Damned píše: Snad Baron ví více
neví.
vidí to poprvé. počká co k tomu řekne fredik nebo sakiri
totomsaa18:co ten komp vlastně vyvádí?
Prosím o kontrolu logu,díky
-
Baron Prášil
- Master Level 7
- Příspěvky: 4882
- Registrován: červen 06
- Pohlaví:
- Stav:
Offline
to to asi bude tvrdý oříšek zkus to ještě jednou odinstalovat pokud to nepůjde tak mě napadá pouze tohle:
stáhni si Avenger a spusť ho pod účtem administrátora.
Zvol možnost - Input script manually a klikni na ikonku lupy vyskočí prázdné okno ka zkopíruj ten tučný text:
Files to delete:
C:\Program Files\SearchNet\ServeUp.exe
C:\Program Files\SearchNet\searchnet.exe
C:\Program Files\SearchNet\uninstall.exe
C:\Program Files\SearchNet\srvnet32.dll
C:\Program Files\SearchNet\snhpr.dll
C:\WINDOWS\System32\servehost.exe
C:\WINDOWS\System32\servehost.dat
C:\WINDOWS\system32\drivers\anfad.sys
C:\WINDOWS\system32\drivers\svq0hve.sys
C:\WINDOWS\system32\drivers\xcvmp7.sys
C:\WINDOWS\system32\drivers\fad.sys
Folders to delete:
C:\Program Files\SearchNet
Poté klikni na Done.
Pak klikni na ikonku semafory.
Vyskočí ti hláška kde odklikni Yes je možné že ti to bude házet chyby tak u všech odklikávej OK poté se dostaneš k té hlášce kde odklikni YES PC se restartuje po restartu by ti měl "vyskočit" výpis z Avengeru tak ho sem zkopíruj poté nový log + jak se PC chová.
Pro jistotu jsem do toho vložil tyhle všechny soubory.
Tohle je vše co mě napadlo.
+ si vyčisti temp CCleaner-em
stáhni si Avenger a spusť ho pod účtem administrátora.
Zvol možnost - Input script manually a klikni na ikonku lupy vyskočí prázdné okno ka zkopíruj ten tučný text:
Files to delete:
C:\Program Files\SearchNet\ServeUp.exe
C:\Program Files\SearchNet\searchnet.exe
C:\Program Files\SearchNet\uninstall.exe
C:\Program Files\SearchNet\srvnet32.dll
C:\Program Files\SearchNet\snhpr.dll
C:\WINDOWS\System32\servehost.exe
C:\WINDOWS\System32\servehost.dat
C:\WINDOWS\system32\drivers\anfad.sys
C:\WINDOWS\system32\drivers\svq0hve.sys
C:\WINDOWS\system32\drivers\xcvmp7.sys
C:\WINDOWS\system32\drivers\fad.sys
Folders to delete:
C:\Program Files\SearchNet
Poté klikni na Done.
Pak klikni na ikonku semafory.
Vyskočí ti hláška kde odklikni Yes je možné že ti to bude házet chyby tak u všech odklikávej OK poté se dostaneš k té hlášce kde odklikni YES PC se restartuje po restartu by ti měl "vyskočit" výpis z Avengeru tak ho sem zkopíruj poté nový log + jak se PC chová.
Pro jistotu jsem do toho vložil tyhle všechny soubory.
Tohle je vše co mě napadlo.
+ si vyčisti temp CCleaner-em
Naposledy upravil(a) sakiri dne 02 úno 2007 09:20, celkem upraveno 2 x.
-
Baron Prášil
- Master Level 7
- Příspěvky: 4882
- Registrován: červen 06
- Pohlaví:
- Stav:
Offline
http://www.symantec.com/security_respon ... 99&tabid=3
na tento návod sem se díval,ale než to začnu překládat do uživatelsky přívětivího jazyka,tak bych
rád věděl,proč na něj nezabírá toto
http://www.viry.cz/forum/viewtopic.php?t=10288
na virech.cz sem našel tento případ
,kdy to taky není vidět ve službách,ale podle návodu
o odinstalaci to šlo
http://viry.cz/forum/viewtopic.php?t=12858&start=0
totomsaa18:podívej se do služeb,jestli tam neni a jakej má status
Remote Loga podívej se pro jistotu znova do přidat/odebrat(po restartu,bez fixování)
a ještě bych zkusil odpojit se od netu,vypnout všechny ochrany a firewall a udělat co sem psal nahoře
(jestli ho něco neblokuje,ale to fakt vařim z vody)
no,rootkit
zajímavej nápad,sakiri,sem zvědavej.já sem upek tohle a mazat už to nebudu
na tento návod sem se díval,ale než to začnu překládat do uživatelsky přívětivího jazyka,tak bych
rád věděl,proč na něj nezabírá toto
http://www.viry.cz/forum/viewtopic.php?t=10288
na virech.cz sem našel tento případ
,kdy to taky není vidět ve službách,ale podle návodu
o odinstalaci to šlo
http://viry.cz/forum/viewtopic.php?t=12858&start=0
totomsaa18:podívej se do služeb,jestli tam neni a jakej má status
Remote Loga podívej se pro jistotu znova do přidat/odebrat(po restartu,bez fixování)
a ještě bych zkusil odpojit se od netu,vypnout všechny ochrany a firewall a udělat co sem psal nahoře
(jestli ho něco neblokuje,ale to fakt vařim z vody)
no,rootkit
zajímavej nápad,sakiri,sem zvědavej.já sem upek tohle a mazat už to nebudu
-
fredik
- člen Security týmu
-
Master Level 7
- Příspěvky: 4680
- Registrován: červenec 06
- Pohlaví:
- Stav:
Offline
Ještě krapet upravím skript:
Drivers to unload:
fad
anfad
Files to delete:
C:\Program Files\SearchNet\ServeUp.exe
C:\Program Files\SearchNet\searchnet.exe
C:\Program Files\SearchNet\uninstall.exe
C:\Program Files\SearchNet\srvnet32.dll
C:\Program Files\SearchNet\snhpr.dll
C:\WINDOWS\System32\servehost.exe
C:\WINDOWS\System32\servehost.dat
C:\WINDOWS\system32\drivers\anfad.sys
C:\WINDOWS\system32\drivers\fad.sys
Folders to delete:
C:\Program Files\SearchNet
s těma dalšíma driverama co uvedl sakiri ještě nevím na to se musím podívat. Možná je krapet zbytečné mazat jednotlivé soubory v adr. SearchNet když smažeš pak celý adresář.
Drivers to unload:
fad
anfad
Files to delete:
C:\Program Files\SearchNet\ServeUp.exe
C:\Program Files\SearchNet\searchnet.exe
C:\Program Files\SearchNet\uninstall.exe
C:\Program Files\SearchNet\srvnet32.dll
C:\Program Files\SearchNet\snhpr.dll
C:\WINDOWS\System32\servehost.exe
C:\WINDOWS\System32\servehost.dat
C:\WINDOWS\system32\drivers\anfad.sys
C:\WINDOWS\system32\drivers\fad.sys
Folders to delete:
C:\Program Files\SearchNet
s těma dalšíma driverama co uvedl sakiri ještě nevím na to se musím podívat. Možná je krapet zbytečné mazat jednotlivé soubory v adr. SearchNet když smažeš pak celý adresář.
-
Baron Prášil
- Master Level 7
- Příspěvky: 4882
- Registrován: červen 06
- Pohlaví:
- Stav:
Offline
tofredik,sakiri:
tady je to dost slušně rozebraný
http://viry.cz/forum/viewtopic.php?t=10 ... ht=serveup
tady je to dost slušně rozebraný
http://viry.cz/forum/viewtopic.php?t=10 ... ht=serveup
To saciri: tak jsem to smazal tim avengerem a vypadá to že to je pryč
posílám výpis z avengeru + log: ale jinak moc díky
avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\coajcpdi
*******************
Script file located at: \??\C:\Program Files\yauurpqp.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Program Files\SearchNet\ServeUp.exe not found!
Deletion of file C:\Program Files\SearchNet\ServeUp.exe failed!
Could not process line:
C:\Program Files\SearchNet\ServeUp.exe
Status: 0xc0000034
File C:\Program Files\SearchNet\searchnet.exe not found!
Deletion of file C:\Program Files\SearchNet\searchnet.exe failed!
Could not process line:
C:\Program Files\SearchNet\searchnet.exe
Status: 0xc0000034
File C:\Program Files\SearchNet\uninstall.exe deleted successfully.
File C:\Program Files\SearchNet\srvnet32.dll not found!
Deletion of file C:\Program Files\SearchNet\srvnet32.dll failed!
Could not process line:
C:\Program Files\SearchNet\srvnet32.dll
Status: 0xc0000034
File C:\Program Files\SearchNet\snhpr.dll not found!
Deletion of file C:\Program Files\SearchNet\snhpr.dll failed!
Could not process line:
C:\Program Files\SearchNet\snhpr.dll
Status: 0xc0000034
File C:\WINDOWS\System32\servehost.exe not found!
Deletion of file C:\WINDOWS\System32\servehost.exe failed!
Could not process line:
C:\WINDOWS\System32\servehost.exe
Status: 0xc0000034
File C:\WINDOWS\System32\servehost.dat not found!
Deletion of file C:\WINDOWS\System32\servehost.dat failed!
Could not process line:
C:\WINDOWS\System32\servehost.dat
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\anfad.sys deleted successfully.
File C:\WINDOWS\system32\drivers\svq0hve.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\svq0hve.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\svq0hve.sys
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\xcvmp7.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\xcvmp7.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\xcvmp7.sys
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\fad.sys deleted successfully.
Folder C:\Program Files\SearchNet deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
log:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:54, on 2.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Filzip\Filzip.exe
C:\DOCUME~1\J1EA4~1\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~2\deskipn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [SSS5] "C:\Program Files\Steganos Security Suite 5\steganos5.exe" /booting
O4 - HKCU\..\Run: [SSS5SAFE] "C:\Program Files\Steganos Security Suite 5\safe.exe" /booting
O4 - HKCU\..\Run: [SSS5SPM] "C:\Program Files\Steganos Security Suite 5\spm.exe" /booting
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
posílám výpis z avengeru + log: ale jinak moc díky
avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\coajcpdi
*******************
Script file located at: \??\C:\Program Files\yauurpqp.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Program Files\SearchNet\ServeUp.exe not found!
Deletion of file C:\Program Files\SearchNet\ServeUp.exe failed!
Could not process line:
C:\Program Files\SearchNet\ServeUp.exe
Status: 0xc0000034
File C:\Program Files\SearchNet\searchnet.exe not found!
Deletion of file C:\Program Files\SearchNet\searchnet.exe failed!
Could not process line:
C:\Program Files\SearchNet\searchnet.exe
Status: 0xc0000034
File C:\Program Files\SearchNet\uninstall.exe deleted successfully.
File C:\Program Files\SearchNet\srvnet32.dll not found!
Deletion of file C:\Program Files\SearchNet\srvnet32.dll failed!
Could not process line:
C:\Program Files\SearchNet\srvnet32.dll
Status: 0xc0000034
File C:\Program Files\SearchNet\snhpr.dll not found!
Deletion of file C:\Program Files\SearchNet\snhpr.dll failed!
Could not process line:
C:\Program Files\SearchNet\snhpr.dll
Status: 0xc0000034
File C:\WINDOWS\System32\servehost.exe not found!
Deletion of file C:\WINDOWS\System32\servehost.exe failed!
Could not process line:
C:\WINDOWS\System32\servehost.exe
Status: 0xc0000034
File C:\WINDOWS\System32\servehost.dat not found!
Deletion of file C:\WINDOWS\System32\servehost.dat failed!
Could not process line:
C:\WINDOWS\System32\servehost.dat
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\anfad.sys deleted successfully.
File C:\WINDOWS\system32\drivers\svq0hve.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\svq0hve.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\svq0hve.sys
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\xcvmp7.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\xcvmp7.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\xcvmp7.sys
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\fad.sys deleted successfully.
Folder C:\Program Files\SearchNet deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
log:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:54, on 2.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Filzip\Filzip.exe
C:\DOCUME~1\J1EA4~1\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MonitorURL Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\DESKAD~2\deskipn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [SSS5] "C:\Program Files\Steganos Security Suite 5\steganos5.exe" /booting
O4 - HKCU\..\Run: [SSS5SAFE] "C:\Program Files\Steganos Security Suite 5\safe.exe" /booting
O4 - HKCU\..\Run: [SSS5SPM] "C:\Program Files\Steganos Security Suite 5\spm.exe" /booting
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
sakra ono to tam je pořád.
zajímá mě proč Avenger ale nesmazal ten ServeUP.exe když ho měl smazat.
no nevím co napadne Fredika a Barona
Mě by ještě napadlo udělat pár logů z IceSwordu nebo další detekční utilitky na rootkity.
Ale ještě chvíli počkej.
+ spusť Avenger postupuj tak jak minule ale místo toho tam zadej tento script jak mě doplnil Fredik (to celý které je označený tam zkopíruj protože jsem v tom 1. výpisu neviděl aby smazal tu složku.):
Drivers to unload:
fad
anfad
Folders to delete:
C:\Program Files\SearchNet
Poté klikni na Done.
Pak klikni na ikonku semafory.
Vyskočí ti hláška kde odklikni Yes poté další hláška kde odklikni YES PC se restartuje po restartu by ti měl "vyskočit" výpis z Avengeru tak ho sem zkopíruj + nový log z HJT.
zajímá mě proč Avenger ale nesmazal ten ServeUP.exe když ho měl smazat.
no nevím co napadne Fredika a Barona
Mě by ještě napadlo udělat pár logů z IceSwordu nebo další detekční utilitky na rootkity.
Ale ještě chvíli počkej.
+ spusť Avenger postupuj tak jak minule ale místo toho tam zadej tento script jak mě doplnil Fredik (to celý které je označený tam zkopíruj protože jsem v tom 1. výpisu neviděl aby smazal tu složku.):
Drivers to unload:
fad
anfad
Folders to delete:
C:\Program Files\SearchNet
Poté klikni na Done.
Pak klikni na ikonku semafory.
Vyskočí ti hláška kde odklikni Yes poté další hláška kde odklikni YES PC se restartuje po restartu by ti měl "vyskočit" výpis z Avengeru tak ho sem zkopíruj + nový log z HJT.
Zde je výpis z avengeru:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aolteikt
*******************
Script file located at: \??\C:\WINDOWS\oaesihti.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key \Registry\Machine\System\CurrentControlSet\Services\fad not found!
Unload of driver fad failed!
Could not process line:
fad
Status: 0xc0000034
Registry key \Registry\Machine\System\CurrentControlSet\Services\anfad not found!
Unload of driver anfad failed!
Could not process line:
anfad
Status: 0xc0000034
Folder C:\Program Files\SearchNet not found!
Deletion of folder C:\Program Files\SearchNet failed!
Could not process line:
C:\Program Files\SearchNet
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
a zde log:
Logfile of HijackThis v1.99.1
Scan saved at 16:34:30, on 2.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Center\RCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\J1EA4~1\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aolteikt
*******************
Script file located at: \??\C:\WINDOWS\oaesihti.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key \Registry\Machine\System\CurrentControlSet\Services\fad not found!
Unload of driver fad failed!
Could not process line:
fad
Status: 0xc0000034
Registry key \Registry\Machine\System\CurrentControlSet\Services\anfad not found!
Unload of driver anfad failed!
Could not process line:
anfad
Status: 0xc0000034
Folder C:\Program Files\SearchNet not found!
Deletion of folder C:\Program Files\SearchNet failed!
Could not process line:
C:\Program Files\SearchNet
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
a zde log:
Logfile of HijackThis v1.99.1
Scan saved at 16:34:30, on 2.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Creative\SBLive\RemoteCenter\Center\RCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\J1EA4~1\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\SBLive\RemoteCenter\Rc\Rcman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcDcToday.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD LT 2000i Cz\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
log již vypadá čistý.
aby jsme se ujistily že je to ok a nic odesílá tak si stáhni [url=http://www.majorgeeks.com/downloadget.php?id=5199&file=10&evp=0d36c3ec48c6373fd5daac78f0c6a417]
IceSword[/url] a spusť ho.Poté jak ho spustíš tak klikni na Port tam na hoře je tlačítko Log tak na něj klikni bude to chtít uložit tak ho ulož a poté sem zkopíruj obsah toho uloženého souboru.
aby jsme se ujistily že je to ok a nic odesílá tak si stáhni [url=http://www.majorgeeks.com/downloadget.php?id=5199&file=10&evp=0d36c3ec48c6373fd5daac78f0c6a417]
IceSword[/url] a spusť ho.Poté jak ho spustíš tak klikni na Port tam na hoře je tlačítko Log tak na něj klikni bude to chtít uložit tak ho ulož a poté sem zkopíruj obsah toho uloženého souboru.
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 89 hostů