Kontrola logu po 12 trojanech Vyřešeno

[onewinger]

Zdravím,
prosil bych kontrolu logu po odstranění 12ti druhů Trojanů z mého PC.

Díky



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41:51, on 29.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: Shell=explorer.exe csrcs.exe
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6317 bytes

[Reklama]

[Damned]

Odinstaluj ten AskBarDis.

Pak si spusť HJT a fixni:

F2 - REG:system.ini: Shell=explorer.exe csrcs.exe
F3 - REG:win.ini: run=
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\ bar\bin\askBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe

a pokud nemáš multijazykové nastavení (necestuješ s PC po světě) tak i toto:
O11 - Options group: [international] International


Poté restartuj PC a dej sem nový log HJT

[onewinger]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36:27, on 29.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6154 bytes

[Damned]

Stále tam vidím ten AskBar, odinstaluj ho!
Ale před tím, než ho odinstaluješ, vypni Nástroj pro obnovení systému. ->Ikona Tento počítač(pravým)->Vlastnosti->Obovení systému->Vypnout Nástroj obnovení systému.
Poté si stáhni Crap Cleaner a vyčisti jím PC.

Pak v HJT fixni (označit a stisknout Fix checked)

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe

A dej sem log z HJT

[Damned]

Pokud máš, stáhni si SmitFraudFix a postupuj podle tohoto návodu , po vyčištění sem dej nový log, já teď musím pryč, cca do šeti

[onewinger]

Na kontrolovaném PC jsem spustil SmitFraudFix a postupoval podle návodu. Nyní to vypsalo
Winsock2 Fix...
Generic Renos Fix...
Deleting infected files...
C:\autorun.inf\*. Jste si jisti? (A/N)

Takže bych se chtěl zeptat co mám dát?
Nerad bych vymazal nějaký systémový soubor

EDIT: Dal jsem pokyn pro vymazání tohoto souboru a SmitFraudFix napsal: Systém nemůže nalézt uvedenou cestu. A nyní pokračuje proces dál.

EDIT 2: SmitFraudFix dokončil proces. Přikládám log z SmitFraudFix a do druhého příspěvku dám log z HJT.


SmitFraudFix v2.405

Scan done at 19:10:55,38, ne 29.03.2009
Run from C:\Documents and Settings\Petr\Plocha\SmitfraudFix
OS: Microsoft Windows XP [Verze 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

Problem while deleting C:\autorun.inf

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E3FAF7F8-5BCC-4303-89FA-70B32C02E0B1}: DhcpNameServer=79.127.160.2 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E3FAF7F8-5BCC-4303-89FA-70B32C02E0B1}: DhcpNameServer=79.127.160.2 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E3FAF7F8-5BCC-4303-89FA-70B32C02E0B1}: DhcpNameServer=79.127.160.2 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=79.127.160.2 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[onewinger]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:51, on 29.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5987 bytes

[Damned]

Aj, konečně sem se sem dostal. Smita jsme odstranili, teď zbývá jen ten autorun.

Stáhni si MWAV a postupuj podle návodu ZDE ,
Log sem dej jen s názvy errors.
Omlouvám se za mé připojení, netuším jak včas zareaguji. (Mám jen GPRS přes mobil).

[onewinger]

Object "Spyware.NetScreenWatch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SmitFraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "DiskKnight Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Microsoft.ActiveXPlugin" refers to invalid object "{06DD38D3-D187-11CF-A80D-00C04FD74AD8}". Action Taken: No Action Taken.
Entry "HKCR\Microsoft.ActiveXPlugin.1" refers to invalid object "{06DD38D3-D187-11CF-A80D-00C04FD74AD8}". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".$$$". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mp4". Action Taken: No Action Taken.
File C:\WINDOWS\system32\autorun.inf infected by "Trojan.AutorunINF.Gen (DB)" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\autorun.inf infected by "Trojan.AutorunINF.Gen (DB)" Virus! Action Taken: No Action Taken.

[jaro3]

Na požádání zadavatele a delší nepřítomnosti Damneda budu pokračovat já.

Vypni rez. ochrany u COMODO Internet Security ( i firewall).
Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[onewinger]

ComboFix 09-03-30.04 - Petr 2009-03-31 18:59:39.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.511.305 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\csrcs.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\taskmgr.com
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_botdrv
-------\Service_botdrv


((((((((((((((((((((((((( Soubory vytvořené od 2009-02-28 do 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-31 18:48 . 2009-03-31 18:51 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2009-03-31 18:43 . 2009-03-31 18:48 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> d-------- c:\documents and settings\Administrator\Plocha
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> d--h----- c:\documents and settings\Administrator\Okolní tiskárny
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> d--h----- c:\documents and settings\Administrator\Okolní síť
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> d-------- c:\documents and settings\Administrator\Oblíbené položky
2009-03-29 19:09 . 2009-03-18 17:42 <DIR> d--h----- c:\documents and settings\Administrator\Šablony
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> dr------- c:\documents and settings\Administrator\Nabídka Start
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> d-------- c:\documents and settings\Administrator\Dokumenty
2009-03-29 19:09 . 2009-03-18 18:34 <DIR> dr-h----- c:\documents and settings\Administrator\Data aplikací
2009-03-29 19:09 . 2009-03-29 19:09 <DIR> d-------- c:\documents and settings\Administrator
2009-03-29 15:41 . 2009-03-29 15:41 0 --a------ C:\23990098.$$$
2009-03-29 15:32 . 2009-03-29 20:58 28 --a------ c:\windows\Lic.xxx
2009-03-29 15:31 . 2009-03-29 15:31 <DIR> d-------- c:\program files\Common Files\MicroWorld
2009-03-29 15:31 . 2009-03-29 15:31 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\MicroWorld
2009-03-29 15:31 . 2009-03-29 15:31 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-29 15:31 . 2009-03-29 15:31 548,864 --a------ c:\windows\system32\msvcp80.dll
2009-03-29 15:31 . 2008-04-14 08:52 147,968 --a------ c:\windows\R.COM
2009-03-29 15:31 . 2008-04-14 08:52 137,216 --a------ c:\windows\system32\T.COM
2009-03-29 15:31 . 2009-03-29 15:31 28,672 --a------ c:\windows\system32\eEmpty.exe
2009-03-29 15:31 . 2005-09-22 23:22 522 --a------ c:\windows\system32\Microsoft.VC80.CRT.manifest
2009-03-29 15:17 . 2009-03-29 15:21 <DIR> d-a------ c:\documents and settings\All Users\Data aplikací\TEMP
2009-03-29 15:15 . 2009-03-29 15:20 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-29 14:41 . 2009-03-29 14:41 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 12:29 . 2009-03-29 12:29 <DIR> d-------- c:\program files\Microsoft Games
2009-03-29 12:15 . 2009-03-29 12:20 2,876 --a------ c:\windows\WTRAN32.INI
2009-03-29 12:14 . 2009-03-29 12:17 <DIR> d-------- c:\program files\TRANSLAT
2009-03-29 11:54 . 2009-03-29 11:54 <DIR> d--hs---- c:\documents and settings\Petr\PrivacIE
2009-03-29 11:53 . 2009-03-29 11:53 <DIR> d--hs---- c:\documents and settings\Petr\IETldCache
2009-03-29 11:47 . 2009-03-29 11:49 <DIR> d--h-c--- c:\windows\ie8
2009-03-29 00:51 . 2009-03-29 22:02 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\_comodo_
2009-03-29 00:10 . 2009-03-29 00:10 <DIR> d-------- c:\program files\AskSearch
2009-03-29 00:10 . 2009-03-29 00:10 249,592 --a------ c:\windows\system32\cssdll32.dll
2009-03-29 00:09 . 2009-03-31 18:57 <DIR> d-------- c:\program files\COMODO
2009-03-28 22:06 . 2009-03-28 22:06 0 --ahs---- C:\khq
2009-03-28 21:59 . 2009-03-28 21:59 <DIR> d-------- C:\Logs
2009-03-27 20:46 . 2009-03-27 20:46 <DIR> d-------- c:\documents and settings\Petr\WINDOWS
2009-03-27 20:46 . 1997-06-02 12:32 314,880 --a------ c:\windows\IsUninst.exe
