Nefunkční firewall po odstranění souborů adirka.exe a spol.

[Janek22]

Omlouvám se za zpoždění - musel jsem se o víkendu věnovat mimo PC i rodině :-)

Log je tady:

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a 0.85 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 2.12
smss.exe 532 Správce relací systému Windows NT Microsoft Corporation
csrss.exe 572 1.06 Client Server Runtime Process Microsoft Corporation
winlogon.exe 600 Windows NT Logon Application Microsoft Corporation
services.exe 644 4.76 Services and Controller app Microsoft Corporation
svchost.exe 812 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 860 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 912 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1068 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1188 Spooler SubSystem App Microsoft Corporation
aswUpdSv.exe 1320
ashServ.exe 1332 avast! antivirus service
cmdagent.exe 1356 Comodo Agent Service COMODO
nvsvc32.exe 1400 NVIDIA Driver Helper Service, Version 81.94 NVIDIA Corporation
locator.exe 1436 Rpc Locator Microsoft Corporation
svchost.exe 1460 Generic Host Process for Win32 Services Microsoft Corporation
wmiapsrv.exe 1524 WMI Performance Adapter Service Microsoft Corporation
ashMaiSv.exe 476 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 704 avast! Web Scanner ALWIL Software
lsass.exe 656 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3520 0.53 Průzkumník Windows Microsoft Corporation
ashDisp.exe 3768 avast! service GUI component
fpdisp5a.exe 2728 FinePrint FinePrint Software, LLC
rundll32.exe 1200 Run a DLL as an App Microsoft Corporation
OpWareSE4.exe 3828 OCR Aware ScanSoft, Inc.
cpf.exe 3844 56.08 COMODO Firewall Pro COMODO
ctfmon.exe 3856 CTF Loader Microsoft Corporation
msmsgs.exe 1624 Windows Messenger Microsoft Corporation
procexp.exe 3980 28.04 Sysinternals Process Explorer Sysinternals
iexplore.exe 3284 4.23 Internet Explorer Microsoft Corporation

Process: services.exe Pid: 644

Type Name
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\SC_AutoStartComplete
Event \BaseNamedObjects\SvcctrlStartEvent_A3752DX
Event \BaseNamedObjects\ScNetDrvMsg
Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event \BaseNamedObjects\PnP_No_Pending_Install_Events
Event \BaseNamedObjects\A8dK894Lm9#sF2i$sOBq2X
File C:\WINDOWS\system32
File \Device\NamedPipe\net\NtControlPipe15
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\KsecDD
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\net\NtControlPipe1
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\net\NtControlPipe2
File C:\WINDOWS\system32\config\Antivirus.Evt
File C:\WINDOWS\system32\config\AppEvent.Evt
File C:\WINDOWS\system32\config\Internet.evt
File C:\WINDOWS\system32\config\SecEvent.Evt
File C:\WINDOWS\system32\config\SysEvent.Evt
File \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
File \Device\NamedPipe\net\NtControlPipe0
File \Device\NamedPipe\net\NtControlPipe3
File \Device\NamedPipe\net\NtControlPipe4
File \Device\NamedPipe\net\NtControlPipe5
File \Device\NamedPipe\net\NtControlPipe6
File \Device\NamedPipe\net\NtControlPipe8
File \Device\NamedPipe\net\NtControlPipe7
File \Device\NamedPipe\net\NtControlPipe9
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe10
File \Device\NamedPipe\net\NtControlPipe11
File \Device\NamedPipe\net\NtControlPipe13
File \Device\NamedPipe\net\NtControlPipe12
File \Device\WMIDataDevice
File \Device\WMIDataDevice
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\NamedPipe\net\NtControlPipe14
File \Device\Afd\Endpoint
File \Device\NamedPipe\ntsvcs
File \Device\Udp
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe16
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
Key HKLM
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKLM\SYSTEM\ControlSet001\Enum
Key HKLM\SYSTEM\ControlSet001\Services
Key HKLM\SYSTEM\ControlSet001\Control\Class
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order
Key HKLM\SYSTEM\ControlSet001\Control\ServiceGroupOrder
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
Key HKLM\SYSTEM\ControlSet001\Services\Eventlog
Key HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
Key HKU
Key HKU\S-1-5-20
Key HKU\.DEFAULT
Key HKU\S-1-5-20
Key HKU\S-1-5-19
Key HKU\S-1-5-20
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
Key HKLM\SOFTWARE\Microsoft\Windows\ITStorage\Finders
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\PnP_Init_Mutex
Port \RPC Control\ntsvcs
Port \ErrorLogPort
Process svchost.exe(812)
Process svchost.exe(860)
Process svchost.exe(912)
Process ashMaiSv.exe(476)
Process svchost.exe(976)
Process svchost.exe(1068)
Process spoolsv.exe(1188)
Process aswUpdSv.exe(1320)
Process ashServ.exe(1332)
Process cmdagent.exe(1356)
Process nvsvc32.exe(1400)
Process locator.exe(1436)
Process svchost.exe(1460)
Process services.exe(644)
Process wmiapsrv.exe(1524)
Process ashWebSv.exe(704)
Section \BaseNamedObjects\ShimSharedMemory
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread services.exe(644): 668
Thread services.exe(644): 672
Thread services.exe(644): 676
Thread services.exe(644): 2360
Thread services.exe(644): 784
Thread services.exe(644): 788
Thread services.exe(644): 792
Thread services.exe(644): 800
Thread services.exe(644): 776
Thread services.exe(644): 824
Thread services.exe(644): 848
Thread services.exe(644): 2684
Thread services.exe(644): 888
Thread services.exe(644): 1500
Thread services.exe(644): 3224
Thread services.exe(644): 1500
Thread services.exe(644): 3060
Thread services.exe(644): 1500
Thread services.exe(644): 2708
Thread services.exe(644): 2680
Thread services.exe(644): 2064
Thread services.exe(644): 2596
Thread services.exe(644): 560
Thread services.exe(644): 2360
Thread services.exe(644): 2656
Thread services.exe(644): 888
Thread services.exe(644): 2008
Thread services.exe(644): 3080
Thread services.exe(644): 2580
Thread services.exe(644): 2596
Thread services.exe(644): 984
Thread services.exe(644): 988
Thread services.exe(644): 2008
Thread services.exe(644): 3080
Thread services.exe(644): 2104
Thread services.exe(644): 3000
Thread services.exe(644): 2064
Thread services.exe(644): 3044
Thread services.exe(644): 2016
Thread services.exe(644): 3820
Thread services.exe(644): 2016
Thread services.exe(644): 2104
Thread services.exe(644): 560
Thread services.exe(644): 3000
Thread services.exe(644): 3224
Thread services.exe(644): 2708
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\LOCAL SERVICE
Token NT AUTHORITY\NETWORK SERVICE
Token HARRY\HarryP
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$

[Reklama]

[Damned]

Zkontroluj si ještě nastavení služeb: http://madla.webpark.cz/?X. Teoreticky to může dělat ten RPC locator

[Janek22]

Služby jsem prošel podle návodu a všechno raději nastavil na bezpečné nastavení. Ale services.exe stále odolává... Co s tím ještě můžu udělat?

[Damned]

Nebude to odchozí komunikace k poskytovateli internetu?

Servicec.exe nezastavíš,je to systémový proces

[Janek22]

Dneska jsem comodo nainstaloval i na druhý počítač a services.exe mlčí - takže tam mám asi bude něco, o čem nevím, že bych chtěl mít spuštěný...

[Damned]

Toreticky by to mohlo být ještě Vundo nebo Virtumonde.

Udělej nový log HJT a ještě log z toho Process Exploreru z knihovnama,který spouští services.

Zmáčkni v Process Exploreru tlačítko "Wiev Handles (CTRL+D)" (uvidíš v okýnku knihovny dll,první je mám tušení AcGenral.dll) a označ proces services.exe. Pak tlačítkem Save udělej log services.exe.txt a dej ho sem.

[fredik]

Menší vsuvka:

Pokud chceš vyloučit případnou infiltraci V/V tak je potřeba přejmenovat soubor HijackThis.exe třeba na analy.exe protože se dokáže před ním skrýt.

Který z těch postupů jsi zvolil při odstraňování jak jsi psal v úvodním tématu?

[Damned]

To fredík :

V logu vidět nejní,běžnou .dll Virta nebo Vunda odhalí HJT. Ale services.exe by sám neměl odesílat nic,a podle logu z PE nemá mu co odesílat data.
Proto jsem se spíše ptal.

[Janek22]

Takže logy jsou tady - teda i s úpravou ht na analy.exe... ani se mi nechce věřit, co je potřeba... S těma postupama už nemůžu sloužit - mám pocit, že jsem vyzkoušel všechno... promiň.





Logfile of HijackThis v1.99.1
Scan saved at 19:32:41, on 18.4.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Comodo\Firewall\cpf.exe
C:\WINDOWS\system32\svchost.exe
D:\____Programy k instalaci na nový systém a nastavení\HijackThis 1.99.1\hijackthis\analy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hledani.tiscali.cz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.viry.cz/go.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Data aplikací\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Spustit aplikaci Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint - Náhled - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Přidat na seznam k tisku - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint - Tisk - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Vysokorychlostní tisk - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Stáhnout položku pomocí FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Stáhnout všechny položky pomocí FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - http://adis.mfcr.cz/adis/jepo/epo/bin/capicom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99A7111B-7331-4E89-8606-A44CA33C6B9F}: NameServer = 82.202.114.2,195.146.99.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Process PID CPU Description Company Name
System Idle Process 0 61.95
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 528 Správce relací systému Windows NT Microsoft Corporation
csrss.exe 568 1.77 Client Server Runtime Process Microsoft Corporation
winlogon.exe 592 0.88 Windows NT Logon Application Microsoft Corporation
services.exe 636 7.08 Services and Controller app Microsoft Corporation
svchost.exe 808 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 856 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 920 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 960 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1128 Spooler SubSystem App Microsoft Corporation
aswUpdSv.exe 1244
ashServ.exe 1256 avast! antivirus service
cmdagent.exe 1284 Comodo Agent Service COMODO
nvsvc32.exe 1312 NVIDIA Driver Helper Service, Version 81.94 NVIDIA Corporation
ashMaiSv.exe 1632 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 1672 avast! Web Scanner ALWIL Software
svchost.exe 2924 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 648 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 700 0.88 Průzkumník Windows Microsoft Corporation
ashDisp.exe 1480 avast! service GUI component
fpdisp5a.exe 456 FinePrint FinePrint Software, LLC
rundll32.exe 652 Run a DLL as an App Microsoft Corporation
OpWareSE4.exe 1568 OCR Aware ScanSoft, Inc.
ctfmon.exe 1788 CTF Loader Microsoft Corporation
msmsgs.exe 248 Windows Messenger Microsoft Corporation
cpf.exe 3232 0.88 COMODO Firewall Pro COMODO
procexp.exe 1600 25.66 Sysinternals Process Explorer Sysinternals
iexplore.exe 3236 0.88 Internet Explorer Microsoft Corporation

Process: winlogon.exe Pid: 592

Type Name
<Unknown type> \BaseNamedObjects\userenv: refresh timer for 592:1204
<Unknown type> \BaseNamedObjects\userenv: refresh timer for 592:1080
Desktop \Winlogon
Desktop \Disconnect
Desktop \Default
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done
Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: User Group Policy Processing is done
Event \BaseNamedObjects\userenv: User Policy Foreground Done Event
Event \BaseNamedObjects\WinlogonTSSynchronizeEvent
Event \BaseNamedObjects\TS-WPAAE
Event \BaseNamedObjects\ReconEvent
Event \Security\NetworkProviderLoad
Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started
Event \BaseNamedObjects\WFP_IDLE_TRIGGER
Event \BaseNamedObjects\msgina: ReturnToWelcome
Event \BaseNamedObjects\msgina: ShutdownEvent
Event \BaseNamedObjects\ThemesStartEvent
Event \BaseNamedObjects\winlogon: machine GPO Event 57572
Event \BaseNamedObjects\DINPUTWINMM
Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0
Event \BaseNamedObjects\WkssvcToAgentStartEvent
Event \BaseNamedObjects\WkssvcToAgentStopEvent
Event \BaseNamedObjects\AgentToWkssvcEvent
Event \BaseNamedObjects\AgentExistsEvent
Event \BaseNamedObjects\SENS Started Event
Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done
Event \BaseNamedObjects\userenv: machine policy force refresh event
Event \BaseNamedObjects\userenv: machine policy refresh event
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\winlogon: User GPO Event 652648
Event \BaseNamedObjects\userenv: user policy refresh event
Event \BaseNamedObjects\userenv: user policy force refresh event
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: User Group Policy Processing is done
Event \BaseNamedObjects\mixercallback
Event \BaseNamedObjects\CscCacheInitCompleteEvent
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\000000000005a701_WlballoonKerberosNotificationEventName
Event \BaseNamedObjects\hardwaremixercallback
File \Device\NamedPipe\TerminalServer\AutoReconnect
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\KsecDD
File \Device\Tcp
File \Device\NamedPipe\winlogonrpc
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\NamedPipe\InitShutdown
File \Device\NamedPipe\InitShutdown
File C:\WINDOWS\system32\dllcache
File C:\WINDOWS\AppPatch
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
File C:\WINDOWS\system32
File C:\WINDOWS\Help
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
File C:\WINDOWS\system32\inetsrv
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
File C:\WINDOWS\Fonts
File C:\WINDOWS\system32\drivers
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
File C:\Program Files\microsoft frontpage\version3.0\bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1029
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
File C:\WINDOWS
File C:\Program Files\Common Files\Microsoft Shared\DAO
File C:\Program Files\Windows Media Player
File C:\Program Files\Common Files\System\msadc
File C:\Program Files\Common Files\System\ado
File C:\Program Files\Common Files\System\Ole DB
File C:\WINDOWS\inf
File C:\WINDOWS\system
File C:\WINDOWS\msagent
File C:\WINDOWS\msagent\intl
File C:\Program Files\MSN Gaming Zone\Windows
File C:\WINDOWS\pchealth\helpctr\binaries
File C:\Program Files\NetMeeting
File C:\WINDOWS\system32\drivers\disdn
File C:\WINDOWS\ime\CHTIME\Applets
File C:\WINDOWS\system32\wbem
File C:\WINDOWS\system32\IME\CINTLGNT
File C:\WINDOWS\system32\Com
File C:\WINDOWS\system32\Setup
File C:\WINDOWS\ime\imjp8_1
File C:\Program Files\Common Files\Microsoft Shared\Triedit
File C:\Program Files\Windows NT
File C:\Program Files\Common Files\System
File C:\WINDOWS\system32\1029
File C:\WINDOWS\system32\1033
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
File C:\WINDOWS\system32\usmt
File C:\WINDOWS\ime\imkr6_1\dicts
File C:\WINDOWS\system32\mui\0005
File C:\Program Files\Internet Explorer
File C:\WINDOWS\ime\imjp8_1\applets
File C:\WINDOWS\ime\imkr6_1\applets
File C:\WINDOWS\system32\xircom
File C:\Program Files\Internet Explorer\Connection Wizard
File C:\Program Files\Common Files\Microsoft Shared\MSInfo
File C:\WINDOWS\ime\imkr6_1
File C:\WINDOWS\ime\shared
File C:\WINDOWS\system32\IME\PINTLGNT
File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
File C:\WINDOWS\Resources\Themes\Luna
File C:\Program Files\Movie Maker
File C:\WINDOWS\ime
File C:\WINDOWS\srchasst
File C:\Program Files\Outlook Express
File C:\WINDOWS\system32\oobe
File C:\Program Files\Common Files\MSSoap\Binaries
File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1029
File C:\WINDOWS\system32\npp
File C:\WINDOWS\ime\shared\res
File C:\Program Files\Windows NT\Pinball
File C:\WINDOWS\ime\chsime\applets
File C:\WINDOWS\system32\Restore
File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
File C:\Program Files\Common Files\Microsoft Shared\Speech
File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
File C:\WINDOWS\system32\wbem\snmp
File C:\Program Files\Common Files\SpeechEngines\Microsoft
File C:\Program Files\Common Files\Microsoft Shared\Speech\1029
File C:\WINDOWS\PeerNet
File C:\WINDOWS\system32\spool\drivers\color
File C:\WINDOWS\system32\IME\TINTLGNT
File C:\WINDOWS\Help\Tours\mmTour
File C:\WINDOWS\pchealth\UploadLB\Binaries
File C:\Program Files\Common Files\Microsoft Shared\VGX
File C:\WINDOWS\system32\wbem\xml
File C:\Program Files\Windows NT\Accessories
File C:\Program Files\xerox\nwwia
File C:\WINDOWS\WinSxS
File \Device\NamedPipe\SfcApi
File \Device\NamedPipe\SfcApi
File \Device\Ip
File \Device\NamedPipe\winlogonrpc
File \Device\Tcp
File \Device\NamedPipe\winlogonrpc
File \Device\NamedPipe\ROUTER
File \Device\Ip
File \Device\NamedPipe\ROUTER
File \Device\Ip
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4}
File C:\WINDOWS\system32
Key HKLM
Key HKCR
Key HKU\.DEFAULT
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Key HKLM\SYSTEM\ControlSet001\Control\Lsa
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SYSTEM\Setup
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
Key HKU
Key HKCU
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Key HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\userenv: machine policy mutex
Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex
Mutant \BaseNamedObjects\userenv: user policy mutex
Mutant \BaseNamedObjects\userenv: User Registry policy mutex
Mutant \BaseNamedObjects\SingleSesMutex
Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\msgina: InteractiveLogonMutex
Mutant \BaseNamedObjects\msgina: InteractiveLogonRequestMutex
Mutant \BaseNamedObjects\WPA_PR_MUTEX
Mutant \BaseNamedObjects\WPA_RT_MUTEX
Mutant \BaseNamedObjects\WPA_LT_MUTEX
Mutant \BaseNamedObjects\WPA_HWID_MUTEX
Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX
Mutant \BaseNamedObjects\RasPbFile
Mutant \BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
Mutant \BaseNamedObjects\MidiMapper_Configure
Port \RPC Control\sclogonrpc
Port \RPC Control\IUserProfile
Port \RPC Control\OLE28A27679185742939C239B1F9B8D
Process services.exe(636)
Process lsass.exe(648)
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\WDMAUD_Callbacks
Section \BaseNamedObjects\mmGlobalPnpInfo
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Thread winlogon.exe(592): 596
Thread winlogon.exe(592): 1840
Thread winlogon.exe(592): 596
Thread winlogon.exe(592): 624
Thread winlogon.exe(592): 632
Thread winlogon.exe(592): 644
Thread winlogon.exe(592): 748
Thread winlogon.exe(592): 748
Thread winlogon.exe(592): 752
Thread winlogon.exe(592): 756
Thread winlogon.exe(592): 848
Thread winlogon.exe(592): 1064
Thread winlogon.exe(592): 988
Thread winlogon.exe(592): 1204
Thread winlogon.exe(592): 1200
Thread winlogon.exe(592): 1080
Thread winlogon.exe(592): 1928
Thread winlogon.exe(592): 1112
Thread winlogon.exe(592): 1396
Thread winlogon.exe(592): 1108
Thread winlogon.exe(592): 1396
Thread winlogon.exe(592): 552
Token HARRY\HarryP
Token HARRY\HarryP
Token NT AUTHORITY\SYSTEM
Token HARRY\HarryP
Token NT AUTHORITY\SYSTEM
Token HARRY\HarryP
Token HARRY\HarryP
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0

[Damned]

Potřebuji vidět ty knihovny se services.exe:



Z klíčů a názvů se toho moc nepozná, pokud tam je nějaký root nebo v/v nebude vidět takto,ale podle knihovny

[fredik]

V logu vidět nejní,běžnou .dll Virta nebo Vunda odhalí HJT.

Nemáš pravdu, protože Conhook, tedy Virtumonde, dokáže v logu z HijackThis skrýt vstupy O2 a O20. Proto se používá jeho přejmenování pro nalezení jestli tam není.
Myslím že už s tímto v betaverzi 2 není problém ale nemám to ověřené takže bych nechtěl kecat. Takže tu poslední větu neber jako ověřený fakt.

[Damned]

fredík-

Damned - citace:
V logu vidět nejní,běžnou .dll Virta nebo Vunda odhalí HJT.

Nemáš pravdu, protože Conhook, tedy Virtumonde, dokáže v logu z HijackThis skrýt vstupy O2 a O20. Proto se používá jeho přejmenování pro nalezení jestli tam není.
Myslím že už s tímto v betaverzi 2 není problém ale nemám to ověřené takže bych nechtěl kecat. Takže tu poslední větu neber jako ověřený fakt.

Myslel sem tento log,tedy tento případ. Tady ho nevidím. Já minulý týden zkoušel něco podobné a nechtělo se to pustit a v HJT 2.0 nebylo vidět:

AhnLab-V3 2007.4.18.0 04.17.2007 no virus found
AntiVir 7.3.1.53 04.17.2007 ADSPY/Virtumonde.IH.2
Authentium 4.93.8 04.16.2007 no virus found
Avast 4.7.981.0 04.17.2007 no virus found
AVG 7.5.0.447 04.17.2007 no virus found
BitDefender 7.2 04.17.2007 MemScan:Trojan.Vundo.DLM
CAT-QuickHeal 9.00 04.17.2007 Adware.Virtumonde.gen
ClamAV devel-20070312 04.17.2007 Trojan.Packed-7
DrWeb 4.33 04.17.2007 Trojan.Virtumod
eSafe 7.0.15.0 04.17.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3574 04.17.2007 Win32/Chisyne!generic
Ewido 4.0 04.17.2007 Adware.Virtumonde
FileAdvisor 1 04.17.2007 no virus found
Fortinet 2.85.0.0 04.17.2007 no virus found
F-Prot 4.3.2.48 04.17.2007 no virus found
F-Secure 6.70.13030.0 04.17.2007 Vundo.gen17
Ikarus T3.1.1.5 04.17.2007 not-a-virus:AdWare.Win32.Virtumonde.bq
Kaspersky 4.0.2.24 04.17.2007 not-a-virus:AdWare.Win32.Virtumonde.ih
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.17.2007 no virus found
NOD32v2 2198 04.17.2007 no virus found
Norman 5.80.02 04.17.2007 Vundo.gen17
Panda 9.0.0.4 04.17.2007 Suspicious file
Prevx1 V2 04.17.2007 SpywareQuake
Sophos 4.16.0 04.16.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.17.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.17.2007 no virus found
VirusBuster 4.3.7:9 04.17.2007 Adware.Vundo.Gen!Pac.8
Webwasher-Gateway 6.0.1 04.17.2007 Ad-Spyware.Virtumonde.IH.2

.

Knihovna qppklnnji.dll.