Cca před 2 měsíci se podařilo synovi zatáhnout si na PC trojana. Snad zdárně se nám to podařilo vyčitstit, ale od té doby po zapnutí PC a nastartování Win XP se automaticky otvírá adresář C:\WINDOWS\system32.
Prosím o kontrolu logu. V případě, že bude něco v nepořádku, prosím o laický popis - jsem začátečník - žena. Díky
Logfile of HijackThis v1.99.1
Scan saved at 18:02:11, on 25.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\GEARSec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
D:\PROGRAMY\Máma_programy\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CRBroadCasting] C:\Program Files\CardReader2.0\CRBroadCasting.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZipTorrent] C:\Program Files\ZipTorrent\ZipTorrent.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Mobile Communication Centre] C:\Program Files\T-Mobile Communication Centre\Centre.exe
O4 - HKCU\..\Run: [JAJC] "C:\Program Files\JAJC\jajc.exe" --no-drive-scan
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
O4 - HKCU\..\Run: [VoipDiscount] "C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7147A348-A9E1-437D-9127-8FBC71CF64CC}: NameServer = 10.109.222.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OTi Card Reader Service - Unknown owner - C:\Program Files\CardReader2.0\OTiReader.exe
Prosím o kontrolu logu (vyřešeno)
- mijaja
- Tvůrce článků
-
Level 6.5
- Příspěvky: 4136
- Registrován: září 05
- Bydliště: Zlín
- Pohlaví:
- Stav:
Offline
- Kontakt:
Nejlepší bude když tyto silně vyznačené soubory vyzkoušíš na Jottiscanu (návod jak na to a link na službu mám v podpisu):
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
výsledky napiš aby byla jistota
Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
po zaškrtnutí klikni na FixChecked
Vyčisti komp CCleanerem (návod a link opět v podpisu) a restartuj.
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m
výsledky napiš aby byla jistota
Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
po zaškrtnutí klikni na FixChecked
Vyčisti komp CCleanerem (návod a link opět v podpisu) a restartuj.
Log po všech doporučených opravách
C:\Program Files\T-Mobile Communication Centre\Centre.exe OK
C:\Program Files\JAJC\jajc.exe OK
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe OK
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m v adresáři exe nebyl, odstanila jsem adresář i odkaz v registru
Provedla jsem FixChecked
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
Vyčistila komp CCleanerem
Zde je výsledek:
Logfile of HijackThis v1.99.1
Scan saved at 21:19:28, on 25.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\GEARSec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\PROGRAMY\Máma_programy\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seznam.cz/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate
Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CRBroadCasting] C:\Program
Files\CardReader2.0\CRBroadCasting.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Mobile Communication Centre] C:\Program Files\T-Mobile
Communication Centre\Centre.exe
O4 - HKCU\..\Run: [JAJC] "C:\Program Files\JAJC\jajc.exe" --no-drive-scan
O4 - HKCU\..\Run: [VoipDiscount] "C:\program
files\voipdiscount.com\voipdiscount\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
/minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe
-trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9}
- C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{7147A348-A9E1-437D-9127-8FBC71CF64CC}:
NameServer = 10.109.222.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common
Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program
Files\Eset\nod32krn.exe
O23 - Service: OTi Card Reader Service - Unknown owner - C:\Program
Files\CardReader2.0\OTiReader.exe
A po restartu stále se stále otevírá v průzkumníkovi adresář C:\WINDOWS\system32
C:\Program Files\JAJC\jajc.exe OK
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe OK
O4 - HKCU\..\Run: [SMS Posilac] C:\Program Files\SMS Posílač\smsposilac.exe -m v adresáři exe nebyl, odstanila jsem adresář i odkaz v registru
Provedla jsem FixChecked
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp04.photoprintit.de/microsite/ ... loader.cab
Vyčistila komp CCleanerem
Zde je výsledek:
Logfile of HijackThis v1.99.1
Scan saved at 21:19:28, on 25.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\GEARSec.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CardReader2.0\CRBroadCasting.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\T-Mobile Communication Centre\Centre.exe
C:\Program Files\JAJC\jajc.exe
C:\program files\voipdiscount.com\voipdiscount\voipdiscount.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\PROGRAMY\Máma_programy\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.seznam.cz/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate
Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CRBroadCasting] C:\Program
Files\CardReader2.0\CRBroadCasting.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Mobile Communication Centre] C:\Program Files\T-Mobile