2009-03-27 17:50 . 2009-03-27 17:50 737,280 --a------ c:\windows\iun6002.exe
2009-03-27 08:27 . 2009-03-27 08:27 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-26 15:58 . 2008-04-14 01:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-26 15:58 . 2008-04-14 01:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-03-26 15:58 . 2009-03-26 15:58 511 --a------ c:\windows\eReg.dat
2009-03-25 18:13 . 2009-03-25 18:14 <DIR> d-------- c:\program files\TotalCMD
2009-03-25 18:13 . 2009-03-29 15:19 2,231 --a------ c:\windows\wincmd.ini
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\UC.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\RAR.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\PKZIP.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\LHA.PIF
2009-03-25 18:13 . 2008-08-08 08:04 545 --a------ c:\windows\ARJ.PIF
2009-03-25 15:12 . 2009-03-25 15:12 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Apple Computer
2009-03-25 15:06 . 2009-03-25 15:07 <DIR> d-------- c:\program files\QuickTime
2009-03-25 15:06 . 2009-03-25 15:06 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Apple Computer
2009-03-25 15:05 . 2009-03-25 15:05 <DIR> d-------- c:\program files\Apple Software Update
2009-03-25 15:05 . 2009-03-25 15:05 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Apple
2009-03-23 22:15 . 2006-11-30 16:14 97,088 -ra------ c:\windows\system32\drivers\se45mdm.sys
2009-03-23 22:15 . 2006-11-30 16:14 9,360 -ra------ c:\windows\system32\drivers\se45mdfl.sys
2009-03-23 22:15 . 2006-11-30 16:13 6,240 -ra------ c:\windows\system32\drivers\se45cmnt.sys
2009-03-23 22:15 . 2006-11-30 16:13 6,240 -ra------ c:\windows\system32\drivers\se45cm.sys
2009-03-23 19:58 . 2009-03-23 19:59 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Zoner
2009-03-23 19:56 . 2009-03-23 19:56 <DIR> d-------- c:\program files\Zoner
2009-03-23 19:47 . 2009-03-23 19:47 <DIR> d-------- c:\documents and settings\Guest\Data aplikací\Sony Ericsson
2009-03-23 19:46 . 2009-03-23 19:48 <DIR> d-------- c:\documents and settings\Guest\Plocha
2009-03-23 19:46 . 2009-03-18 18:34 <DIR> d--h----- c:\documents and settings\Guest\Okolní tiskárny
2009-03-23 19:46 . 2009-03-18 18:34 <DIR> d--h----- c:\documents and settings\Guest\Okolní síť
2009-03-23 19:46 . 2009-03-23 19:47 <DIR> dr------- c:\documents and settings\Guest\Oblíbené položky
2009-03-23 19:46 . 2009-03-18 17:42 <DIR> d--h----- c:\documents and settings\Guest\Šablony
2009-03-23 19:46 . 2009-03-18 18:34 <DIR> dr------- c:\documents and settings\Guest\Nabídka Start
2009-03-23 19:46 . 2009-03-23 19:47 <DIR> dr------- c:\documents and settings\Guest\Dokumenty
2009-03-23 19:46 . 2009-03-24 19:11 <DIR> dr-h----- c:\documents and settings\Guest\Data aplikací
2009-03-23 19:46 . 2009-03-23 19:48 <DIR> d-------- c:\documents and settings\Guest
2009-03-23 18:59 . 2009-03-29 12:22 69 --a------ c:\windows\NeroDigital.ini
2009-03-23 17:55 . 2006-11-30 16:13 61,536 -ra------ c:\windows\system32\drivers\se45bus.sys
2009-03-23 17:55 . 2008-04-14 01:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-23 17:55 . 2008-04-14 01:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-23 17:55 . 2006-11-30 16:14 5,872 -ra------ c:\windows\system32\drivers\se45whnt.sys
2009-03-23 17:55 . 2006-11-30 16:14 5,872 -ra------ c:\windows\system32\drivers\se45wh.sys
2009-03-23 17:40 . 2009-03-23 17:40 <DIR> d-------- c:\program files\RocketDock
2009-03-23 17:32 . 2009-03-25 08:26 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\skypePM
2009-03-23 17:32 . 2009-03-23 17:32 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-23 17:31 . 2009-03-23 17:31 <DIR> dr------- c:\program files\Skype
2009-03-23 17:31 . 2009-03-23 17:31 <DIR> d-------- c:\program files\Common Files\Skype
2009-03-23 17:31 . 2009-03-25 08:30 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Skype
2009-03-23 17:30 . 2009-03-23 17:31 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Skype
