted
C:\WINDOWS\system32\tmpB2.tmp.dll - Deleted
C:\Program Files\Common Files\delsim\del.exe - Deleted
C:\WINDOWS\system32\Kernel32.exe - Deleted


Folder C:\Program Files\Common Files\delsim - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Hry\\Warcraft III\\Warcraft III.exe"="D:\\Hry\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"D:\\Hry\\Warcraft III\\War3.exe"="D:\\Hry\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"
"D:\\Hry\\CS 1.6\\hl.exe"="D:\\Hry\\CS 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"D:\\Hry\\Call of Duty\\CoDMP.exe"="D:\\Hry\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\ICQLitee\\ICQLite.exe"="C:\\Program Files\\ICQLitee\\ICQLite.exe:*:Enabled:ICQ Lite"
"c:\\windows\\system32\\mstsdsc.exe"="c:\\windows\\system32\\mstsdsc.exe:*:Enabled:mstsdsc"
"C:\\tmp1.tmp.exe"="C:\\tmp1.tmp.exe"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"="C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe:*:Enabled:VoipDiscount"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\Radmin\\r_server.exe"="C:\\Program Files\\Radmin\\r_server.exe:*:Enabled:r_server"
"c:\\windows\\system32\\a.exe"="c:\\windows\\system32\\a.exe:*:Disabled:a"
"C:\\Program Files\\Radmin\\raddrv.dll"="C:\\Program Files\\Radmin\\raddrv.dll:*:Enabled:raddrv.dll"
"C:\\Program Files\\Radmin\\radmin.exe"="C:\\Program Files\\Radmin\\radmin.exe:*:Enabled:radmin"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\CS 1.6\\hl.exe"="C:\\CS 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Prevx1\\PXAgent.exe"="C:\\Program Files\\Prevx1\\PXAgent.exe:*:Enabled:PXAgent"
"C:\\Program Files\\Prevx1\\PXConsole.exe"="C:\\Program Files\\Prevx1\\PXConsole.exe:*:Enabled:PXConsole"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:


Finished

SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/28/2007 at 06:43 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:36:20

Memory items scanned : 329
Memory threats detected : 0
Registry items scanned : 3810
Registry threats detected : 5
File items scanned : 29334
File threats detected : 209

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
C:\DOCUME~1\ADELA\LOCALS~1\TEMP\TMP2.TMP.DLL
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}


Trojan.Downloader-Newsploit
C:\DOCUMENTS AND SETTINGS\ADELA\J.EXE

Trojan.Downloader-Gen/SysFade
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CWF7FFLK\SYSFADE[1].EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CWF7FFLK\SYSFADE[2].EXE
C:\WINDOWS\SYSFADE.EXEAXTRHW
C:\WINDOWS\SYSFADE.EXEDDHQAA
C:\WINDOWS\SYSFADE.EXEDRUFXV
C:\WINDOWS\SYSFADE.EXEHKUAUU
C:\WINDOWS\SYSFADE.EXEIYJBAC
C:\WINDOWS\SYSFADE.EXESWFEWX
C:\WINDOWS\SYSFADE.EXETMTHJG

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP48\A0041452.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP48\A0046686.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP48\A0046750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP49\A0046914.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP50\A0047985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP50\A0048011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP50\A0048021.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{57FF0796-A9CF-4D49-9A86-FD0A94BD7321}\RP50\A0048028.EXE

Trojan.Net-ShareSearcher
C:\WINDOWS\PSI.EXEEVQAUT

Trojan.Downloader-Gen/RSVP
C:\WINDOWS\SYSTEM32\RSVP322.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\8DURG56J\test[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\KZ05A5CO\checksoft[1].js
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\KZ05A5CO\button2[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\KZ05A5CO\top_pic2[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\KZ05A5CO\ico1[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\KZ05A5CO\logo[3].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\W5UP7C4G\CA0B2XEV.gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\6KC8EY6J\top1_menu[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\6KC8EY6J\ico2[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\W5UP7C4G\top1[1].gif
C:\Documents and Settings\Adela\Local Settings\Temporary Internet Files\Content.IE5\8LIZKTAR\CAG5UJCX.js

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56:09, on 28.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TotalCmd\totalcmd.exe
c:\fluffy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\chksic.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [gamma] c:\DriverLoad\windrv0.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SysRestore] "C:\tmp1.tmp.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 3928 bytes
_____________________________________________

so I'm curious whether we can solve anything, because I'm already hopeless and can't manage on my own :cry:

Baron Prášil (Master Level 7; 4882 posts; registered June 06)

Post by Baron Prášil » 28 Aug 2007 22:27

turn off System Restore
right-click My Computer > Properties > System Restore, tick the box, OK and confirm

fix
in the HJT program window, tick the boxes on the left next to the items I list and then click Fix checked
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\chksic.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [gamma] c:\DriverLoad\windrv0.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SysRestore] "C:\tmp1.tmp.exe" (User 'SYSTEM')
O20 - AppInit_DLLs:


then use Avenger http://www.spyware.cz/go.php?p=spyware&t=aplikace&id=35

and this script

Files to delete:
c:\windows\system32\mstsdsc.exe
C:\tmp1.tmp.exe
c:\windows\system32\a.exe
c:\DriverLoad\windrv0.exe


confirm everything; there will be a restart and after it Avenger will spit out a log; post it here.
also a new log from hijackthis
and info about the problem :wink:

SiRuK (newcomer; 18 posts; registered August 07)

Post by SiRuK » 28 Aug 2007 23:32

so I did everything, but the pages still don't load, though ICQ works :roll:

as far as I understood from Avenger, it didn't manage to delete anything :(

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qjcji^wm

*******************

Script file located at: \??\C:\Program Files\rordbmml.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\mstsdsc.exe not found!
Deletion of file c:\windows\system32\mstsdsc.exe failed!

Could not process line:
c:\windows\system32\mstsdsc.exe
Status: 0xc0000034



File C:\tmp1.tmp.exe not found!
Deletion of file C:\tmp1.tmp.exe failed!

Could not process line:
C:\tmp1.tmp.exe
Status: 0xc0000034



File c:\windows\system32\a.exe not found!
Deletion of file c:\windows\system32\a.exe failed!

Could not process line:
c:\windows\system32\a.exe
Status: 0xc0000034



Could not open file c:\DriverLoad\windrv0.exe for deletion
Deletion of file c:\DriverLoad\windrv0.exe failed!

Could not process line:
c:\DriverLoad\windrv0.exe
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:30, on 28.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\TotalCmd\totalcmd.exe
c:\fluffy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Radmin Server V3 (RServer3) - Unknown owner - C:\WINDOWS\system32\rserver30\RServer3.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 3604 bytes

Baron Prášil (Master Level 7; 4882 posts; registered June 06)

Post by Baron Prášil » 29 Aug 2007 11:59

so, please, also make a log from the MWAV program
and
Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After starting, the terms of use are displayed; confirm them by pressing the 1 key
- Then follow the instructions; while ComboFix is running, do not click into the window that appears
- After the scan finishes the program should create a log, which will be displayed; otherwise you will find it here: C:\ComboFix.txt - please copy its whole contents here

SiRuK (newcomer; 18 posts; registered August 07)

Post by SiRuK » 29 Aug 2007 14:23

here is the log from MWAV

Soubor C:\WINDOWS\effdcd.dll je infikovaný virem Packed.Win32.Klone.k !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\geebya.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.kw". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\sstqpq.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.kw". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\vtuurr.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.kw". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\aeado.exe//PE-Crypt.PolyCryptA je infikovaný virem Trojan.Win32.DNSChanger.hd !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\qlrfu.exe//PE-Crypt.PolyCryptA je infikovaný virem Trojan.Win32.DNSChanger.hd !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\raddrv.dll indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.20". Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\r_server.exe//RadPack indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.22". Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe//data0002//UPX indentifikován jako "not-a-virus:FraudTool.Win32.SpyVampire.a". Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\cache\FND0.NFI//PE-Crypt.XorPE//ASPack je infikovaný virem Trojan-Proxy.Win32.Cimuz.cv !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\cache\FND1.NFI//PE-Crypt.XorPE//ASPack je infikovaný virem Trojan-Proxy.Win32.Cimuz.cl !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\cache\FND2.NFI//PE-Crypt.XorPE je infikovaný virem Trojan-Downloader.Win32.ConHook.ba !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\cache\FND3.NFI//PE-Crypt.XorPE//ASPack je infikovaný virem Email-Worm.Win32.Warezov.dq !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\cache\FND5.NFI//PE-Crypt.XorPE je infikovaný virem Trojan.Win32.Agent.vk !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\infected\3L44WUAA.NQF//PE-Crypt.XorPE//ASPack je infikovaný virem Trojan-Proxy.Win32.Cimuz.cv !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\infected\MRV2H5CA.NQF//PE-Crypt.XorPE//ASPack je infikovaný virem Email-Worm.Win32.Warezov.dq !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\infected\UCGNU3CA.NQF//PE-Crypt.XorPE//UPX je infikovaný virem Backdoor.Win32.Delf.avh !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\ESET\infected\WWJMYODA.NQF//PE-Crypt.XorPE je infikovaný virem Trojan.Win32.Agent.vk !! Provedené akce: Nic nebylo provedeno.

Soubor C:\Program Files\Radmin\raddrv.dll indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.20". Nic nebylo provedeno.

Soubor C:\Program Files\Radmin\r_server.exe//RadPack indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.22". Nic nebylo provedeno.

Soubor C:\SDFix\SDFix\backups\backups.zip/backups/tmp2.tmp.dll je infikovaný virem Trojan.Win32.BHO.bd !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\effdcd.dll je infikovaný virem Packed.Win32.Klone.k !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\geebya.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.kw". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\sstqpq.dll indentifikován jako "not-a-virus:AdWare.Win32.Virtumonde.kw". Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\aeado.exe//PE-Crypt.PolyCryptA je infikovaný virem Trojan.Win32.DNSChanger.hd !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\qlrfu.exe//PE-Crypt.PolyCryptA je infikovaný virem Trojan.Win32.DNSChanger.hd !! Provedené akce: Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\raddrv.dll indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.20". Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\r_server.exe//RadPack indentifikován jako "not-a-virus:RemoteAdmin.Win32.RAdmin.22". Nic nebylo provedeno.

Soubor C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe//data0002//UPX indentifikován jako "not-a-virus:FraudTool.Win32.SpyVampire.a". Provedené akce: Nic nebylo provedeno.


and here is the log from COMBOFIX

ComboFix 07-08-29.3 - "Adela" 2007-08-29 14:14:01.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.175 [GMT 2:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Adela\Plocha\internet explorer.lnk
C:\WINDOWS\aybeeg.ini
C:\WINDOWS\bywuvu.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\dcdffe.ini
C:\WINDOWS\effdcd.dll
C:\WINDOWS\geebya.dll
C:\WINDOWS\qpqtss.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\rruutv.ini
C:\WINDOWS\sstqpq.dll
C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\uvuwyb.ini
C:\WINDOWS\vtuurr.dll


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-29 )))))))))))))))))))))))))))))))


2007-08-29 14:13 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-08-29 13:18 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-08-29 12:52 147,968 --a------ C:\WINDOWS\R.COM
2007-08-29 12:52 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-08-29 12:51 18,756,720 --a------ C:\Program Files\lol.exe
2007-08-29 12:47 <DIR> d-------- C:\Program Files\CCleaner
2007-08-28 23:17 130,048 --a------ C:\avenger.exe
2007-08-28 18:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-28 18:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SUPERAntiSpyware.com
2007-08-28 18:03 401,720 --a------ C:\fluffy.exe
2007-08-28 18:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 17:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-28 15:14 <DIR> d-------- C:\backups
2007-08-28 14:33 77,312 --a------ C:\WINDOWS\ua2.dll
2007-08-28 13:58 233,868 --a------ C:\LSPRegBackup_28082007_135806.REG
2007-08-27 20:58 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-08-27 20:58 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-08-27 20:58 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-27 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Eset
2007-08-27 20:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spybot - Search & Destroy
2007-08-26 18:41 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-26 18:41 <DIR> d-------- C:\WINDOWS\$hf_mig$
2007-08-21 18:39 <DIR> d-------- C:\Program Files\NetLimiter 2 Pro
2007-08-21 18:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Locktime
2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-29 12:49 --------- d-------- C:\Program Files\ICQ6
2007-08-20 09:36 --------- d-------- C:\Program Files\ICQLite
2007-07-31 20:36 --------- d-------- C:\Program Files\Mozilla Firefox24
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 21:39 --------- d-------- C:\Program Files\ICQToolbar
2007-07-27 20:52 --------- d-------- C:\Program Files\Radmin
2007-07-27 16:40 --------- d-------- C:\Program Files\PowerArchiver
2007-07-18 11:08 --------- d-------- C:\Program Files\VoipDiscount.com
2007-07-17 14:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-20 13:42 70331 --a------ C:\Program Files\client.rar
2007-06-13 15:23 1033728 --a------ C:\WINDOWS\explorer.exe
2001-01-11 09:02 794624 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-27 20:58]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"alpha"=c:\DriverLoad\windrv0.exe
"beta"=c:\DriverLoad\windrv0.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alpha]
c:\DriverLoad\windrv0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beta]
c:\DriverLoad\windrv0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Speaker Configuration]
C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverLoad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gamma]
c:\DriverLoad\windrv0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? ?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\bywuvu.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
"C:\WINDOWS\system32\MRT.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mstsdsc.exe]
c:\windows\system32\mstsdsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? ?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore]
"C:\DOCUME~1\Adela\LOCALS~1\Temp\tmp1.tmp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriver]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriverLoad]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipDiscount]
"C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 nltdi;nltdi;\??\C:\WINDOWS\system32\drivers\nltdi.sys
R1 raddrvv3;raddrvv3;\??\C:\WINDOWS\system32\rserver30\raddrvv3.sys
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service
R3 mirrorv3;mirrorv3;C:\WINDOWS\system32\DRIVERS\rminiv3.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S2 RServer3;Radmin Server V3;"C:\WINDOWS\system32\rserver30\RServer3.exe" /service

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 14:18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-29 14:20:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-29 14:19

--- E O F ---


Post by Baron Prášil » 29 Aug 2007 15:37

well, nice!

so Avenger again

and the script

Files to delete:
C:\WINDOWS\effdcd.dll
C:\WINDOWS\geebya.dll
C:\WINDOWS\sstqpq.dll
C:\WINDOWS\vtuurr.dll
C:\WINDOWS\system32\aeado.exe
C:\WINDOWS\system32\qlrfu.exe
C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe
C:\Program Files\lol.exe

Registry keys to delete:
hklm\software\microsoft\shared tools\msconfig\startupreg\alpha
hklm\software\microsoft\shared tools\msconfig\startupreg\beta
hklm\software\microsoft\shared tools\msconfig\startupreg\gamma
hklm\software\microsoft\shared tools\msconfig\startupreg\mstsdsc.exe
hklm\software\microsoft\shared tools\msconfig\startupreg\SysRestore


after the restart also use Vundofix http://www.viry.cz/forum/viewtopic.php?t=16634
post the Vundofix log here, which you will find at C:\VundoFix.txt
and again info on how the computer behaves :wink:


Post by SiRuK » 29 Aug 2007 17:31

avenger log (again not everything was removed)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pnintsmq

*******************

Script file located at: \??\C:\Program Files\oavkoxxf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\effdcd.dll not found!
Deletion of file C:\WINDOWS\effdcd.dll failed!

Could not process line:
C:\WINDOWS\effdcd.dll
Status: 0xc0000034



File C:\WINDOWS\geebya.dll not found!
Deletion of file C:\WINDOWS\geebya.dll failed!

Could not process line:
C:\WINDOWS\geebya.dll
Status: 0xc0000034



File C:\WINDOWS\sstqpq.dll not found!
Deletion of file C:\WINDOWS\sstqpq.dll failed!

Could not process line:
C:\WINDOWS\sstqpq.dll
Status: 0xc0000034



File C:\WINDOWS\vtuurr.dll not found!
Deletion of file C:\WINDOWS\vtuurr.dll failed!

Could not process line:
C:\WINDOWS\vtuurr.dll
Status: 0xc0000034

File C:\WINDOWS\system32\aeado.exe deleted successfully.
File C:\WINDOWS\system32\qlrfu.exe deleted successfully.


File C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe not found!
Deletion of file C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe failed!

Could not process line:
C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe
Status: 0xc0000034

File C:\Program Files\lol.exe deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\alpha deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\beta deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\gamma deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\mstsdsc.exe deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\SysRestore deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

VUNDO

VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 16:54:42 29.8.2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



STILL ONLY ICQ WORKS BUT BROWSING WEB PAGES DOESN'T :cry:
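Added note, not part of the thread: the Avenger entries above that end in "Status: 0xc0000034" (STATUS_OBJECT_NAME_NOT_FOUND) are for the same files ComboFix already listed under "Other Deletions", so they show a no-op, not a surviving infection. The script below is an added example, not tooling from the thread or from Avenger/ComboFix; the log excerpts are constructed from lines posted above, and the `parse_avenger` and `triage` names are my own.

```python
import re
# Constructed excerpts, copied from the ComboFix and Avenger logs posted in this thread.
COMBOFIX_DELETIONS = r"""
C:\WINDOWS\effdcd.dll
C:\WINDOWS\geebya.dll
C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe
"""
AVENGER_LOG = r"""
File C:\WINDOWS\effdcd.dll not found!
Deletion of file C:\WINDOWS\effdcd.dll failed!
Status: 0xc0000034
File C:\WINDOWS\system32\aeado.exe deleted successfully.
Registry key hklm\software\microsoft\shared tools\msconfig\startupreg\alpha deleted successfully.
"""

# NTSTATUS values Avenger prints after a failed deletion (values from ntstatus.h).
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",          # something still protects the file
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the path no longer exists
    0xC0000043: "STATUS_SHARING_VIOLATION",      # the file is held open by a process
}

def parse_avenger(log):
    """Map each file/registry path in an Avenger log to ('deleted', None) or ('failed', status)."""
    results, pending = {}, None
    for line in (ln.strip() for ln in log.splitlines()):
        if m := re.match(r"(?:File|Registry key) (.+) deleted successfully\.$", line):
            results[m.group(1)] = ("deleted", None)
        elif m := re.match(r"Deletion of file (.+) failed!$", line):
            pending = m.group(1)
            results[pending] = ("failed", None)
        elif pending and (m := re.match(r"Status: (0x[0-9a-fA-F]+)$", line)):
            results[pending] = ("failed", int(m.group(1), 16))
            pending = None
    return results

def triage(avenger_log, combofix_deletions):
    """Cross-check Avenger failures against the paths ComboFix already deleted."""
    # NAME_NOT_FOUND on a path ComboFix removed is harmless; anything else needs a look.
    already_gone = {p.strip().lower() for p in combofix_deletions.splitlines() if p.strip()}
    verdicts = {}
    for path, (outcome, status) in parse_avenger(avenger_log).items():
        if outcome == "deleted":
            verdicts[path] = "removed by Avenger"
        elif status == 0xC0000034 and path.lower() in already_gone:
            verdicts[path] = "already removed by ComboFix"
        else:
            name = NTSTATUS.get(status, "no status" if status is None else f"status {status:#x}")
            verdicts[path] = "needs attention: " + name
    return verdicts
```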


Post by Baron Prášil » 29 Aug 2007 18:44

then also use that VirtumundoBegone
http://www.viry.cz/forum/viewtopic.php?t=16634

download otmoveit: http://download.bleepingcomput.....MoveIt.exe
run it and copy this text into the left white window:
C:\WINDOWS\effdcd.dll
C:\WINDOWS\geebya.dll
C:\WINDOWS\sstqpq.dll
C:\WINDOWS\vtuurr.dll
C:\WINDOWS\system32\{F8C97EA1-D5D9-4E39-B663-BE21C93444D9}.exe


tick Unregister Dll's and Ocx's
click the MoveIt button and if it asks for a restart, allow it
then send the log, which you will find here C:\_OTMoveIt\MovedFiles


Post by SiRuK » 29 Aug 2007 19:04

I tried that VirtumundoBegone in safe mode too, but nothing :(... so I'm going to try that otmoveit


Post by SiRuK » 29 Aug 2007 19:05

heh, you put a wrong link there :)