Communication Centre\Centre.exe
O4 - HKCU\..\Run: [JAJC] "C:\Program Files\JAJC\jajc.exe" --no-drive-scan
O4 - HKCU\..\Run: [VoipDiscount] "C:\program
files\voipdiscount.com\voipdiscount\voipdiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash
/minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe
-trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9}
- C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{7147A348-A9E1-437D-9127-8FBC71CF64CC}:
NameServer = 10.109.222.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common
Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel
32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program
Files\Eset\nod32krn.exe
O23 - Service: OTi Card Reader Service - Unknown owner - C:\Program
Files\CardReader2.0\OTiReader.exe
A po restartu stále se stále otevírá v průzkumníkovi adresář C:\WINDOWS\system32
Log z mwav
Přidávám ještě log z mwav, zdá se, že něco se nám přece jen nepodařilo vyčistit:
Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.MouseCtrl" refers to invalid object "{78885E41-045D-4D2C-80A6-9AE055A6622D}". Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.VolumeCtrl" refers to invalid object "{6EAD3C6D-CC87-4F6A-9EB1-D069979FF081}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agent" refers to invalid object "{038E9840-12DD-40E8-82BE-DA826423886E}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.AgentDataStore" refers to invalid object "{0BB66938-FC89-4658-A365-7CD7F60E87E7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agents" refers to invalid object "{0CA55C77-CC60-408B-94C6-EC772FD104A9}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Common" refers to invalid object "{B50EB9E2-FC6D-4E25-9492-B5D77F373EE2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.DataStore" refers to invalid object "{3C4E3B8D-98C8-4701-92D6-64702D6A9EEF}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.EventObject" refers to invalid object "{2D0DE198-0296-4A84-AC3B-0DB11C7F62F2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Events" refers to invalid object "{8D2E6C05-A032-4B23-8287-C3ACF30703B0}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorer" refers to invalid object "{1FAE3754-F46B-45DA-B4CF-9EBF92E950EA}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorers" refers to invalid object "{B7800816-BCE4-4228-BD55-2E7A2B0B230A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.FriendlyFiles" refers to invalid object "{23AF82A5-E704-4EBC-BFE8-DF33EA467512}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculation" refers to invalid object "{1FE7C365-F6A9-4AD2-A075-D61F9AD59236}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculations" refers to invalid object "{FBA89159-6A08-4004-B269-D34588429A88}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Manager" refers to invalid object "{0254F2B0-7116-40FC-8551-A2ED8C0C5872}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Quarantine" refers to invalid object "{A7371B3E-46D1-48B0-890D-CC9E7E531EDD}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineContainer" refers to invalid object "{70A4E5E9-D350-4AF0-8298-98E8BB30ADB7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineItem" refers to invalid object "{20351880-1EF9-4879-A646-9FAF6D9FC87D}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ResourceStore" refers to invalid object "{2AFC1A12-65EC-433A-BF9B-7AD381F1EF10}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Schedule" refers to invalid object "{3A5AC3A7-CC29-47F8-A0FF-AB82F3D2D9F5}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ScheduleScans" refers to invalid object "{A9141FB9-7A4F-4047-94A2-0A0B1DEF5EBB}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Session" refers to invalid object "{9E0B8886-3014-4617-91AA-DF4B8D50E77C}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ThreatData" refers to invalid object "{F708D841-35FE-4AD6-A313-A7F5F1037A8A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.UpdateSchedule" refers to invalid object "{1CA68D9F-3A22-4EE6-8DD3-9F4BA554625A}". Action Taken: No Action Taken.
Entry "HKCR\IDMan.CIDMLinkTransmitter" refers to invalid object "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.AccessoriesMenu" refers to invalid object "{6399EFF0-639D-4CB5-91B5-7F8D48640D1B}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.MobileAgentApp" refers to invalid object "{FD31E34D-CB7A-4896-ACA1-6276F345E34F}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.cSkypeFriends" refers to invalid object "{165B3B5E-1933-4262-AE8E-4226C7B008D1}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.SkypeComm" refers to invalid object "{F4E29C2E-E363-4632-9D65-CBBB373B0036}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
File C:\WINDOWS\system32\ld101.tmp infected by "Trojan-Downloader.Win32.Zlob.rn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\simpole.tlb infected by "Trojan-Downloader.Win32.Zlob.pm" Virus! Action Taken: No Action Taken.