2009-03-23 17:28 . 2009-03-25 21:30 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Ahead
2009-03-23 17:21 . 2009-03-23 17:21 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Nero
2009-03-23 17:20 . 2009-03-23 17:20 <DIR> d-------- c:\program files\Nero
2009-03-23 17:20 . 2009-03-23 17:30 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-23 17:15 . 2008-04-14 08:51 52,224 --a------ c:\windows\system32\MsPMSNSv.dll
2009-03-23 17:13 . 2008-04-14 08:53 299,520 --a------ c:\windows\system32\drmclien.dll
2009-03-23 17:13 . 2008-04-14 08:51 87,040 --a------ c:\windows\system32\drmstor.dll
2009-03-23 17:09 . 2008-04-14 08:51 25,088 --a------ c:\windows\system32\shfolder.dll
2009-03-23 16:51 . 2009-03-23 16:51 <DIR> d-------- c:\program files\Common Files\CANON
2009-03-23 16:29 . 2009-03-23 16:29 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2009-03-23 16:29 . 2009-03-23 16:29 <DIR> d--h----- c:\documents and settings\All Users\Data aplikací\CanonBJ
2009-03-23 16:29 . 1998-11-13 13:58 307,200 --a------ c:\windows\IsUn0405.exe
2009-03-23 16:29 . 2006-09-13 07:00 197,632 --a------ c:\windows\system32\CNMLM86.DLL
2009-03-23 16:28 . 2009-03-23 16:28 <DIR> d--h----- c:\program files\CanonBJ
2009-03-23 16:27 . 2009-03-23 16:30 <DIR> d-------- c:\program files\Canon
2009-03-23 16:23 . 2009-03-23 16:23 <DIR> d-------- c:\program files\Trust
2009-03-23 16:23 . 2007-02-13 08:42 14,848 --a------ c:\windows\system32\drivers\KMWDFilter.SYS
2009-03-23 16:21 . 2009-03-23 16:21 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\{3E318E90-4BE6-4440-A0EE-2EAF8419199C}
2009-03-23 16:10 . 2009-03-23 16:10 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Sony Ericsson
2009-03-23 16:04 . 2009-03-23 16:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-23 16:04 . 2009-03-23 16:04 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Sony Ericsson
2009-03-23 16:03 . 2009-03-23 16:03 <DIR> d-------- c:\program files\Sony Ericsson
2009-03-23 16:03 . 2009-03-23 16:04 <DIR> d-------- c:\program files\Common Files\Teleca Shared
2009-03-23 16:03 . 2009-03-23 16:04 <DIR> d-------- c:\program files\Common Files\Sony Ericsson Shared
2009-03-23 16:03 . 2009-03-23 16:04 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Teleca
2009-03-23 16:02 . 2009-03-23 16:02 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-23 16:02 . 2009-03-28 23:59 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-03-23 16:00 . 2009-03-23 16:00 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-23 16:00 . 2009-03-23 16:00 1,409 --a------ c:\windows\QTFont.for
2009-03-23 15:55 . 2009-03-23 18:16 <DIR> d-------- c:\program files\Any Video Converter
2009-03-23 15:55 . 2009-03-23 18:16 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\Any Video Converter
2009-03-23 15:33 . 2009-03-23 15:33 0 --a------ c:\windows\nsreg.dat
2009-03-19 21:19 . 2009-03-19 21:19 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-03-19 21:14 . 2009-03-19 21:14 <DIR> d-------- c:\documents and settings\Petr\Data aplikací\DAEMON Tools Lite
2009-03-19 21:12 . 2009-03-23 18:22 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\McAfee.com
2009-03-19 20:35 . 2008-04-14 08:51 21,504 --a------ c:\windows\system32\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 17:59 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-28 22:00 --------- d-----w c:\program files\QIP
2009-03-24 14:48 --------- d-----w c:\program files\ICQ6.5
2009-03-23 16:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-23 15:11 --------- d-----w c:\documents and settings\Petr\Data aplikací\ICQ
2009-03-18 16:47 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-03-18 16:44 --------- d-----w c:\program files\Microsoft Works
2009-03-18 16:43 --------- d-----w c:\program files\MSBuild
2009-03-18 16:03 --------- d-----w c:\program files\C-Media
2009-03-18 15:48 --------- d-----w c:\program files\microsoft frontpage
2009-01-15 00:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 00:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 00:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 00:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 00:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 00:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 00:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 00:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-14 23:50 156,160 ----a-w c:\windows\system32\msls31.dll
2001-11-23 04:08 712,704 ----a-r c:\windows\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"WireLessMouse"="c:\program files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe" [2007-03-06 212992]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO SafeSurf]
--a------ 2009-03-29 00:10 278264 c:\program files\COMODO\SafeSurf\cssurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2009-03-01 12:59 172792 c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-03-16 19:47 24095528 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 02:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2002-07-12 10:33 1581056 c:\windows\mixer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
S1 b41c9e6;b41c9e6;c:\windows\system32\drivers\b41c9e6.sys --> c:\windows\system32\drivers\b41c9e6.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{566b13c0-17b2-11de-956e-00e04c7edb28}]
\Shell\AutoRun\command - fhaxft.exe
\Shell\explore\Command - fhaxft.exe
\Shell\open\Command - fhaxft.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{566b13c1-17b2-11de-956e-00e04c7edb28}]
\Shell\AutoRun\command - fhaxft.exe
\Shell\explore\Command - fhaxft.exe
\Shell\open\Command - fhaxft.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffffaed3-1bc7-11de-957f-00e04c7edb28}]
\Shell\AutoRun\command - G:\fhaxft.exe
\Shell\explore\Command - G:\fhaxft.exe
\Shell\open\Command - G:\fhaxft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60b49e34-c7cc-11d0-8953-00a0c90347ff}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-12ZFG94-F641-2SF-K31P-5N1ER6H6L2 - c:\recycler\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
MSConfigStartUp-12zfg94-f641-2sf-k31p-5n1er6h6l2 - c:\recycler\S-1-5-21-0443168636-0719290372-618699403-3412\service.exe
MSConfigStartUp-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe


.
------- Doplňkový sken -------
.
uStart Page = about:blank
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Petr\Data aplikací\Mozilla\Firefox\Profiles\dzrfm8ma.default\
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz/

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 19:03:30
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Celkový čas: 2009-03-31 19:06:27 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-03-31 17:06:24

Před spuštěním: Volných bajtů: 33 223 802 880
Po spuštění: Volných bajtů: 33,237,569,536

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
270

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

sc config b41c9e6 start= disabled
sc stop b41c9e6
sc delete b41c9e6

ulož si ho na plochu jako-název remove.bat a ulož ho jako typ všechny soubory , najdi na ploše tento soubor , spusť ho poklepáním.Otevře se Dosovské okno a zavře. Restartuj comp.
*****************************************************************************************************************************************
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
c:\windows\iun6002.exe
c:\windows\system32\drivers\b41c9e6.sys

Driver::
b41c9e6

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{566b13c0-17b2-11de-956e-00e04c7edb28}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{566b13c1-17b2-11de-956e-00e04c7edb28}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffffaed3-1bc7-11de-957f-00e04c7edb28}]


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT