nasel jsem ve spravci uloh - smss.exe, csrss.exe, svchost

[glasswort]

Dobrý den,
ve správci úloh jsem nalezl procesy, které se mi nezdáli a na googlu jsem se dozveděl, že se jedná o viry, ovšem jsem opravdu jen základní uživatel PC a tak si nevím rady, jak se toho zbavit. Awast mi nic nehlásí a viry nenajde. V systému Windows se absolutně nevyznám. Mám Win XP. Prosím o radu. Děkuji

[motji]

Dobré ranko
Soubory jsou systémové, tedy ve správném umístění, proto je nemažte .
Pokud máte nějaké podezdření na breberky v pc, vložte zde log ze Rsitu, viz můj podpis. Podíváme se na to

[glasswort]

Stahl jsem si Spyware doctor a ten mi nasel - Trojan.Generic, Adware.WhenU.SaveNow,Adware.Component.WhenU , ovsem byla to jen zkusebni verze a tak to neodstanilo. Dale jsem si stahnul Trojan Remover a ten mi nasel Windir, ale neodstranil... spis tam nebylo ani kde to zadat.

Jeste predem rikam, ze jsem uplnej lajk co se tyka PC

[motji]

krásná sbírečka virů, kde jste k tomu přišel?
Už sám nic nestahujte, ty dva programy co jste stahl bych Vám zase doporučila odinstalovat.
Cokoliv nebudete chápat, napište


Stahněte Rkill z jednoho z odkazů, pokud by ho vir blokoval, zkuste stahnout jiný

Rkill EXE:
http://download.bleepingcomputer.com/grinler/rkill.exe

Rkill COM:
http://download.bleepingcomputer.com/grinler/rkill.com

Rkill SCR:
http://download.bleepingcomputer.com/grinler/rkill.scr

Rkill PIF:
http://download.bleepingcomputer.com/grinler/rkill.pif

-spusťte ho a nechejte pracovat. Sám se ukončí.

- Ted nerestartujte počítač!





Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-souhlaste s instalací konzole pro zotavení

- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

[glasswort]

Postupoval jsem podle vasich pokynu, combofix mi v prubehu napsal okno, kde mi psal, ze neni konzola na zotaveni systemu, tak si to stahl, pak dokoncil, restartoval a pote vyjel log.
Chci se jen zeptat, program combofix, co vlastne to dela?

[motji]

Combofix provede hloubkový sken systému a odstraní škodlivé soubory, které má v databázi. Do logu zaznamená různé změny v souborech, záznamy v registrech, které já pak vyhodnotím a případně napíšu dočištovací skript na combofix, který odstraní škodlivé soubory.
Rozhodně se nedoporučuje použít combofix bez doporučení a dozoru rádce. Občas má bug a může poškodit systém, což laik opravit nedokáže.
Pro nás rádce je combofix velký pomocník, ale pro laika může být nebezpečný.


Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

Firefox::
FF - ProfilePath - c:\documents and settings\Ondra\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... 2.0.0.1&q=

DDS::
uStart Page = hxxp://start.icq.com/

Collect::
c:\windows\system32\WinDir\Svchost.exe
c:\docume~1\Ondra\LOCALS~1\Temp\cdiskdun.sys 
 d:\ntglm7x.sys 
c:\windows\system32\winsys2.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}]

Driver::
cdiskdun

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:




-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

[glasswort]

Nebudu combofix bezne uzivat, protoze tomu nerozumim, ovsem viditelne problemy po prvnim skenu jiz nejsou. Dale jsem udelal vse jak jste napsala, tedy to poznamkoveho bloku jsem vlozil ten skript a dal sken, ovsem vyskocilo okno, ze nebylo nic nalezeno na disku D a neslo stim nic delat... pote mi nesel internet pres firefox. to jsem vyresil restartem a F8. ale kazdopadne druhy sken se nezdaril.

[motji]

Poprosím o log ze Rsitu

[glasswort]

.

[motji]

Použijte znovu OTM, máte ho někde na ploše
-2krát klikněte na Otm,spustí se program,
Do levého okna "Paste Instructions for Items to be Moved" pod žlutou čáru zkopírujete skript

Kód: Vybrat vše

:processes
explorer.exe
 
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
c:\windows\system32\WinDir\Svchost.exe
c:\docume~1\Ondra\LOCALS~1\Temp\cdiskdun.sys
c:\windows\system32\winsys2.exe

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}]

:Services
cdiskdun

:commands
[emptytemp]
[EMPTYFLASH]
[start explorer]
[Reboot]

-klikněte na červené tlačítko Moveit!
-sem vložte obsah zeleného okénka
-Pokud se bude chtít restartovat pc, dejte YES,log pak najdete C:\_OTM\MovedFiles. Log vložte sem


Stahněte MBAM z mého podpisu
-Nainstalujte,dejte úplný sken

NIC NEMAZAT
-MBAM má občas falešné detekce,proto budeme mazat až po kontrole logu.
-Log zkopírujte sem.

[glasswort]

Omlouvam se, asi jsem uplne mimo, ale OTM? bohuzel nevim, co myslite a na plose to nevidim.

[motji]

Omlouvám se, popletla jsem si to s jiným logem .
Link ke stažení
:arrow:Stáhněte OTM http://oldtimer.geekstogo.com/OTM.exe na plochu a pak pokračujte jak bylo napsáno

[glasswort]

zelene okenko vypsalo tohle :
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
C:\WINDOWS\system32\SET2A.tmp moved successfully.
C:\WINDOWS\system32\SET64.tmp moved successfully.
C:\WINDOWS\system32\SET69.tmp moved successfully.
C:\WINDOWS\system32\SET70.tmp moved successfully.
C:\WINDOWS\002587_.tmp moved successfully.
C:\WINDOWS\65F1CF6331E0450B96F34A88BE7361A6.TMP folder moved successfully.
C:\WINDOWS\85EBB28365AF4C539EBE7C0A232762F7.TMP folder moved successfully.
C:\WINDOWS\NV30843228.TMP folder moved successfully.
C:\WINDOWS\SET116.tmp moved successfully.
C:\WINDOWS\SET119.tmp moved successfully.
C:\WINDOWS\SET125.tmp moved successfully.
C:\WINDOWS\SET150.tmp moved successfully.
C:\WINDOWS\SET21.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP180.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP262.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP281.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP294.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F6.tmp folder moved successfully.
C:\WINDOWS\Internet Logs\xDB1.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB5.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB6.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB7.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB8.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\wlt15.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\wlt4D.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\tmp68.tmp moved successfully.
C:\WINDOWS\system32\tmp69.tmp moved successfully.
C:\WINDOWS\system32\tmp87.tmp moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp folder moved successfully.
File move failed. C:\WINDOWS\Temp\ZLT0077b.TMP scheduled to be moved on reboot.
c:\windows\system32\WinDir\Svchost.exe moved successfully.
File/Folder c:\docume~1\Ondra\LOCALS~1\Temp\cdiskdun.sys not found.
c:\windows\system32\WinSys2.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}\ not found.
========== SERVICES/DRIVERS ==========
Service cdiskdun stopped successfully!
Service cdiskdun deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 1047916 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: mama
->Temp folder emptied: 1807271 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 60039155 bytes
->Flash cache emptied: 29218 bytes

User: NetworkService
->Temp folder emptied: 982200 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Ondra
->Temp folder emptied: 2368985 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 57335835 bytes
->Flash cache emptied: 744 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1133984 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 7648547 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 126,00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09272010_091621

[glasswort]

A tady mi po restartu PC vyhodil OTM log :
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
C:\WINDOWS\system32\SET2A.tmp moved successfully.
C:\WINDOWS\system32\SET64.tmp moved successfully.
C:\WINDOWS\system32\SET69.tmp moved successfully.
C:\WINDOWS\system32\SET70.tmp moved successfully.
C:\WINDOWS\002587_.tmp moved successfully.
C:\WINDOWS\65F1CF6331E0450B96F34A88BE7361A6.TMP folder moved successfully.
C:\WINDOWS\85EBB28365AF4C539EBE7C0A232762F7.TMP folder moved successfully.
C:\WINDOWS\NV30843228.TMP folder moved successfully.
C:\WINDOWS\SET116.tmp moved successfully.
C:\WINDOWS\SET119.tmp moved successfully.
C:\WINDOWS\SET125.tmp moved successfully.
C:\WINDOWS\SET150.tmp moved successfully.
C:\WINDOWS\SET21.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP180.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP262.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP281.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP294.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F6.tmp folder moved successfully.
C:\WINDOWS\Internet Logs\xDB1.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB2.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB3.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB4.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB5.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB6.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB7.tmp moved successfully.
C:\WINDOWS\Internet Logs\xDB8.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\wlt15.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\AuthCabs\7971f918-a847-4430-9279-4a52d1efe18d\wlt4D.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\tmp68.tmp moved successfully.
C:\WINDOWS\system32\tmp69.tmp moved successfully.
C:\WINDOWS\system32\tmp87.tmp moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DX108.tmp folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DX18.tmp folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\system folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\sysbckup folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\inf folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\help folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\drivers folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp\directx folder moved successfully.
C:\WINDOWS\system32\DirectX\DXD.tmp folder moved successfully.
File move failed. C:\WINDOWS\Temp\ZLT0077b.TMP scheduled to be moved on reboot.
c:\windows\system32\WinDir\Svchost.exe moved successfully.
File/Folder c:\docume~1\Ondra\LOCALS~1\Temp\cdiskdun.sys not found.
c:\windows\system32\WinSys2.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA8F733N-QQ7V-NY6O-O2X1-2YQ0J477LK13}\ not found.
========== SERVICES/DRIVERS ==========
Service cdiskdun stopped successfully!
Service cdiskdun deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 1047916 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: mama
->Temp folder emptied: 1807271 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 60039155 bytes
->Flash cache emptied: 29218 bytes

User: NetworkService
->Temp folder emptied: 982200 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Ondra
->Temp folder emptied: 2368985 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 57335835 bytes
->Flash cache emptied: 744 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1133984 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 7648547 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 126,00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09272010_091621

Files moved on Reboot...
C:\WINDOWS\Temp\ZLT0077b.TMP moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Temp\~DF6F6E.tmp moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Ondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\4y6tdmcj.default\XUL.mfl moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Nevim jestli to co jsem kopiroval neni stejne, nekontroloval jsem to a nerozumim tomu, tak sem davam radsi vsechno. a tedka jdu tedy spustit ten druhy program.

[glasswort]

jeste se zeptam, po spusteni Mbam mi awast ohlasil ze v tom je vir?