Tue Jul 25 21:57:48 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Tue Jul 25 21:57:48 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.
Tue Jul 25 21:57:48 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Tue Jul 25 21:57:48 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\ot.ico
Tue Jul 25 21:57:49 2006 => System found infected with smitfraud Browser Hijacker (ot.ico)! Action taken: No Action Taken.
Tue Jul 25 21:57:54 2006 => Offending file found: C:\Documents and Settings\Martin Zeman\Oblíbené položky\antivirus test online.url
Tue Jul 25 21:57:54 2006 => System found infected with smitfraud Browser Hijacker (antivirus test online.url)! Action taken: No Action Taken.
Tue Jul 25 21:58:00 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Tue Jul 25 21:58:00 2006 => System found infected with smitfraud Browser Hijacker (security troubleshooting.url)! Action taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\dcomcfg.exe
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (dcomcfg.exe)! Action taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\simpole.tlb
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (simpole.tlb)! Action taken: No Action Taken.
Sakiri, v tom nastavení složek nevím, co bych měla změnit - neměnili jsme ho.
Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.MouseCtrl" refers to invalid object "{78885E41-045D-4D2C-80A6-9AE055A6622D}". Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.VolumeCtrl" refers to invalid object "{6EAD3C6D-CC87-4F6A-9EB1-D069979FF081}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agent" refers to invalid object "{038E9840-12DD-40E8-82BE-DA826423886E}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.AgentDataStore" refers to invalid object "{0BB66938-FC89-4658-A365-7CD7F60E87E7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agents" refers to invalid object "{0CA55C77-CC60-408B-94C6-EC772FD104A9}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Common" refers to invalid object "{B50EB9E2-FC6D-4E25-9492-B5D77F373EE2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.DataStore" refers to invalid object "{3C4E3B8D-98C8-4701-92D6-64702D6A9EEF}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.EventObject" refers to invalid object "{2D0DE198-0296-4A84-AC3B-0DB11C7F62F2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Events" refers to invalid object "{8D2E6C05-A032-4B23-8287-C3ACF30703B0}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorer" refers to invalid object "{1FAE3754-F46B-45DA-B4CF-9EBF92E950EA}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorers" refers to invalid object "{B7800816-BCE4-4228-BD55-2E7A2B0B230A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.FriendlyFiles" refers to invalid object "{23AF82A5-E704-4EBC-BFE8-DF33EA467512}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculation" refers to invalid object "{1FE7C365-F6A9-4AD2-A075-D61F9AD59236}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculations" refers to invalid object "{FBA89159-6A08-4004-B269-D34588429A88}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Manager" refers to invalid object "{0254F2B0-7116-40FC-8551-A2ED8C0C5872}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Quarantine" refers to invalid object "{A7371B3E-46D1-48B0-890D-CC9E7E531EDD}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineContainer" refers to invalid object "{70A4E5E9-D350-4AF0-8298-98E8BB30ADB7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineItem" refers to invalid object "{20351880-1EF9-4879-A646-9FAF6D9FC87D}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ResourceStore" refers to invalid object "{2AFC1A12-65EC-433A-BF9B-7AD381F1EF10}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Schedule" refers to invalid object "{3A5AC3A7-CC29-47F8-A0FF-AB82F3D2D9F5}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ScheduleScans" refers to invalid object "{A9141FB9-7A4F-4047-94A2-0A0B1DEF5EBB}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Session" refers to invalid object "{9E0B8886-3014-4617-91AA-DF4B8D50E77C}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ThreatData" refers to invalid object "{F708D841-35FE-4AD6-A313-A7F5F1037A8A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.UpdateSchedule" refers to invalid object "{1CA68D9F-3A22-4EE6-8DD3-9F4BA554625A}". Action Taken: No Action Taken.
Entry "HKCR\IDMan.CIDMLinkTransmitter" refers to invalid object "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.AccessoriesMenu" refers to invalid object "{6399EFF0-639D-4CB5-91B5-7F8D48640D1B}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.MobileAgentApp" refers to invalid object "{FD31E34D-CB7A-4896-ACA1-6276F345E34F}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.cSkypeFriends" refers to invalid object "{165B3B5E-1933-4262-AE8E-4226C7B008D1}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.SkypeComm" refers to invalid object "{F4E29C2E-E363-4632-9D65-CBBB373B0036}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
File C:\WINDOWS\system32\ld101.tmp infected by "Trojan-Downloader.Win32.Zlob.rn" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\simpole.tlb infected by "Trojan-Downloader.Win32.Zlob.pm" Virus! Action Taken: No Action Taken.
Tue Jul 25 21:57:48 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Tue Jul 25 21:57:48 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.
Tue Jul 25 21:57:48 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Tue Jul 25 21:57:48 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\ot.ico
Tue Jul 25 21:57:49 2006 => System found infected with smitfraud Browser Hijacker (ot.ico)! Action taken: No Action Taken.
Tue Jul 25 21:57:54 2006 => Offending file found: C:\Documents and Settings\Martin Zeman\Oblíbené položky\antivirus test online.url
Tue Jul 25 21:57:54 2006 => System found infected with smitfraud Browser Hijacker (antivirus test online.url)! Action taken: No Action Taken.
Tue Jul 25 21:58:00 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Tue Jul 25 21:58:00 2006 => System found infected with smitfraud Browser Hijacker (security troubleshooting.url)! Action taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\dcomcfg.exe
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (dcomcfg.exe)! Action taken: No Action Taken.
Tue Jul 25 21:57:49 2006 => Offending file found: C:\WINDOWS\system32\simpole.tlb
Tue Jul 25 21:57:49 2006 => System found infected with zlob Trojan-Downloader (simpole.tlb)! Action taken: No Action Taken.
Sakiri, v tom nastavení složek nevím, co bych měla změnit - neměnili jsme ho.
zda se ze toho trojana tam porad mas zkus tenhle nastroj je to na odstraneni trojskejch koni:
http://www.instaluj.cz/cz/katalog/antiv ... n-remover/
http://www.instaluj.cz/cz/katalog/antiv ... n-remover/
:)
Mwav po čištění SpywareDoctor
Trojan-remover moc nepomohl, ale nainstalovala jsem SpywareDoctor. Podařilo se mi něco odstranit.
Výsledek logu z mwav:
Wed Jul 26 06:25:15 2006 => ***** Scanning complete. *****
Wed Jul 26 06:25:15 2006 => Total Objects Scanned: 27362
Wed Jul 26 06:25:15 2006 => Total Critical Objects: 2
Wed Jul 26 06:25:15 2006 => Total Disinfected Objects: 0
Wed Jul 26 06:25:15 2006 => Total Objects Renamed: 0
Wed Jul 26 06:25:15 2006 => Total Deleted Objects: 0
Wed Jul 26 06:25:15 2006 => Total Errors: 46
Wed Jul 26 06:25:15 2006 => Time Elapsed: 00:19:00
Wed Jul 26 06:25:15 2006 => Virus Database Date: 7/24/2006
Wed Jul 26 06:25:15 2006 => Virus Database Count: 209452
Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.MouseCtrl" refers to invalid object "{78885E41-045D-4D2C-80A6-9AE055A6622D}". Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.VolumeCtrl" refers to invalid object "{6EAD3C6D-CC87-4F6A-9EB1-D069979FF081}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agent" refers to invalid object "{038E9840-12DD-40E8-82BE-DA826423886E}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.AgentDataStore" refers to invalid object "{0BB66938-FC89-4658-A365-7CD7F60E87E7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agents" refers to invalid object "{0CA55C77-CC60-408B-94C6-EC772FD104A9}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Common" refers to invalid object "{B50EB9E2-FC6D-4E25-9492-B5D77F373EE2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.DataStore" refers to invalid object "{3C4E3B8D-98C8-4701-92D6-64702D6A9EEF}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.EventObject" refers to invalid object "{2D0DE198-0296-4A84-AC3B-0DB11C7F62F2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Events" refers to invalid object "{8D2E6C05-A032-4B23-8287-C3ACF30703B0}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorer" refers to invalid object "{1FAE3754-F46B-45DA-B4CF-9EBF92E950EA}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorers" refers to invalid object "{B7800816-BCE4-4228-BD55-2E7A2B0B230A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.FriendlyFiles" refers to invalid object "{23AF82A5-E704-4EBC-BFE8-DF33EA467512}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculation" refers to invalid object "{1FE7C365-F6A9-4AD2-A075-D61F9AD59236}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculations" refers to invalid object "{FBA89159-6A08-4004-B269-D34588429A88}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Manager" refers to invalid object "{0254F2B0-7116-40FC-8551-A2ED8C0C5872}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Quarantine" refers to invalid object "{A7371B3E-46D1-48B0-890D-CC9E7E531EDD}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineContainer" refers to invalid object "{70A4E5E9-D350-4AF0-8298-98E8BB30ADB7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineItem" refers to invalid object "{20351880-1EF9-4879-A646-9FAF6D9FC87D}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ResourceStore" refers to invalid object "{2AFC1A12-65EC-433A-BF9B-7AD381F1EF10}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Schedule" refers to invalid object "{3A5AC3A7-CC29-47F8-A0FF-AB82F3D2D9F5}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ScheduleScans" refers to invalid object "{A9141FB9-7A4F-4047-94A2-0A0B1DEF5EBB}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Session" refers to invalid object "{9E0B8886-3014-4617-91AA-DF4B8D50E77C}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ThreatData" refers to invalid object "{F708D841-35FE-4AD6-A313-A7F5F1037A8A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.UpdateSchedule" refers to invalid object "{1CA68D9F-3A22-4EE6-8DD3-9F4BA554625A}". Action Taken: No Action Taken.
Entry "HKCR\IDMan.CIDMLinkTransmitter" refers to invalid object "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.AccessoriesMenu" refers to invalid object "{6399EFF0-639D-4CB5-91B5-7F8D48640D1B}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.MobileAgentApp" refers to invalid object "{FD31E34D-CB7A-4896-ACA1-6276F345E34F}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.cSkypeFriends" refers to invalid object "{165B3B5E-1933-4262-AE8E-4226C7B008D1}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.SkypeComm" refers to invalid object "{F4E29C2E-E363-4632-9D65-CBBB373B0036}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Trojan Remover_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0CE2C834-9737-4330-8E46-6A257DBC7804}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{156BA4E7-F524-4C97-88CD-2E7D4B51779F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1807A881-57A4-4791-8F21-7485F785A1E1}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{72A8EF9E-B939-4098-A8DB-B6FE08075C20}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7884F09C-F871-4489-9CD2-24CF2954A095}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AA0FEBC9-3E9A-46DE-B264-CD59B180DDD4}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C6F1E87D-F3E1-4874-97EC-F87DAB6D6878}". Action Taken: No Action Taken.
Wed Jul 26 06:22:21 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Wed Jul 26 06:22:21 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.
Wed Jul 26 06:22:21 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Wed Jul 26 06:22:21 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
CO MÁM UDĚLAT DÁLE? JE TO UŽ V POŘÁDKU???
Výsledek logu z mwav:
Wed Jul 26 06:25:15 2006 => ***** Scanning complete. *****
Wed Jul 26 06:25:15 2006 => Total Objects Scanned: 27362
Wed Jul 26 06:25:15 2006 => Total Critical Objects: 2
Wed Jul 26 06:25:15 2006 => Total Disinfected Objects: 0
Wed Jul 26 06:25:15 2006 => Total Objects Renamed: 0
Wed Jul 26 06:25:15 2006 => Total Deleted Objects: 0
Wed Jul 26 06:25:15 2006 => Total Errors: 46
Wed Jul 26 06:25:15 2006 => Time Elapsed: 00:19:00
Wed Jul 26 06:25:15 2006 => Virus Database Date: 7/24/2006
Wed Jul 26 06:25:15 2006 => Virus Database Count: 209452
Object "conducent flexpak Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.MouseCtrl" refers to invalid object "{78885E41-045D-4D2C-80A6-9AE055A6622D}". Action Taken: No Action Taken.
Entry "HKCR\floAtMediaCtrl.VolumeCtrl" refers to invalid object "{6EAD3C6D-CC87-4F6A-9EB1-D069979FF081}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agent" refers to invalid object "{038E9840-12DD-40E8-82BE-DA826423886E}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.AgentDataStore" refers to invalid object "{0BB66938-FC89-4658-A365-7CD7F60E87E7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Agents" refers to invalid object "{0CA55C77-CC60-408B-94C6-EC772FD104A9}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Common" refers to invalid object "{B50EB9E2-FC6D-4E25-9492-B5D77F373EE2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.DataStore" refers to invalid object "{3C4E3B8D-98C8-4701-92D6-64702D6A9EEF}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.EventObject" refers to invalid object "{2D0DE198-0296-4A84-AC3B-0DB11C7F62F2}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Events" refers to invalid object "{8D2E6C05-A032-4B23-8287-C3ACF30703B0}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorer" refers to invalid object "{1FAE3754-F46B-45DA-B4CF-9EBF92E950EA}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Explorers" refers to invalid object "{B7800816-BCE4-4228-BD55-2E7A2B0B230A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.FriendlyFiles" refers to invalid object "{23AF82A5-E704-4EBC-BFE8-DF33EA467512}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculation" refers to invalid object "{1FE7C365-F6A9-4AD2-A075-D61F9AD59236}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Inoculations" refers to invalid object "{FBA89159-6A08-4004-B269-D34588429A88}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Manager" refers to invalid object "{0254F2B0-7116-40FC-8551-A2ED8C0C5872}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Quarantine" refers to invalid object "{A7371B3E-46D1-48B0-890D-CC9E7E531EDD}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineContainer" refers to invalid object "{70A4E5E9-D350-4AF0-8298-98E8BB30ADB7}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.QuarantineItem" refers to invalid object "{20351880-1EF9-4879-A646-9FAF6D9FC87D}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ResourceStore" refers to invalid object "{2AFC1A12-65EC-433A-BF9B-7AD381F1EF10}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Schedule" refers to invalid object "{3A5AC3A7-CC29-47F8-A0FF-AB82F3D2D9F5}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ScheduleScans" refers to invalid object "{A9141FB9-7A4F-4047-94A2-0A0B1DEF5EBB}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.Session" refers to invalid object "{9E0B8886-3014-4617-91AA-DF4B8D50E77C}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.ThreatData" refers to invalid object "{F708D841-35FE-4AD6-A313-A7F5F1037A8A}". Action Taken: No Action Taken.
Entry "HKCR\gcasDtServ.UpdateSchedule" refers to invalid object "{1CA68D9F-3A22-4EE6-8DD3-9F4BA554625A}". Action Taken: No Action Taken.
Entry "HKCR\IDMan.CIDMLinkTransmitter" refers to invalid object "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.AccessoriesMenu" refers to invalid object "{6399EFF0-639D-4CB5-91B5-7F8D48640D1B}". Action Taken: No Action Taken.
Entry "HKCR\MobileAgent.MobileAgentApp" refers to invalid object "{FD31E34D-CB7A-4896-ACA1-6276F345E34F}". Action Taken: No Action Taken.
Entry "HKCR\SharePoint.WebPartPage.Document.1.0" refers to invalid object "{388ED91D-7FD2-11D0-A60B-00A0C90A43FF}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.cSkypeFriends" refers to invalid object "{165B3B5E-1933-4262-AE8E-4226C7B008D1}". Action Taken: No Action Taken.
Entry "HKCR\Skype4OL.SkypeComm" refers to invalid object "{F4E29C2E-E363-4632-9D65-CBBB373B0036}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IPSUploader.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Trojan Remover_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0CE2C834-9737-4330-8E46-6A257DBC7804}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{156BA4E7-F524-4C97-88CD-2E7D4B51779F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1807A881-57A4-4791-8F21-7485F785A1E1}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{72A8EF9E-B939-4098-A8DB-B6FE08075C20}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7884F09C-F871-4489-9CD2-24CF2954A095}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AA0FEBC9-3E9A-46DE-B264-CD59B180DDD4}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C6F1E87D-F3E1-4874-97EC-F87DAB6D6878}". Action Taken: No Action Taken.
Wed Jul 26 06:22:21 2006 => Offending file found: C:\WINDOWS\gpinstall.exe
Wed Jul 26 06:22:21 2006 => System found infected with conducent flexpak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.
Wed Jul 26 06:22:21 2006 => Offending Folder found: C:\WINDOWS\system32\1024
Wed Jul 26 06:22:21 2006 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
CO MÁM UDĚLAT DÁLE? JE TO UŽ V POŘÁDKU???
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 6 hostů