About half an hour after turning the PC on, my internet stops working, but ICQ keeps working. I don't know what's wrong with it.
here's my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:27, on 30.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Documents and Settings\jan\Plocha\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpywareTerminator] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fuzutjs.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Plánovač automatické aktualizace LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 7176 bytes
Log check please, the internet stops working (solved) Solved
Last edited by Ricky. on 02 Sep 2007 14:37, edited 2 times in total.
Use LSPFix:
Download LSPFix and run it.
In its window, tick the "I know what I'm doing" checkbox; that enables the arrows between the two panes. Then select fuzutjs.dll in the left pane and move it to the right pane with the >> arrows. Then click the Finish button.
But don't move anything else, otherwise you could break your internet connection, and if there is anything other than fuzutjs.dll in the right pane, move it back to the left pane with the << arrows.
Then post a new HJT log here and say whether the internet still stops working after half an hour.
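The LSPFix step above removes every Winsock catalog entry that points at fuzutjs.dll. The eleven O10 lines in the first HJT log are one line per catalog entry, not eleven copies of the file: an LSP installs one entry of its own plus one chain entry for every base provider it hooks, and all of them reference the same DLL. The following is an added example, not part of this thread and not code from LSPFix or HijackThis, that does the same triage offline in Python. It parses a constructed excerpt in the layout of `netsh winsock show catalog` (the field names, entry-type strings and catalog IDs in the sample are assumptions), counts entries per provider DLL, flags any DLL that is not a stock Windows XP provider and records which base provider each chain entry sits on, and separately counts the HijackThis O10 lines from the log above. nwprovau.dll is the Client Service for NetWare name-space provider that ships with Windows XP, which is why it is allowlisted even though HijackThis labels it "unknown".

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Winsock provider DLLs shipped with Windows XP SP2 (nwprovau.dll is the
# NetWare name-space provider). Treating this set as complete is an
# assumption of this example; extend it for other Windows versions.
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed sample in the layout of `netsh winsock show catalog` (field
# names, entry-type strings and IDs are assumptions): one stock MSAFD base
# provider, the LSP's own entry (chain length 0) and one chain entry that
# layers the LSP over the base provider.
SAMPLE_CATALOG = r"""Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Provider Path:                      C:\WINDOWS\system32\fuzutjs.dll
Catalog Entry ID:                   1020
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Provider Path:                      C:\WINDOWS\system32\fuzutjs.dll
Catalog Entry ID:                   1021
Protocol Chain Length:              2
Protocol Chain:                     1020 : 1001
"""

# The O10 lines of the first HijackThis log in this thread: one line per
# catalog entry, so a single LSP DLL can appear many times.
SAMPLE_HJT_O10 = (
    ["O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll"]
    + ["O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\fuzutjs.dll"] * 11
)

ENTRY_HEADER = re.compile(r"Winsock Catalog Provider Entry\r?\n-+\r?\n")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def parse_catalog(text):
    """Split netsh-style output into entries; each entry is a dict of 'Key: value'."""
    entries = []
    for block in ENTRY_HEADER.split(text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so the
            if sep:                                # chain '1020 : 1001' survives
                fields[key.strip()] = value.strip()
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def dll_name(path):
    return PureWindowsPath(path).name.lower()


def triage(entries, known=KNOWN_PROVIDERS):
    """Return (entries per DLL, suspicious entries). A chain entry also records
    the layers beneath it: those are what must be re-linked when the LSP goes,
    otherwise no socket can be created and the box loses all networking."""
    dll_of = {int(e["Catalog Entry ID"]): dll_name(e["Provider Path"]) for e in entries}
    counts = Counter(dll_of.values())
    findings = []
    for e in entries:
        cid = int(e["Catalog Entry ID"])
        if dll_of[cid] in known:
            continue
        chain = [int(x) for x in e.get("Protocol Chain", "").split(":") if x.strip()]
        findings.append({
            "catalog_id": cid,
            "dll": dll_of[cid],
            "entry_type": e.get("Entry Type", "?"),
            # chain[0] is the LSP's own entry; the rest are the layers below it
            "layered_over": [dll_of.get(c, "?") for c in chain[1:]],
        })
    return counts, findings


def count_hjt_o10(lines):
    """Count HijackThis O10 lines per DLL basename."""
    counts = Counter()
    for line in lines:
        m = O10_LINE.match(line.strip())
        if m:
            counts[dll_name(m.group(1))] += 1
    return counts


def unknown_dlls(counts, known=KNOWN_PROVIDERS):
    return {dll for dll in counts if dll not in known}


if __name__ == "__main__":
    print(triage(parse_catalog(SAMPLE_CATALOG)))
    hjt = count_hjt_o10(SAMPLE_HJT_O10)
    print(dict(hjt), unknown_dlls(hjt))
```

On the real machine, `netsh winsock show catalog > catalog.txt` gives the input for `parse_catalog`. If LSPFix is not at hand, `netsh winsock reset` (available from XP SP2 on) rebuilds the catalog from scratch; that unhooks the LSP but does not delete the DLL, and any legitimate LSP such as a firewall's has to be reinstalled afterwards.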
here's the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:06, on 31.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jan\Plocha\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpywareTerminator] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Plánovač automatické aktualizace LiveUpdate - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 6430 bytes
Uninstall Crawler Toolbar.
Then delete its folder:
C:\Program Files\Crawler
Use ComboFix:
Download ComboFix, save it to the desktop, close all open windows and run it.
Follow the instructions; while ComboFix is running, don't click into the window it displays, because that can stop the process.
When it finishes, a log is created, so copy its contents here.
(The computer may restart; that happens when ComboFix has found infected files and restarts the PC in order to delete them.)
Administrator rights are required to run ComboFix.
Otherwise, the ComboFix log is located at C:\ComboFix.txt
to sakiri: hey, thanks a lot, the internet is working fine so far, and on top of that my PC starts up twice as fast and Security Center works again!!! THANKS A LOT!!!
here's the log from ComboFix, I don't know why there are 2 of them :)
ComboFix 07-08-30.3 - "jan" 2007-09-01 10:41:49.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.221 [GMT 2:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
C:\cp1041.nls
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\a.dll
C:\WINDOWS\system32\cvk.dll
C:\WINDOWS\system32\dketdzptllauu.dll
C:\WINDOWS\system32\fuzutjs.dll
C:\WINDOWS\system32\hgzzbmp.dll
C:\WINDOWS\system32\hptiknacbth.dll
C:\WINDOWS\system32\jikjtajsrdc.dll
C:\WINDOWS\system32\jqvyy.dll
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\ljwxrujsv.dll
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\tambijrhblh.dll
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\uupyagz.dll
Restored copy from - C:\WINDOWS\system32\dllcache\ndis.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_FWDRV.SYS
-------\LEGACY_POOF
-------\LEGACY_QQD.SYS
-------\fwdrv.sys
-------\qqd.sys
((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))
2007-09-01 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 18:10 <DIR> d-------- C:\Program Files\Vidomi
2007-08-29 17:11 1,984 --a------ C:\WINDOWS\system32\drivers\papycpu.sys
2007-08-29 17:11 1,888 --a------ C:\WINDOWS\system32\drivers\papyjoy.sys
2007-08-29 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}
2007-08-25 11:26 598,016 --a------ C:\WINDOWS\system32\OOD2KCRS.dll
2007-08-25 11:26 29,272 --a------ C:\WINDOWS\system32\OOD2KBS.exe
2007-08-25 11:26 24,576 --a------ C:\WINDOWS\system32\OODCSPRO.dll
2007-08-25 11:26 238,080 --a------ C:\WINDOWS\system32\OOD2000.exe
2007-08-25 11:26 16,384 --a------ C:\WINDOWS\system32\ood2kmsg.dll
2007-08-21 13:15 <DIR> d-------- C:\Program Files\Winamp
2007-08-19 18:53 <DIR> d-------- C:\Nová složka
2007-08-18 22:31 <DIR> d-------- C:\Program Files\ICQ FORCE
2007-08-15 11:56 163,328 --------- C:\WINDOWS\UNINEPSC.EXE
2007-08-13 16:02 <DIR> d-------- C:\Program Files\Centauri
2007-08-13 11:43 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-11 20:55 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-08-11 20:51 <DIR> d-------- C:\Program Files\Nero
2007-08-11 20:51 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-11 20:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Nero
2007-08-10 16:10 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-08-10 16:10 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-08-10 16:10 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-08-10 16:10 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-08-10 16:10 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-08-10 16:10 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-08-10 16:10 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-08-07 21:49 <DIR> d-------- C:\Program Files\ICQ6
2007-08-06 16:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-08-06 16:52 <DIR> d-------- C:\Program Files\Comodo
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-08-05 21:14 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-08-05 21:10 147,968 --a------ C:\WINDOWS\R.COM
2007-08-05 21:10 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-08-05 19:08 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-08-05 19:02 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-08-05 19:02 <DIR> d-------- C:\Program Files\Crawler
2007-08-05 19:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-08-04 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-04 16:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Lavasoft
2007-08-04 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-01 10:36 --------- d-------- C:\Program Files\ICQToolbar
2007-08-27 12:17 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 22:38 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-04 16:40 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-26 12:43 --------- d-------- C:\Program Files\Codec Pack - All In 1
2007-07-22 17:10 330 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-07-22 16:43 --------- d-------- C:\Program Files\Sunbelt Software
2007-07-21 11:35 --------- d-------- C:\Program Files\Quad 2
2007-07-17 17:57 --------- d-------- C:\Program Files\E-Color
2007-07-14 11:54 --------- d-------- C:\Program Files\QIP
2007-07-14 10:15 4 --a------ C:\WINDOWS\info147.sys
2007-07-14 10:12 --------- d-------- C:\Program Files\Common Files\Totem Shared
2007-07-13 20:09 --------- d-------- C:\Program Files\MSBuild
2007-07-13 20:03 --------- d-------- C:\Program Files\Reference Assemblies
2007-06-03 18:04 737280 --a------ C:\WINDOWS\iun6002.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-15 20:45]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-08-06 20:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-05 19:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-17 15:58]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 C:\WINDOWS\SOUNDMAN.EXE]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-05 19:03]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)
R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\drivers\papyjoy.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 10:43:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\P3]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\papycpu]
"ImagePath"="\SystemRoot\system32\drivers\papycpu.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\papyjoy]
"ImagePath"="\SystemRoot\system32\drivers\papyjoy.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PartMgr]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\ParVdm]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PCIDump]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\Pcmcia]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PDCOMP]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PDFRAME]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PDRELI]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PDRFRAME]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\perc2]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\perc2hib]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PerfDisk]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PerfNet]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PerfOS]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PerfProc]
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\Plánovač automatické aktualizace LiveUpdate]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\prodrv06]
"ImagePath"="\SystemRoot\System32\drivers\prodrv06.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\prohlp02]
"ImagePath"="System32\drivers\prohlp02.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"
Completion time: 2007-09-01 10:47:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 10:47
--- E O F ---
AND HERE IS THE OTHER ONE...
here is the ComboFix log, I don't know why there are 2 of them there : )
2004-08-17 15:49 137216 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-17 15:49 147968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir
2007-06-08 17:45 25088 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\koos.exe.vir
2007-06-08 17:45 281348 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir
2007-06-08 17:45 30208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\poof.vir
2007-06-08 17:45 6144 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kprof.vir
2007-07-08 21:23 15399 --a------ C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-08-07 12:45 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jikjtajsrdc.dll.vir
2007-08-07 15:40 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jqvyy.dll.vir
2007-08-07 16:01 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tambijrhblh.dll.vir
2007-08-07 16:37 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljwxrujsv.dll.vir
2007-08-07 17:08 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\uupyagz.dll.vir
2007-08-07 17:15 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cvk.dll.vir
2007-08-07 18:19 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\a.dll.vir
2007-08-07 19:35 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hptiknacbth.dll.vir
2007-08-07 19:40 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dketdzptllauu.dll.vir
2007-08-08 16:36 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fuzutjs.dll.vir
2007-08-31 22:06 21504 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hgzzbmp.dll.vir
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\FAVORITES.folder.cf
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\MY PICTURES.folder.cf
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\PROGRAMS.folder.cf
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\START MENU.folder.cf
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\STARTUP.folder.cf
2007-09-01 10:41 0 --a------ C:\Qoobox\BackEnv\TEMPLATES.folder.cf
2007-09-01 10:41 164 --a------ C:\Qoobox\BackEnv\profiles.folder.cf
2007-09-01 10:41 195 --a------ C:\Qoobox\BackEnv\CACHE.folder.cf
2007-09-01 10:41 196 --a------ C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf
2007-09-01 10:41 2696 --a------ C:\Qoobox\BackEnv\setpath.bat
2007-09-01 10:41 31 --a------ C:\Qoobox\BackEnv\APPDATA.folder.cf
2007-09-01 10:41 35 --a------ C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf
2007-09-01 10:41 82 --a------ C:\Qoobox\BackEnv\DESKTOP.folder.cf
2007-09-01 10:41 88 --a------ C:\Qoobox\BackEnv\PERSONAL.folder.cf
2007-09-01 10:42 1052 --a------ C:\Qoobox\Quarantine\Registry_backups\services_qqd.reg.cf
2007-09-01 10:42 1122 --a------ C:\Qoobox\Quarantine\Registry_backups\services_fwdrv.reg.cf
2007-09-01 10:42 1208 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_QQD.SYS.reg.cf
2007-09-01 10:42 1232 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_FWDRV.SYS.reg.cf
2007-09-01 10:42 13780 --a------ C:\Qoobox\Quarantine\catchme2007-09-01_104335.21.zip
2007-09-01 10:42 148 --a------ C:\Qoobox\Quarantine\catchme.log
2007-09-01 10:43 461176 --a------ C:\Qoobox\snapshot_2007-09-01_104353.56.cf
Výpis CESTY složky
Sériové číslo svazku je 9C65-D8DE
C:\QOOBOX
| snapshot_2007-09-01_104353.56.cf
|
+---BackEnv
| APPDATA.folder.cf
| CACHE.folder.cf
| DESKTOP.folder.cf
| FAVORITES.folder.cf
| LOCAL APPDATA.folder.cf
| LOCAL SETTINGS.folder.cf
| MY PICTURES.folder.cf
| PERSONAL.folder.cf
| profiles.folder.cf
| PROGRAMS.folder.cf
| setpath.bat
| START MENU.folder.cf
| STARTUP.folder.cf
| TEMPLATES.folder.cf
|
\---Quarantine
| catchme.log
| catchme2007-09-01_104335.21.zip
|
+---C
| +---ComboFix
| | FProps.vbs.vir
| |
| \---WINDOWS
| | REGEDIT.COM.vir
| |
| \---system32
| | a.dll.vir
| | cvk.dll.vir
| | dketdzptllauu.dll.vir
| | fuzutjs.dll.vir
| | hgzzbmp.dll.vir
| | hptiknacbth.dll.vir
| | jikjtajsrdc.dll.vir
| | jqvyy.dll.vir
| | koos.exe.vir
| | kprof.vir
| | ljwxrujsv.dll.vir
| | poof.vir
| | tambijrhblh.dll.vir
| | TASKMGR.COM.vir
| | uupyagz.dll.vir
| |
| \---drivers
| ndis.sys.vir
|
\---Registry_backups
LEGACY_FWDRV.SYS.reg.cf
LEGACY_QQD.SYS.reg.cf
services_fwdrv.reg.cf
services_qqd.reg.cf
You had quite a collection there, but ComboFix deleted everything.
It also replaced the infected ndis.sys with a clean one.
But do this as well:
Download Avenger and run it under an administrator account.
Check the option Input script manually and click the magnifying-glass icon; an empty window will pop up, into which you copy the text marked in bold:
Folders to delete:
C:\Program Files\Crawler
C:\Qoobox
Then click Done.
Then click the traffic-light icon.
A prompt will pop up where you click Yes, then another prompt where you click Yes.
The PC will restart. After the restart an Avenger log should "pop up", so copy it here.
sorry it took so long :)
here it is:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ygsdabpx
*******************
Script file located at: \??\C:\WINDOWS\vqmjescs.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Folder C:\Program Files\Crawler deleted successfully.
Folder C:\Qoobox deleted successfully.
Completed script processing.
*******************
Finished! Terminate.