Please check my log (solved)

Post by zemi » 25 Jul 2006 18:09

About 2 months ago my son managed to pick up a trojan on the PC. We hopefully managed to clean it up, but since then, after switching the PC on and Win XP starting up, the folder C:\WINDOWS\system32 opens automatically.

Please check the log. If something is wrong, please give a layman's description - I'm a beginner - a woman. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 18:02:11, on 25.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\GEARSec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
D:\PROGRAMY\Máma_programy\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CRBroadCasting] C:\Program Files\CardReader2.0\CRBroadCasting.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZipTorrent] C:\Program Files\ZipTorrent\ZipTorrent.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Mobile Communication Centre] C:\Program Files\T-Mobile Communication Centre\Centre.exe
O4 - HKCU\..\Run: [JAJC] "C:\Program Files\JAJC\jajc.exe" --no-drive-scan
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
O4 - HKCU\..\Run: [VoipDiscount] "C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7147A348-A9E1-437D-9127-8FBC71CF64CC}: NameServer = 10.109.222.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OTi Card Reader Service - Unknown owner - C:\Program Files\CardReader2.0\OTiReader.exe

Post by mijaja » 25 Jul 2006 19:38

The best thing would be to check these files marked in bold on Jottiscan (the guide on how to do it and the link to the service are in my signature):

C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
post the results so we can be sure

Run HijackThis again and tick the boxes in front of these lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
after ticking them click FixChecked

Clean the computer with CCleaner (guide and link again in my signature) and restart.
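
An added example, not code from this thread or from HijackThis: a small Python parser for the O4 autorun lines that the fix list above is built from, plus a check that flags Run values whose executable is no longer on disk, the situation zemi later reports for the SMS Posilac entry. The sample lines are copied from the first log in the thread; the set of existing files is constructed here and stands in for a directory listing of the machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Shape of a HijackThis O4 registry line:
#   O4 - HKLM\..\Run: [ValueName] <command line>
# The "O4 - Startup:" / "O4 - Global Startup:" variants are shortcut files,
# not registry values, and are deliberately not matched here.
O4_LINE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\'
    r'(?P<key>Run|RunOnce|RunServices|RunServicesOnce): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)


@dataclass(frozen=True)
class AutorunEntry:
    hive: str    # HKLM (every user) or HKCU (the logged-on user)
    key: str     # Run, RunOnce, ...
    name: str    # registry value name, shown in brackets by HijackThis
    target: str  # executable the value launches
    args: str    # remaining command-line arguments


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments.

    A quoted target ends at the closing quote.  An unquoted target may still
    contain spaces (paths under Program Files are common in these logs), so
    the first token that ends in .exe is taken as the target.  A bare name
    such as SOUNDMAN.EXE is returned unchanged.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                       # unterminated quote: keep it whole
            return cmd.strip('"'), ''
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(?i)(.+?\.exe)(?:\s+(.*))?$', cmd)
    if m:
        return m.group(1), (m.group(2) or '').strip()
    first, _, rest = cmd.partition(' ')     # fallback: split at the first space
    return first, rest.strip()


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one log line; returns None for anything that is not an O4 registry entry."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    target, args = split_command(m.group('cmd'))
    return AutorunEntry(m.group('hive'), m.group('key'), m.group('name'), target, args)


def parse_log(text: str) -> List[AutorunEntry]:
    return [e for e in (parse_o4(line) for line in text.splitlines()) if e]


def find_orphans(entries: List[AutorunEntry], known_files: Set[str]) -> List[AutorunEntry]:
    """Return entries whose target path is not present in known_files.

    known_files holds lower-cased full paths.  Bare names without a backslash
    are resolved through the Windows search path at run time, so they cannot
    be checked against a path list and are skipped.
    """
    return [e for e in entries
            if '\\' in e.target and e.target.lower() not in known_files]


# Constructed sample: O4 lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Constructed stand-in for a directory listing of the machine (assumption:
# every launched file exists except the SMS Posilac one, as reported in the thread).
KNOWN_FILES = {p.lower() for p in (
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\WINDOWS\system32\NeroCheck.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\Skype\Phone\Skype.exe",
    r"C:\Program Files\ICQLite\ICQLite.exe",
)}


if __name__ == "__main__":
    for e in find_orphans(parse_log(SAMPLE_LOG), KNOWN_FILES):
        print(f"orphaned autorun: {e.hive}\\..\\{e.key} [{e.name}] -> {e.target} {e.args}")
```

On a live system the constructed KNOWN_FILES set would be replaced by an os.path.exists check per target; an orphaned value is harmless by itself but is a leftover worth removing, as zemi did.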

Log after all the recommended fixes

Post by zemi » 25 Jul 2006 21:26

C:\Program Files\T-Mobile Communication Centre\Centre.exe OK
C:\Program Files\JAJC\jajc.exe OK
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe OK
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m - the exe was not in the folder, so I removed the folder and the registry entry too

I did FixChecked on:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab

I cleaned the computer with CCleaner

Here is the result:

Logfile of HijackThis v1.99.1
Scan saved at 21:19:28, on 25.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\GEARSec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\PROGRAMY\Máma_programy\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CRBroadCasting] C:\Program Files\CardReader2.0\CRBroadCasting.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Mobile Communication Centre] C:\Program Files\T-Mobile Communication Centre\Centre.exe
O4 - HKCU\..\Run: [JAJC] "C:\Program Files\JAJC\jajc.exe" --no-drive-scan
O4 - HKCU\..\Run: [VoipDiscount] "C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7147A348-A9E1-437D-9127-8FBC71CF64CC}: NameServer = 10.109.222.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OTi Card Reader Service - Unknown owner - C:\Program Files\CardReader2.0\OTiReader.exe

And after the restart the folder C:\WINDOWS\system32 still keeps opening in Explorer

Post by sakiri » 25 Jul 2006 21:59

hm, I'm probably about to say something silly, but try this
Start>Settings>Control Panel>Folder Options
don't change anything there, but if you come across something that might be connected with it starting up, better ask first, but don't change anything so it doesn't get any worse.

Log from mwav

Post by zemi » 25 Jul 2006 22:14

I'm also adding the log from mwav; it seems there is something we didn't manage to clean up after all:

Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ld101.tmp infected by "Trojan-Downloader.Win32.Zlob.rn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\simpole.tlb infected by "Trojan-Downloader.Win32.Zlob.pm" Virus! Action Taken: No Action Taken.


Tue Jul 25 21:57:48 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Tue Jul 25 21:57:48 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.

Tue Jul 25 21:57:48 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Tue Jul 25 21:57:48 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\ot.ico
Tue Jul 25 21:57:49 2006 => System found infected with smitfraud Browser Hijacker (ot.ico)! Action taken: No Action Taken.

Tue Jul 25 21:57:54 2006 => Offending file found: C:\Documents and Settings\Martin Zeman\Oblíbené položky\antivirus test online.url
Tue Jul 25 21:57:54 2006 => System found infected with smitfraud Browser Hijacker (antivirus test online.url)! Action taken: No Action Taken.

Tue Jul 25 21:58:00 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Tue Jul 25 21:58:00 2006 => System found infected with smitfraud Browser Hijacker (security troubleshooting.url)! Action taken: No Action Taken.

Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\dcomcfg.exe
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (dcomcfg.exe)! Action taken: No Action Taken.

Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\simpole.tlb
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (simpole.tlb)! Action taken: No Action Taken.

Sakiri, in the folder settings I don't know what I should change - we haven't changed them.

Please

Post by zemi » 25 Jul 2006 22:16

Please advise what to do with it next... :?

Post by seitec » 25 Jul 2006 22:53

it seems you still have the trojan there, try this tool, it is for removing trojan horses:
http://www.instaluj.cz/cz/katalog/antiv ... n-remover/
:)

Mwav after cleaning with SpywareDoctor

Post by zemi » 26 Jul 2006 10:16

Trojan Remover didn't help much, but I installed SpywareDoctor. I managed to remove something.

Result of the mwav log:

Wed Jul 26 06:25:15 2006 => ***** Scanning complete. *****

Wed Jul 26 06:25:15 2006 => Total Objects Scanned: 27362
Wed Jul 26 06:25:15 2006 => Total Critical Objects: 2
Wed Jul 26 06:25:15 2006 => Total Disinfected Objects: 0
Wed Jul 26 06:25:15 2006 => Total Objects Renamed: 0
Wed Jul 26 06:25:15 2006 => Total Deleted Objects: 0
Wed Jul 26 06:25:15 2006 => Total Errors: 46
Wed Jul 26 06:25:15 2006 => Time Elapsed: 00:19:00
Wed Jul 26 06:25:15 2006 => Virus Database Date: 7/24/2006
Wed Jul 26 06:25:15 2006 => Virus Database Count: 209452


Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

Wed Jul 26 06:22:21 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Wed Jul 26 06:22:21 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.

Wed Jul 26 06:22:21 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Wed Jul 26 06:22:21 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.

WHAT SHOULD I DO NEXT? IS IT OK NOW???

Post by sakiri » 26 Jul 2006 14:47

in Folder Options enable showing hidden and system files and delete:
C:\WINDOWS\gpinstall.exe
find that file marked in red on the disk and delete it

Post by zemi » 26 Jul 2006 16:50

Deleting it isn't a problem, I'll delete it, but why? What is gpinstall.exe for? How is it harmful?

Post by sakiri » 26 Jul 2006 17:22

well, it's adware, according to what MWAV said and what I found on the net

Post by zemi » 26 Jul 2006 18:12

OK, I've already deleted it, in the registry too - there were references to it there. Should I still create a log in mwav or HijackThis for checking?

