Hello!
Like many others, I have a problem with the usual message. Here it is:
avast! - Varování
Byl nalezen trojský kůň
Jméno souboru: http://85.255.115.187/users/fill/web/images/rzspy.exe
Jméno vzorku: Win32:Trojan-gen. {Other}
Typ malware: Virus/červ
Verze VPS: 0627-3, 07.07.2006
avast! - Varování
Byl nalezen trojský kůň
Jméno souboru: http://85.255.115.187/users/fill/web/im ... wnload.exe
Jméno vzorku: Win32:Small-TG [Trj]
Typ malware: Trojský kůň
Verze VPS: 0627-3, 07.07.2006
Please help me solve this problem. Thanks in advance.
Here is the HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 16:23:26, on 9.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trojan\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com/mysearch/?ptnrS=BW
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [fuobx.exe] C:\WINDOWS\system32\fuobx.exe
O4 - HKLM\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\Trojan\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\Trojan\ZeroSpyware\
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DC7AD4C-0D19-4295-ACE7-3F1DD588B61C}: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E14975F-569E-4EF1-A4C5-825D671F1DD4}: NameServer = 85.255.114.13,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Virus alert - please help
- mijaja
C:\Program Files\Trojan\ZeroSpyware - uninstall this - until recently it was on the list of malicious software.
Those virus addresses of yours are from somewhere in Ukraine. So I would set up blocking for them in Kerio right away!!
You could have these processes checked at Jottiscan:
C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
They may be harmless, but better check them. If they are infected in the slightest, write back and we will see what to do with them next.
And now let's begin:
Turn off System Restore (Windows key+Pause/Break - in the System Properties window, System Restore tab, tick the box Turn off System Restore on all drives).
Install an alternative browser instead of Internet Explorer.
Download and install CCleaner (guide and link in my signature).
Download SmitFraudFix and have it ready for use.
Restart into Safe Mode and disconnect from the internet - preferably unplug the cable from the network card as well, or at least do not start any browser. Better print this out, or save it to the desktop in Notepad.
Run SmitFraudFix - the application's blue screen appears; press option 2.
Let it scan the computer.
If you are asked whether you allow registry cleaning (Do you want to clean the registry ?), press the Y key (watch out for Y and Z being swapped on the keyboard).
If you are asked about removing infected files from the computer (Replace infected file ?), press Y again.
Once that is done, close SmitFraudFix, run HijackThis again and tick the boxes in front of these lines:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myway.com/mysearch/?ptnrS=BW
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fuobx.exe] C:\WINDOWS\system32\fuobx.exe
O4 - HKLM\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\Trojan\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\Trojan\ZeroSpyware\
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe - does not need to run right at startup
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe - does not need to run right at startup
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
after ticking them, click Fix Checked
Then find the files marked in red on the disk and delete them. In Folder Options, enable showing hidden and system files so you can find them more easily.
Here is a tough one made up of one address in Ukraine (85.255.114.13) and another in America (85.255.112.78).
If you are sure that this is NOT your internet provider, fix these too:
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DC7AD4C-0D19-4295-ACE7-3F1DD588B61C}: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E14975F-569E-4EF1-A4C5-825D671F1DD4}: NameServer = 85.255.114.13,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
------------------------------------------------------------------------------------------------------------------------------------
Stop these services in Windows Services:
Start menu >> Run - type services.msc into the box and press Enter.
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
select the relevant line, right-click, switch to Properties and in the Startup type drop-down set Manual or Disabled.
Run CCleaner and have it clean Windows, applications and the registry. Then look into the Temp and Temporary Internet Files folders in all Documents and Settings profiles and in Windows to check that they are empty, and empty the Recycle Bin.
Restart normally (connect to the net) and post a new log for checking.
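The two markers to keep an eye on in this thread are the O17 NameServer values and the randomly named executable registered under HKLM Run (the follow-up log shows that entry back under a new name, qjdca.exe, with the O17 values unchanged). The Python helper below is an added example, not part of the thread or of HijackThis; it checks log lines for both patterns, and TRUSTED_RESOLVERS and SYSTEM32_BASELINE are assumptions to replace with the ISP's real resolvers and the machine's known autostarts.

```python
"""Triage of HijackThis log lines for the two markers seen in this thread:
O17 NameServer entries pointing at rogue DNS resolvers, and O4 Run entries
for randomly named executables dropped into system32. Sample lines are copied
from the thread's logs; the two constants below are constructed assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumption: resolvers the user's ISP or router legitimately hands out. Any
# public address you do not recognise here deserves a look before the O17
# entries are fixed, which is the check the reply above asks the user to make.
TRUSTED_RESOLVERS = {"192.168.1.1"}
# Assumption: system32 programs that Windows XP itself registers under Run.
SYSTEM32_BASELINE = {"ctfmon.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_nameservers(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (registry key, [resolver, ...]) for an O17 line, else None.
    HijackThis prints the list either space- or comma-separated, and both
    forms occur in the same log above, so split on either."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def rogue_resolvers(line: str) -> List[str]:
    """Resolvers on an O17 line that are not trusted; malformed tokens count too."""
    parsed = parse_nameservers(line)
    if parsed is None:
        return []
    flagged = []
    for server in parsed[1]:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if server not in TRUSTED_RESOLVERS:
            flagged.append(server)
    return flagged


def first_executable(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def suspicious_run_entry(line: str) -> Optional[str]:
    """Return the executable path when an O4 Run line follows the pattern of
    the thread's fuobx.exe / qjdca.exe entries: the value name is literally
    the file name, the file sits in system32, and it is not a known system
    autostart. Installers normally register a product name instead."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = first_executable(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()
    in_system32 = "\\system32\\" in exe.lower()
    if m.group("name").lower() == base and in_system32 and base not in SYSTEM32_BASELINE:
        return exe
    return None


def triage(lines: List[str]) -> Dict[str, object]:
    """Run both checks; DNS hits are keyed by registry key (interface GUID or
    ControlSet) so it is visible whether every one carries the same value."""
    rogue_dns: Dict[str, List[str]] = {}
    run_hits: List[str] = []
    for line in lines:
        parsed = parse_nameservers(line)
        if parsed is not None:
            bad = rogue_resolvers(line)
            if bad:
                rogue_dns[parsed[0]] = bad
        hit = suspicious_run_entry(line)
        if hit is not None:
            run_hits.append(hit)
    return {"rogue_dns": rogue_dns, "suspicious_run": run_hits}


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033',
    r"O4 - HKLM\..\Run: [fuobx.exe] C:\WINDOWS\system32\fuobx.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{6DC7AD4C-0D19-4295-ACE7-3F1DD588B61C}: NameServer = 85.255.114.13 85.255.112.78",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8E14975F-569E-4EF1-A4C5-825D671F1DD4}: NameServer = 85.255.114.13,85.255.112.78",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78",
]
```

Calling triage(SAMPLE_LOG) reports the two 85.255.x.x resolvers under all three registry keys and fuobx.exe as the only Run hit; the second log's qjdca.exe line trips the same check.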
RE: Virus alert
I tried to follow your guide, but the state is the same.
The only thing I did not do is set up the blocking in Kerio. I am not sure where to block it, and is that even possible in the free version? Doesn't it have to be the paid one?
The processes checked at Jottiscan are fine.
Here is the new log.
Logfile of HijackThis v1.99.1
Scan saved at 23:16:04, on 10.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trojan\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [qjdca.exe] C:\WINDOWS\system32\qjdca.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DC7AD4C-0D19-4295-ACE7-3F1DD588B61C}: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E14975F-569E-4EF1-A4C5-825D671F1DD4}: NameServer = 85.255.114.13,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.13 85.255.112.78
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
- mijaja
- Article author
- Level 6.5
- Posts: 4136
- Registered: September 05
- Location: Zlín
Well, as I noticed, the file that disappeared from the log is
C:\WINDOWS\system32\fuobx.exe
and in its place the file
C:\WINDOWS\system32\qjdca.exe
appeared. This will be some kind of polymorphic worm.
You have to scan the computer with MWAV following the guide I have in my signature.
Download BlackLight Beta and Rootkit Revealer and scan the computer for rootkits.
As for Kerio, if you have the unpaid version, that probably no longer works after 30 days - try it in its various tabs - Network Security, Web Pages....
RE: Virus alert
So I did everything according to the last advice, and still. Everything was negative. Nevertheless it keeps appearing. Here is the log from HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 0:58:25, on 12.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Trojan\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [risdq.exe] C:\WINDOWS\system32\risdq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
- mijaja
- Article author
- Level 6.5
- Posts: 4136
- Registered: September 05
- Location: Zlín
The worm is still there and this time its name is again
C:\WINDOWS\system32\risdq.exe
Something in the background keeps restoring it, each time under a different name. You have to produce that log from MWAV (I have the link to it and the guide in my signature)
It may also be kept there by a perfectly good application that is not visible in HijackThis but restores it again after it is fixed.
RE:
Here is the log from MWAV. I also added the latest one from HijackThis.
Virus Log Information from MWAV
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "win32.passma Virus" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "Wareout adware" found in File System! Action Taken: No Action Taken.
Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.smartsearch Browser Hijacker" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr.tcf tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
File C:\WINDOWS\system32\respm.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\nlfuq.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ccnzt.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Log from MWAV
Wed Jul 12 21:41:31 2006 => System found infected with mywebsearch Spyware/Adware ({63d0ed2b-b45b-4458-8b3b-60c69bbbd83c})! Action taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKCU\Software\fun web products !!!
Wed Jul 12 21:41:32 2006 => Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKCU\Software\funwebproducts !!!
Wed Jul 12 21:41:32 2006 => Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\software\microsoft\office\outlook\addins\mywebsearch.outlookaddin !!!
Wed Jul 12 21:41:32 2006 => Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\time zones !!!
Wed Jul 12 21:41:32 2006 => Object "win32.passma Virus" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\urls !!!
Wed Jul 12 21:41:32 2006 => Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Object "Wareout adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.112.78 (85.255.112.*) found!!!
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.114.13 (85.255.114.*) found!!!
Wed Jul 12 21:41:32 2006 => Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:34 2006 => Offending file found: C:\WINDOWS\Application Data\install.dat
Wed Jul 12 21:41:34 2006 => System found infected with zlob Trojan-Downloader (install.dat)! Action taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\data aplikací\software\radiate
Wed Jul 12 21:41:36 2006 => Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\Data aplikací\software\radiate
Wed Jul 12 21:41:36 2006 => Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\online security guide.url
Wed Jul 12 21:41:36 2006 => System found infected with smitfraud Browser Hijacker (online security guide.url)! Action taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Wed Jul 12 21:41:36 2006 => System found infected with smitfraud Browser Hijacker (security troubleshooting.url)! Action taken: No Action Taken.
Wed Jul 12 21:41:37 2006 => Offending file found: C:\WINDOWS\start.exe
Wed Jul 12 21:41:37 2006 => System found infected with cws.smartsearch Browser Hijacker (C:\WINDOWS\start.exe)! Action taken: No Action Taken.
Wed Jul 12 21:43:38 2006 => Scanning File C:\WINDOWS\system32\f3PSSavr.scr.tcf
Wed Jul 12 21:43:38 2006 => File C:\WINDOWS\system32\f3PSSavr.scr.tcf tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\respm.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\respm.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\nlfuq.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\nlfuq.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\ccnzt.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\ccnzt.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:44:04 2006 => ***** Scanning complete. *****
Wed Jul 12 21:44:04 2006 => Total Objects Scanned: 15991
Wed Jul 12 21:44:04 2006 => Total Critical Objects: 19
Wed Jul 12 21:44:04 2006 => Total Disinfected Objects: 0
Wed Jul 12 21:44:04 2006 => Total Objects Renamed: 0
Wed Jul 12 21:44:04 2006 => Total Deleted Objects: 0
Wed Jul 12 21:44:04 2006 => Total Errors: 9
Wed Jul 12 21:44:04 2006 => Time Elapsed: 00:03:12
Wed Jul 12 21:44:04 2006 => Virus Database Date: 7/8/2006
Wed Jul 12 21:44:04 2006 => Virus Database Count: 205795
Wed Jul 12 21:44:04 2006 => Scan Completed.
Log from HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 22:25:07, on 12.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp\mexe.com
C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trojan\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Virus Log Information from MWAV
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "win32.passma Virus" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "Wareout adware" found in File System! Action Taken: No Action Taken.
Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.smartsearch Browser Hijacker" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr.tcf tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
File C:\WINDOWS\system32\respm.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\nlfuq.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\ccnzt.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Log from MWAV
Wed Jul 12 21:41:31 2006 => System found infected with mywebsearch Spyware/Adware ({63d0ed2b-b45b-4458-8b3b-60c69bbbd83c})! Action taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKCU\Software\fun web products !!!
Wed Jul 12 21:41:32 2006 => Object "funweb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKCU\Software\funwebproducts !!!
Wed Jul 12 21:41:32 2006 => Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\software\microsoft\office\outlook\addins\mywebsearch.outlookaddin !!!
Wed Jul 12 21:41:32 2006 => Object "mywebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\time zones !!!
Wed Jul 12 21:41:32 2006 => Object "win32.passma Virus" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\urls !!!
Wed Jul 12 21:41:32 2006 => Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Offending Key found: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Object "Wareout adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.112.78 (85.255.112.*) found!!!
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.114.13 (85.255.114.*) found!!!
Wed Jul 12 21:41:32 2006 => Object "UnSpyPC adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:34 2006 => Offending file found: C:\WINDOWS\Application Data\install.dat
Wed Jul 12 21:41:34 2006 => System found infected with zlob Trojan-Downloader (install.dat)! Action taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\data aplikací\software\radiate
Wed Jul 12 21:41:36 2006 => Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\Data aplikací\software\radiate
Wed Jul 12 21:41:36 2006 => Object "aureate/radiate Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\online security guide.url
Wed Jul 12 21:41:36 2006 => System found infected with smitfraud Browser Hijacker (online security guide.url)! Action taken: No Action Taken.
Wed Jul 12 21:41:36 2006 => Offending file found: C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Wed Jul 12 21:41:36 2006 => System found infected with smitfraud Browser Hijacker (security troubleshooting.url)! Action taken: No Action Taken.
Wed Jul 12 21:41:37 2006 => Offending file found: C:\WINDOWS\start.exe
Wed Jul 12 21:41:37 2006 => System found infected with cws.smartsearch Browser Hijacker (C:\WINDOWS\start.exe)! Action taken: No Action Taken.
Wed Jul 12 21:43:38 2006 => Scanning File C:\WINDOWS\system32\f3PSSavr.scr.tcf
Wed Jul 12 21:43:38 2006 => File C:\WINDOWS\system32\f3PSSavr.scr.tcf tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\respm.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\respm.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\nlfuq.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\nlfuq.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:43:45 2006 => Scanning File C:\WINDOWS\system32\ccnzt.exe
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\ccnzt.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:44:04 2006 => ***** Scanning complete. *****
Wed Jul 12 21:44:04 2006 => Total Objects Scanned: 15991
Wed Jul 12 21:44:04 2006 => Total Critical Objects: 19
Wed Jul 12 21:44:04 2006 => Total Disinfected Objects: 0
Wed Jul 12 21:44:04 2006 => Total Objects Renamed: 0
Wed Jul 12 21:44:04 2006 => Total Deleted Objects: 0
Wed Jul 12 21:44:04 2006 => Total Errors: 9
Wed Jul 12 21:44:04 2006 => Time Elapsed: 00:03:12
Wed Jul 12 21:44:04 2006 => Virus Database Date: 7/8/2006
Wed Jul 12 21:44:04 2006 => Virus Database Count: 205795
Wed Jul 12 21:44:04 2006 => Scan Completed.
Log from HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 22:25:07, on 12.7.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp\mexe.com
C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trojan\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\Trojan\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Spuštění Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Rychlé hledání Microsoft.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\trojan\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
mijaja
Well, as soon as I saw that parade of viruses, I had to go and get myself inoculated with a mustard shot of sloe drops.
My opinion (which I am not forcing on you) is that you should drop programs like Array SSL VPN and SpySubtract and install tried and tested ones instead; there are plenty of them in the "Important..." link.
Install an alternative browser instead of Internet Explorer.
And now:
Turn off System Restore (Windows key+Pause/Break, and in the System Properties window, on the System Restore tab, tick the box "Turn off System Restore on all drives"). You may already have it turned off, because there is not a single record from SWI in the MWAV log.
Run HijackThis again and tick the boxes in front of these lines:
O1 - Hosts: localhost 127.0.0.1
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://array-sslvpn-proxy.oracle.com/p ... /arr_x.cab
After ticking them, click Fix Checked.
Stop these services in Windows Services:
Start menu>>Run, type services.msc in the box and press Enter.
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
Select the relevant line, right-click and choose Properties, and in the Startup type drop-down set Manual or Disabled.
--------------------------------------------------------------------------------------------------------------
These files must disappear from the disk. In Folder Options, enable showing hidden and system files so you can find them more easily:
C:\WINDOWS\start.exe
C:\WINDOWS\system32\f3PSSavr.scr.tcf
C:\WINDOWS\system32\nlfuq.exe
C:\WINDOWS\system32\respm.exe
C:\WINDOWS\system32\ccnzt.exe
C:\WINDOWS\Application Data\install.dat
C:\Documents and Settings\Unknown User\Local Settings\data aplikací\software\radiate
C:\Documents and Settings\All Users\Nabídka Start\online security guide.url
C:\Documents and Settings\All Users\Nabídka Start\security troubleshooting.url
Delete whatever you find. Whatever you cannot find, write here.
Then go to: Start menu>>Run, type regedit in the box and press Enter or OK. In the Registry Editor find these keys and delete them:
HKEY_CURRENT_USER\Software\fun web products
HKEY_LOCAL_MACHINE\software\microsoft\office\outlook\addins\mywebsearch.outlookaddin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ruins
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\time zones
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\urls
These files belong to that junk too, but MWAV did not flag them. Maybe you no longer have them, or they are hidden. Try looking for them, and if any of them are there, delete them:
technical details
When W32.HLLW.Veedna.C runs, it does the following:
1. Copies itself as the following files:
* C:\Tuxedo.mp3.scr
* C:\XMen 2.scr
* C:\Xmen 2.mp3.scr
* C:\ZephyrSong.mp3.scr
* C:\XFiles.mp3.scr
* C:\Matrix.avi.scr
* C:\Matrix.mpeg.scr
* C:\Matrix.scr
* C:\Matrix 2.mpeg.scr
* C:\Fire.mp3.scr
* C:\Reign of Fire.mp3.scr
* C:\XFiles.mpg.scr
* C:\The Tuxedo.mpeg.scr
* C:\Small Ville.scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Small Ville .scr
* C:\Tuxedo.mpg .scr
* C:\Small Ville .scr
* C:\Reignof Fire.mpeg.scr
* C:\Pentium5.doc.scr
* C:\Pentium5.rtf.scr
* C:\Howtomakeviruses.txt.scr
* C:\Playboy10.mpeg.scr
* C:\Setup.exe.scr
* A:\TheIncredible Hulk.scr
* D:\TheRock.scr
* C:\vandEEd0.scr
* C:\Windows\start.scr
* C:\Windows\start.exe
* C:\WinNT\start.scr
* C:\WinNT\start.exe
http://www.symantec.com/avcenter/venc/d ... dna.c.html
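The reply above turns the scanner output into a manual checklist: files to delete, registry keys to delete, services to stop and rogue DNS servers to replace. As an added example that is not part of this thread and not code from any of the tools mentioned, the following Python script does the same extraction automatically from MWAV and HijackThis output. It runs on constructed sample lines copied in form from the logs posted above (the paths, keys and DNS entries are the ones MWAV reported there); the function names (`parse_mwav`, `parse_hjt_services`, `build_checklist`, `dns_server_is_poisoned`), the expansion of abbreviated hive names, and the "review services with no recorded owner" heuristic are my assumptions, not anything MWAV or HijackThis provide.

```python
"""Turn MWAV and HijackThis scan output into a removal checklist (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the MWAV log posted in this thread; the
# paths, keys and DNS entries are the ones the scanner reported there.
MWAV_SAMPLE = r"""
Wed Jul 12 21:41:32 2006 => Offending Key found: HKCU\Software\fun web products !!!
Wed Jul 12 21:41:32 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Offending Key found: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ruins !!!
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.112.78 (85.255.112.*) found!!!
Wed Jul 12 21:41:32 2006 => Poisoned DNS Server Entry 85.255.114.13 (85.255.114.*) found!!!
Wed Jul 12 21:41:34 2006 => Offending file found: C:\WINDOWS\Application Data\install.dat
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\data aplikací\software\radiate
Wed Jul 12 21:41:36 2006 => Offending Folder found: C:\Documents and Settings\Unknown User\Local Settings\Data aplikací\software\radiate
Wed Jul 12 21:43:45 2006 => File C:\WINDOWS\system32\respm.exe infected by "Trojan.Win32.DNSChanger.ef" Virus! Action Taken: No Action Taken.
Wed Jul 12 21:43:38 2006 => File C:\WINDOWS\system32\f3PSSavr.scr.tcf tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Wed Jul 12 21:44:04 2006 => Total Critical Objects: 19
"""

# Constructed sample of HijackThis lines of the kinds the reply tells the user to act on.
HJT_SAMPLE = r"""
O1 - Hosts: localhost 127.0.0.1
O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

# One pattern per kind of MWAV finding; the timestamp prefix is stripped first.
MWAV_PATTERNS = {
    "registry_keys": re.compile(r"Offending Key found: (?P<item>.+?) !!!$"),
    "files": re.compile(r"Offending (?:file|Folder) found: (?P<item>.+)$"),
    "infected_files": re.compile(r'File (?P<item>.+?) (?:infected by|tagged as) "(?P<name>[^"]+)"'),
    "dns_servers": re.compile(r"Poisoned DNS Server Entry (?P<item>[\d.]+) \((?P<range>[\d.*]+)\)"),
}

# HijackThis O23 line: display name, optional (short name), owner, binary path.
HJT_O23 = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")

# Abbreviated hive names as written by MWAV, expanded to the form regedit shows.
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def parse_mwav(text):
    """Return a dict of indicator lists extracted from MWAV log text."""
    found = {key: [] for key in MWAV_PATTERNS}
    for line in text.splitlines():
        body = line.split(" => ", 1)[-1]  # drop "Wed Jul 12 21:41:32 2006 => "
        for key, pat in MWAV_PATTERNS.items():
            m = pat.search(body)
            if m:
                if key == "infected_files":
                    found[key].append((m["item"], m["name"]))
                elif key == "dns_servers":
                    found[key].append((m["item"], m["range"]))
                else:
                    found[key].append(m["item"])
                break
    return found


def parse_hjt_services(text):
    """Return (display name, short name, owner, binary path) for each O23 line."""
    return [(m["display"], m["name"], m["owner"], m["path"])
            for m in (HJT_O23.match(l.strip()) for l in text.splitlines()) if m]


def normalize_key(key):
    """Expand the hive so HKLM\\... and HKEY_LOCAL_MACHINE\\... compare equal."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def unique_ci(items):
    """Deduplicate case-insensitively (Windows paths and keys), keeping order."""
    seen, out = set(), []
    for item in items:
        if item.casefold() not in seen:
            seen.add(item.casefold())
            out.append(item)
    return out


def wildcard_to_network(pattern):
    """Convert MWAV's '85.255.112.*' notation to an ip_network (/24 for one wildcard octet)."""
    fixed = [o for o in pattern.split(".") if o != "*"]
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ip_network(f"{addr}/{8 * len(fixed)}")


def dns_server_is_poisoned(server, ranges):
    """True if a configured DNS server lies in one of the rogue ranges the log reported."""
    ip = ip_address(server)
    return any(ip in wildcard_to_network(r) for r in ranges)


def build_checklist(mwav_text, hjt_text):
    """Consolidate both logs into the lists a helper would walk through with the user."""
    found = parse_mwav(mwav_text)
    return {
        "files_to_remove": unique_ci(found["files"] + [p for p, _ in found["infected_files"]]),
        "registry_keys_to_remove": unique_ci(normalize_key(k) for k in found["registry_keys"]),
        "dns_servers_to_replace": [ip for ip, _ in found["dns_servers"]],
        # Heuristic (my assumption): services with no recorded owner deserve a look.
        "services_to_review": [name or display for display, name, owner, _
                               in parse_hjt_services(hjt_text) if owner == "Unknown owner"],
    }


if __name__ == "__main__":
    for section, items in build_checklist(MWAV_SAMPLE, HJT_SAMPLE).items():
        print(section, *items, sep="\n  ")
```

The two "ruins" entries in the log collapse into one key once the hive name is expanded, and the two spellings of the "radiate" folder collapse into one path; that is exactly the deduplication the reply did by hand. The DNS check reads the rogue range from the log line itself rather than hard-coding it, so it also works for other ranges MWAV may report. The output is a review list, not an automatic deletion.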
Hi, it's here again! I have a Virus Alert in the system tray! I use Adware, Kerio, PC on Point and also NOD32. In that NOD32 I had a beta version and now my licence has expired, so I can't update. So I uninstalled it and installed it again and put a crack on it. But I have the feeling that in the meantime something could have got in, and sure enough it did!!
Please advise me again. Should I generate a log, or how should I start? Thanks in advance for your reply.