please help
Ad-Aware SE Professional
- bystryi
- Beginner

- Registered: 08 Jan 2007
- Location: Litoměřice
Ad-Aware SE Professional
Hi, I have this antispyware and I ran it over the whole disk (it found nothing), but web pages still keep opening automatically and I don't know what to do about it.
please help
- tnema
- Beginner

- Registered: 28 Jul 2004
- Location: Pustiměř
- LGA
- Beginner

- Registered: 19 Nov 2005
- Location: Zlinsky kraj
- Baron Prášil
- Beginner

- Registered: 08 Jun 2006
someone further up had an excellent idea
Post a HijackThis log here.
You can download HijackThis here:
http://www.bleepingcomputer.com/files/M ... ckThis.zip
Unpack it into its own folder, run it, and click "Do a system scan and save a logfile".
Copy the generated text file here.
- bystryi
- Beginner

- Registered: 08 Jan 2007
- Location: Litoměřice
so here is the text file:
Logfile of HijackThis v1.99.1
Scan saved at 13:44:01, on 16.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\BYSTRO~1\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - C:\Program Files\Torrent101\TorrentManager.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
- rary
- Beginner

- Registered: 20 Jun 2006
Well, you've got Lop on there.
Please uninstall Torrent101 via Add/Remove Programs.
Then have these files checked on VirusTotal:
C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe
C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
And turn on the display of hidden and system files.
And copy the results here.
Then download NoLop.
Run it and click "Search and Destroy"; scanning will start. After the scan,
click OK and then click Reboot.
Then copy here the NoLop output, which is located at C:\NoLop.log, plus a new HJT log.
If it reports the error "mscomctl.ocx or one of its dependencies are not correctly registered,"
then download
mscomctl.ocx into the 'system32' folder. You will then have to run the program again.
Also install a firewall.
And unless you really need it, uninstall that Megaupload Toolbar as well.
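Both files named in the post above are started from Run keys and sit under an application-data folder, once by its long localized name and once by its 8.3 short name. The following Python is an added example, not part of the thread or of HijackThis, that pulls such O4 entries out of a log; the folder-name list, the simplified 8.3 rule and all function names are assumptions made for illustration.

```python
import re

# Sample input: a subset of the O4 (autostart) lines from the first
# HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
"""

# Assumption: folder names that hold application data on Windows XP.
# "Data aplikací" is the localized name that appears in this log.
APPDATA_DIRS = ("Application Data", "Data aplikací")

O4_REGISTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+)$")
EXE_PATH = re.compile(r"^(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.I)


def executable_of(command):
    """Return the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first extension.
    m = EXE_PATH.match(command)
    return m.group(1) if m else command


def is_dir_name(component, long_name):
    """Match a path component against a long name or its 8.3 alias.

    Simplified 8.3 rule: spaces dropped, first six characters, then ~N.
    """
    if component.lower() == long_name.lower():
        return True
    stem = long_name.replace(" ", "")[:6]
    return re.fullmatch(re.escape(stem) + r"~\d+", component, re.I) is not None


def parse_o4(line):
    """Parse one O4 line into (location, name, path), or None."""
    line = line.strip()
    m = O4_REGISTRY.match(line)
    if m:
        hive, key, name, command = m.groups()
        return (hive + "\\" + key, name, executable_of(command))
    m = O4_STARTUP.match(line)
    if m:
        # "Shortcut.lnk = target"; some entries list only a file name.
        name, _, target = m.group(2).partition(" = ")
        return (m.group(1), name, executable_of(target or name))
    return None


def autostarts_from_appdata(log_text):
    """Return O4 entries whose program sits under an application-data folder."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        # Every component except the last one is a directory.
        parts = entry[2].split("\\")[:-1]
        if any(is_dir_name(p, d) for p in parts for d in APPDATA_DIRS):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for location, name, path in autostarts_from_appdata(SAMPLE_LOG):
        print(f"{location} [{name}] -> {path}")
```

A hit only marks an entry for closer inspection, such as the multi-engine scan requested in the post; legitimate software also starts from these folders.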
- bystryi
- Beginner

- Registered: 08 Jan 2007
- Location: Litoměřice
so here is the output from VirusTotal: Binblah.exe:
STATUS: FINISHED
Complete scanning result of "Binblah.exe", received in VirusTotal at 02.16.2007, 17:51:13 (CET).
Antivirus Version Update Result
AntiVir 7.3.1.37 02.16.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 02.15.2007 no virus found
Avast 4.7.936.0 02.16.2007 no virus found
AVG 386 02.16.2007 no virus found
BitDefender 7.2 02.16.2007 Trojan.FatObfus.Gen
CAT-QuickHeal 9.00 02.16.2007 no virus found
ClamAV devel-20060426 02.16.2007 no virus found
DrWeb 4.33 02.16.2007 no virus found
eSafe 7.0.14.0 02.16.2007 no virus found
eTrust-Vet 30.4.3405 02.16.2007 no virus found
Ewido 4.0 02.16.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 suspicious
F-Prot 4.2.1.29 02.15.2007 no virus found
F-Secure 6.70.13030.0 02.16.2007 no virus found
Ikarus T3.1.0.31 02.16.2007 no virus found
Kaspersky 4.0.2.24 02.16.2007 no virus found
McAfee 4964 02.15.2007 no virus found
Microsoft 1.2204 02.16.2007 no virus found
NOD32v2 2066 02.16.2007 no virus found
Norman 5.80.02 02.16.2007 no virus found
Panda 9.0.0.4 02.16.2007 Adware/Lop
Prevx1 V2 02.16.2007 Adware.Lop
Sophos 4.14.0 02.16.2007 no virus found
Sunbelt 2.2.907.0 02.15.2007 no virus found
Symantec 10 02.16.2007 no virus found
TheHacker 6.1.6.059 02.16.2007 no virus found
UNA 1.83 02.14.2007 no virus found
VBA32 3.11.2 02.16.2007 no virus found
VirusBuster 4.3.19:9 02.16.2007 Adware.Lop.Gen
Aditional Information
File size: 547328 bytes
MD5: 64eea1ca05e6afdb5cb68f24cd275cb0
SHA1: e95b69c8f63c93e25a9f12b8cade4f4bd3265724
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bc1876298145
and here is barbuploadpoll.exe:
STATUS: STOPPED
Service is stopped in this moments. Scanning of your sample has not been finalized and results has been lost. If you wish to scan it, please send it again.
Antivirus Version Update Result
AntiVir 7.3.1.37 02.16.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 02.15.2007 no virus found
Avast 4.7.936.0 02.16.2007 no virus found
AVG 386 02.16.2007 no virus found
BitDefender 7.2 02.16.2007 Trojan.FatObfus.Gen
CAT-QuickHeal 9.00 02.16.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.16.2007 no virus found
DrWeb 4.33 02.16.2007 no virus found
eSafe 7.0.14.0 02.16.2007 no virus found
eTrust-Vet 30.4.3405 02.16.2007 no virus found
Ewido 4.0 02.16.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 suspicious
F-Prot 4.2.1.29 02.15.2007 no virus found
F-Secure 6.70.13030.0 02.16.2007 no virus found
Ikarus T3.1.0.31 02.16.2007 not-a-virus:AdWare.Win32.Lop.ag
Kaspersky 4.0.2.24 02.16.2007 no virus found
McAfee 4965 02.16.2007 no virus found
Microsoft 1.2204 02.16.2007 no virus found
NOD32v2 2066 02.16.2007 no virus found
Norman 5.80.02 02.16.2007 no virus found
Panda 9.0.0.4 02.16.2007 Adware/Lop
Aditional Information
File size: 415232 bytes
MD5: fef5c988b1ba744c47a9b8589d227b4b
SHA1: 95dd2009db353c31dedecbbd811d50f4fd6741b7
I don't know why, but it stopped; I tried it 3
here is the output from NoLop; I don't know what to open it in, so I tried Notepad:
-íxÓlîOž˛xűÝő
F č <
s "€!× : c : \ d o c u m e ~ 1 \ b y s t r o ~ 1 \ d a t a a p ~ 1 \ f l a g t r ~ 1 \ E X T R A L O A D P R O X Y . e x e b y s t r o u ao v é 0 Í <
and here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 18:30:51, on 16.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\BYSTRO~1\LOCALS~1\Temp\Rar$EX00.172\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] "C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: NoLop.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
it didn't report any error to me
I have the firewall turned on (Windows XP)
STATUS: FINISHEDComplete scanning result of "Binblah.exe", received in VirusTotal at 02.16.2007, 17:51:13 (CET).
Antivirus Version Update Result
AntiVir 7.3.1.37 02.16.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 02.15.2007 no virus found
Avast 4.7.936.0 02.16.2007 no virus found
AVG 386 02.16.2007 no virus found
BitDefender 7.2 02.16.2007 Trojan.FatObfus.Gen
CAT-QuickHeal 9.00 02.16.2007 no virus found
ClamAV devel-20060426 02.16.2007 no virus found
DrWeb 4.33 02.16.2007 no virus found
eSafe 7.0.14.0 02.16.2007 no virus found
eTrust-Vet 30.4.3405 02.16.2007 no virus found
Ewido 4.0 02.16.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 suspicious
F-Prot 4.2.1.29 02.15.2007 no virus found
F-Secure 6.70.13030.0 02.16.2007 no virus found
Ikarus T3.1.0.31 02.16.2007 no virus found
Kaspersky 4.0.2.24 02.16.2007 no virus found
McAfee 4964 02.15.2007 no virus found
Microsoft 1.2204 02.16.2007 no virus found
NOD32v2 2066 02.16.2007 no virus found
Norman 5.80.02 02.16.2007 no virus found
Panda 9.0.0.4 02.16.2007 Adware/Lop
Prevx1 V2 02.16.2007 Adware.Lop
Sophos 4.14.0 02.16.2007 no virus found
Sunbelt 2.2.907.0 02.15.2007 no virus found
Symantec 10 02.16.2007 no virus found
TheHacker 6.1.6.059 02.16.2007 no virus found
UNA 1.83 02.14.2007 no virus found
VBA32 3.11.2 02.16.2007 no virus found
VirusBuster 4.3.19:9 02.16.2007 Adware.Lop.Gen
Aditional Information
File size: 547328 bytes
MD5: 64eea1ca05e6afdb5cb68f24cd275cb0
SHA1: e95b69c8f63c93e25a9f12b8cade4f4bd3265724
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bc1876298145
a tady barbuploadpoll.exe :
STATUS: STOPPEDService is stopped in this moments. Scanning of your sample has not been finalized and results has been lost. If you wish to scan it, please send it again.
Antivirus Version Update Result
AntiVir 7.3.1.37 02.16.2007 TR/Crypt.XPACK.Gen
Authentium 4.93.8 02.15.2007 no virus found
Avast 4.7.936.0 02.16.2007 no virus found
AVG 386 02.16.2007 no virus found
BitDefender 7.2 02.16.2007 Trojan.FatObfus.Gen
CAT-QuickHeal 9.00 02.16.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.16.2007 no virus found
DrWeb 4.33 02.16.2007 no virus found
eSafe 7.0.14.0 02.16.2007 no virus found
eTrust-Vet 30.4.3405 02.16.2007 no virus found
Ewido 4.0 02.16.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 suspicious
F-Prot 4.2.1.29 02.15.2007 no virus found
F-Secure 6.70.13030.0 02.16.2007 no virus found
Ikarus T3.1.0.31 02.16.2007 not-a-virus:AdWare.Win32.Lop.ag
Kaspersky 4.0.2.24 02.16.2007 no virus found
McAfee 4965 02.16.2007 no virus found
Microsoft 1.2204 02.16.2007 no virus found
NOD32v2 2066 02.16.2007 no virus found
Norman 5.80.02 02.16.2007 no virus found
Panda 9.0.0.4 02.16.2007 Adware/Lop
Aditional Information
File size: 415232 bytes
MD5: fef5c988b1ba744c47a9b8589d227b4b
SHA1: 95dd2009db353c31dedecbbd811d50f4fd6741b7
nevimproč ale ono se to stoplo skoušel jsem to 3
tady je z NoLop: nevim v cem to mam otevrit zkusil jsem poznámkový blok:
-íxÓlîOž˛xűÝő
F č <
s "€!× : c : \ d o c u m e ~ 1 \ b y s t r o ~ 1 \ d a t a a p ~ 1 \ f l a g t r ~ 1 \ E X T R A L O A D P R O X Y . e x e b y s t r o u ao v é 0 Í <
a tady je log z HJT:
Logfile of HijackThis v1.99.1
Scan saved at 18:30:51, on 16.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\BYSTRO~1\LOCALS~1\Temp\Rar$EX00.172\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] "C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: NoLop.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
It didn't report any error to me.
I have the firewall turned on (Windows XP).
- rary
- Beginner

-
- Registered: 20 Jun 2006
Yes, even though it stopped and the results are incomplete, we now know that it is Lop.
And is that really everything that NoLop pulled out for you?
Then we'll just have to do it another way: download LopFind and run it. A text document should appear within a moment; otherwise it is saved at C:\lop.txt, so copy its contents here.
But before that, do this:
Download Avenger (http://swandog46.geekstogo.com/avenger.exe) and run it under an administrator account.
Choose the option "Input script manually" and click the magnifying-glass icon; an empty window will pop up, into which you copy the text marked in green:
Folders to delete:
C:\Documents and Settings\All Users\Data aplikací\live burn size comp
C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1
Then click Done.
After that, click the traffic-light icon. A prompt will pop up; click Yes, then another one where you click Yes as well.
After the restart, the Avenger log should pop up, so copy it here.
+ the LopFind log + the HJT log.
And I mean a proper firewall, not the one in Windows; that one is insufficient.
- tnema
- Beginner

- Registered: 28 Jul 2004
- Location: Pustiměř
- bystryi
- Beginner

-
- Registered: 08 Jan 2007
- Location: Litoměřice
- Contact user:
So in NoLop that was everything.
Here is the log from Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qaybqqfd
*******************
Script file located at: \??\C:\WINDOWS\system32\lhilnscs.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Folder C:\Documents and Settings\All Users\Data aplikací\live burn size comp deleted successfully.
Folder C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1 deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Here is the log from LopFind:
******************************************
1) Výpis obsahů Application Data složek pro zjištění podezřelých adresářů:
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\All Users\DATAAP~1
16.02.2007 14:40 <DIR> Webroot
27.01.2007 11:15 <DIR> SolidDocuments
25.01.2007 20:07 <DIR> Macromedia
19.12.2006 14:55 <DIR> River Past G5
22.11.2006 15:00 1751 QTSBandwidthCache
07.11.2006 16:09 <DIR> Windows Genuine Advantage
02.11.2006 15:57 <DIR> Skype
02.11.2006 14:21 <DIR> Apple Computer
01.11.2006 14:32 <DIR> Google
08.06.2006 12:52 <DIR> Adobe
07.06.2006 17:13 <DIR> HP
07.06.2006 17:07 1730 hpzinstall.log
05.06.2006 15:19 62 desktop.ini
05.06.2006 15:19 <DIR> Microsoft
05.06.2006 15:19 <DIR> .
05.06.2006 15:19 <DIR> ..
05.06.2006 14:46 <DIR> QuickTime
3 soubor…, 3543 bajt…
Adres ý…: 14, Volněch bajt…: 7840550912
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\bystrouçov‚\DATAAP~1
16.02.2007 14:39 <DIR> Webroot
10.02.2007 11:54 <DIR> Image Zone Express
08.02.2007 13:39 51789 PatchUpdate_HP_CounterReport_Update_HPSU.log
08.02.2007 13:38 2139 HPSU_48BitScanUpdate.log
08.02.2007 13:36 54447 Update_HP_RedboxHprblog_HPSU.log
28.01.2007 14:41 <DIR> Sun
27.01.2007 11:16 <DIR> SolidDocuments
26.01.2007 13:21 <DIR> Nvu
25.01.2007 20:34 13276 phpdesigner2007pe.xml
25.01.2007 20:31 <DIR> vmntoolbar
26.12.2006 12:23 <DIR> Teleca
18.11.2006 17:31 <DIR> Hamachi
16.11.2006 17:37 <DIR> Apple Computer
02.11.2006 15:57 <DIR> Skype
01.11.2006 15:36 <DIR> ICQ Toolbar
01.11.2006 15:36 <DIR> ICQLite
01.11.2006 14:42 <DIR> Google
30.10.2006 17:42 <DIR> Opera
30.10.2006 17:39 <DIR> Mozilla
14.09.2006 14:56 <DIR> Zoner
12.09.2006 20:29 <DIR> ArcSoft
04.09.2006 08:53 <DIR> My Battle for Middle-earth(tm) II Files
07.08.2006 15:44 <DIR> InfoTurist
07.08.2006 15:44 <DIR> Macromedia
27.06.2006 19:35 <DIR> Help
08.06.2006 12:54 <DIR> AdobeUM
08.06.2006 12:53 <DIR> Adobe
07.06.2006 17:07 <DIR> HP
05.06.2006 14:48 <DIR> Nikon
05.06.2006 14:03 <DIR> Microsoft Web Folders
05.06.2006 13:34 62 desktop.ini
05.06.2006 13:34 <DIR> Microsoft
05.06.2006 13:34 <DIR> .
05.06.2006 13:34 <DIR> ..
5 soubor…, 121713 bajt…
Adres ý…: 29, Volněch bajt…: 7840550912
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\bystrouçov‚\DATAAP~1
16.02.2007 14:39 <DIR> Webroot
10.02.2007 11:54 <DIR> Image Zone Express
08.02.2007 13:39 51789 PatchUpdate_HP_CounterReport_Update_HPSU.log
08.02.2007 13:38 2139 HPSU_48BitScanUpdate.log
08.02.2007 13:36 54447 Update_HP_RedboxHprblog_HPSU.log
28.01.2007 14:41 <DIR> Sun
27.01.2007 11:16 <DIR> SolidDocuments
26.01.2007 13:21 <DIR> Nvu
25.01.2007 20:34 13276 phpdesigner2007pe.xml
25.01.2007 20:31 <DIR> vmntoolbar
26.12.2006 12:23 <DIR> Teleca
18.11.2006 17:31 <DIR> Hamachi
16.11.2006 17:37 <DIR> Apple Computer
02.11.2006 15:57 <DIR> Skype
01.11.2006 15:36 <DIR> ICQ Toolbar
01.11.2006 15:36 <DIR> ICQLite
01.11.2006 14:42 <DIR> Google
30.10.2006 17:42 <DIR> Opera
30.10.2006 17:39 <DIR> Mozilla
14.09.2006 14:56 <DIR> Zoner
12.09.2006 20:29 <DIR> ArcSoft
04.09.2006 08:53 <DIR> My Battle for Middle-earth(tm) II Files
07.08.2006 15:44 <DIR> InfoTurist
07.08.2006 15:44 <DIR> Macromedia
27.06.2006 19:35 <DIR> Help
08.06.2006 12:54 <DIR> AdobeUM
08.06.2006 12:53 <DIR> Adobe
07.06.2006 17:07 <DIR> HP
05.06.2006 14:48 <DIR> Nikon
05.06.2006 14:03 <DIR> Microsoft Web Folders
05.06.2006 13:34 62 desktop.ini
05.06.2006 13:34 <DIR> Microsoft
05.06.2006 13:34 <DIR> .
05.06.2006 13:34 <DIR> ..
5 soubor…, 121713 bajt…
Adres ý…: 29, Volněch bajt…: 7840546816
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\Default User\DATAAP~1
05.06.2006 15:19 62 desktop.ini
05.06.2006 15:19 <DIR> ..
05.06.2006 15:19 <DIR> Microsoft
05.06.2006 15:19 <DIR> .
1 soubor…, 62 bajt…
Adres ý…: 3, Volněch bajt…: 7840546816
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\LocalService\DATAAP~1
16.02.2007 14:47 <DIR> Webroot
05.06.2006 13:33 <DIR> Microsoft
05.06.2006 13:33 <DIR> ..
05.06.2006 13:33 <DIR> .
0 soubor…, 0 bajt…
Adres ý…: 4, Volněch bajt…: 7840546816
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\Documents and Settings\NetworkService\DATAAP~1
05.06.2006 13:32 <DIR> ..
05.06.2006 13:32 <DIR> Microsoft
05.06.2006 13:32 <DIR> .
0 soubor…, 0 bajt…
Adres ý…: 3, Volněch bajt…: 7840546816
******************************************
2) Vyhledávání a odstranění podezřelých .job souborů:
a) Soubory přítomné v C:\WINDOWS\tasks\ adresáři:
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\WINDOWS\Tasks
16.02.2007 14:47 1˙414 wrSpySweeperTrialSweep.job
02.11.2006 14:22 284 AppleSoftwareUpdate.job
05.06.2006 13:33 6 SA.DAT
05.06.2006 13:27 65 desktop.ini
05.06.2006 13:27 <DIR> ..
05.06.2006 13:27 <DIR> .
4 soubor…, 1˙769 bajt…
Adres ý…: 2, Volněch bajt…: 7˙840˙546˙816
––––––––––––––––––––––––––––––––––––––––––
b) Nalezené a odstraněné nežádoucí soubory:
––––––––––––––––––––––––––––––––––––––––––
c) Soubory přítomné v adresáři po vymazání:
Svazek v jednotce C nem § dnou jmenovku.
S‚riov‚ źˇslo svazku je 185F-0911.
Věpis adres ýe C:\WINDOWS\Tasks
16.02.2007 14:47 1˙414 wrSpySweeperTrialSweep.job
02.11.2006 14:22 284 AppleSoftwareUpdate.job
05.06.2006 13:33 6 SA.DAT
05.06.2006 13:27 65 desktop.ini
05.06.2006 13:27 <DIR> ..
05.06.2006 13:27 <DIR> .
4 soubor…, 1˙769 bajt…
Adres ý…: 2, Volněch bajt…: 7˙840˙546˙816
******************************************
3) Vyhledávání podvodných programů ve složce Program files:
Adresář C:\Program Files\Adv Nepřítomen !
Adresář C:\Program Files\Adverts Nepřítomen !
Adresář C:\Program Files\BitGrabber Nepřítomen !
Adresář C:\Program Files\BitRoll Nepřítomen !
Adresář C:\Program Files\C2Media Nepřítomen !
Adresář C:\Program Files\Download Plugin Nepřítomen !
Adresář C:\Program Files\Messenger Plus! 3 Nepřítomen !
Adresář C:\Program Files\NetPumper Nepřítomen !
Adresář C:\Program Files\Proxy download Nepřítomen !
Adresář C:\Program Files\SuperTorrent Nepřítomen !
Adresář C:\Program Files\Torrent101 Nepřítomen !
Here is the one from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 14:41:56, on 17.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\DOCUME~1\BYSTRO~1\LOCALS~1\Temp\Rar$EX00.437\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] "C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
And which firewall is the best?
- bystryi
- Beginner

-
- Registered: 08 Jan 2007
- Location: Litoměřice
- Contact user:
- OndraSter
- Intermediate

- Registered: 22 Feb 2006
- Location: Praha / ČVUT FIT
- Contact user:
Nothing will happen; at most you'll delete some spyware, a virus, ..
PC: i5-2500k 4.5GHz/24GB RAM/GTX560 Ti 1GB/>5TB - W7 Prof x64; Microsoft SideWinder X3 notebook: HP 6715b (4GB RAM) - W7 Prof x64;
phone: Nokia Lumia 800 Cyan, 16GB; tablet: Toshiba Portege M200 (2GB, 64GB SSD, GeForce FX5200) - W7 Prof x32
- rary
- Beginner

-
- Registered: 20 Jun 2006
In HJT just fix:
O4 - HKLM\..\Run: [size comp kind setup] "C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe"
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
These are now only registry entries, because what we deleted with Avenger were the folders where those files were located, so don't even look for them because you won't find them.
That's all, provided you have no problems.
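The cross-check described in the post above (autorun entries left behind once Avenger has deleted the folders they point to) can be automated. The following is an added example, not part of the original thread and not code from HijackThis or Avenger; the function names are hypothetical, and the sample input is a subset of log lines copied from the posts above.

```python
import re

# Constructed sample input: lines copied from the Avenger and HijackThis
# logs posted in this thread (only a subset of the O4 entries is included).
AVENGER_LOG = r"""
Beginning to process script file:
Folder C:\Documents and Settings\All Users\Data aplikací\live burn size comp deleted successfully.
Folder C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1 deleted successfully.
Completed script processing.
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [size comp kind setup] "C:\Documents and Settings\All Users\Data aplikací\live burn size comp\Binblah.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [transjugs] C:\DOCUME~1\BYSTRO~1\DATAAP~1\FLAGTR~1\barbuploadpoll.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
"""

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r'^O4 - (HK\w+\\\.\.\\[^:\s]+): \[(.*?)\] (.+)$')
# O4 - Global Startup: shortcut.lnk = target
STARTUP_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
# Folder <path> deleted successfully.
DELETED_RE = re.compile(r'^Folder (.+) deleted successfully\.$')


def norm(path):
    """Lower-case, backslash-only form used for textual comparison.

    The comparison is purely textual: an 8.3 short path and the matching
    long path are treated as different strings, so an entry written in
    the other form than the Avenger line would be missed.
    """
    return path.strip().replace("/", "\\").rstrip("\\").lower()


def target_path(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: keep the whole string; a prefix check still works on it.
    return command


def deleted_folders(avenger_log):
    """Folders that the Avenger log reports as successfully deleted."""
    folders = []
    for line in avenger_log.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            folders.append(norm(m.group(1)))
    return folders


def parse_autoruns(hjt_log):
    """All O4 Run-key and Startup-folder entries of a HijackThis log."""
    entries = []
    for line in hjt_log.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            location, name, command = m.groups()
            entries.append({"location": location, "name": name,
                            "command": command,
                            "target": target_path(command)})
    return entries


def orphaned_autoruns(hjt_log, avenger_log):
    """Autorun entries whose target lies inside a deleted folder."""
    folders = deleted_folders(avenger_log)
    return [e for e in parse_autoruns(hjt_log)
            if any(norm(e["target"]).startswith(f + "\\") for f in folders)]


if __name__ == "__main__":
    for e in orphaned_autoruns(HJT_LOG, AVENGER_LOG):
        print(f'{e["location"]}: [{e["name"]}] -> {e["target"]}')
```

The two entries it reports are the same two O4 lines the post asks to fix in HijackThis.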
- bystryi
- Beginner

-
- Registered: 08 Jan 2007
- Location: Litoměřice
- Contact user: