Trojan Win32/Kryptik - svcgost.exe

[Chulap]

PS: este dodam info, ze OTM program neodpovedal lebo zamrzol. Skusal som cez TaskMngr tento OTM vypnut, ale nepohlo s nim, tak som urobil restart tlacitkom cez PC box.

Pre istotu som spustil vyhladavanie suboru svcgost.exe, ci ho PC niekde najde. Nasiel sa novovytvoreny priecinok s nazvom "_OTM", kde je ten odstraneny subor jedenkrat a to v adresari:

D:\_OTM\MovedFiles\10102011_185636\_OTM\MovedFiles\10102011_185636\C_Documents and Settings\Rasťo & Marcela\Plocha\svcgost.exe

a druhy je v druhom adresari>

D:\_OTM\MovedFiles\10102011_185636\INŠTALAČKY\svcgost.exe

[vyosek]

To je dobre, to je zaloha OTM, tam jsou soubory neskodne...

Jak se chova PC

[Chulap]

No PC zacina zvlastne blbnut: to znamena, ze vyhadzuje mi hlasku na spodnej liste, ze system ma prilis malo virtualnej pamete, co predtym som s tym nemal vobec problem.

Taktiez mi vyskocilo hlaska-okno s nazvom "Password is required" a popis v okne je "The backup archive you have chosen is password-protected. To access this backup archive you must enter the password." a potom je policko s vlozenim hesla. Toto sa mi na compe objavilo prvykrat a nemam ani sajnuco to chce. Klikam na prikaz Cancel" ale nic nereaguje. Heslo som zatial neskusal davat ziadne.

Co to je?

[vyosek]

Udelejte sken pomoci CureIt http://viry.cz/forum/viewtopic.php?f=29&t=47721

Dejte novy log z RSIT

[Chulap]

Zdravim,

scan cez Curelt som urobil ako expresny scan - ziadne virusy nenasiel. Tu je log RSIT:

Logfile of random's system information tool 1.09 (written by random/random)
Run by Rasťo & Marcela at 2011-10-10 21:37:03
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 5 GB (23%) free of 20 GB
Total RAM: 511 MB (58% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:37:11, on 10.10.2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
D:\INŠTALAČKY\Virusy_Odstranovanie+Scany\RSIT_ScanerPC\RSIT.exe
C:\Program Files\trend micro\Rasťo & Marcela.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: IOL.lnk = ?
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Spamihilator.lnk = C:\Program Files\Spamihilator\spamihilator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.sk/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7431000906
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{680C0A2F-781D-4886-A092-66F4DB2CA560}: NameServer = 193.58.193.11 195.12.128.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

--
End of file - 6959 bytes

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\Rasťo & Marcela\Data aplikací\Mozilla\Firefox\Profiles\uat1iuhc.default

prefs.js - "browser.startup.homepage" - "http://www.google.sk/"
prefs.js - "extensions.enabledItems" - "aging-tabs@design-noir.de:0.7.1, {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1, {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03, {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05, {9D6218B8-03C7-4b91-AA43-680B305DD35C}:1.7.9.8, personas@christopher.beard:1.6.2, {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:3.5.9.1, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.23"
prefs.js - "keyword.URL" - "http://www.fastbrowsersearch.com/result ... EDDAF5}&q="

"{20a82645-c095-46ed-80e3-08825760534b}"=C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"bkmrksync@nokia.com"=C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1]
"Description"=Yahoo! activeX Plug-in Bridge
"Path"=C:\Program Files\Yahoo!\Common\npyaxmpb.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

C:\Program Files\Mozilla Firefox\components\
browser.xpt
browserdirprovider.dll
brwsrcmp.dll
components.list
FeedConverter.js
FeedProcessor.js
FeedWriter.js
fuelApplication.js
GPSDGeolocationProvider.js
jsconsole-clhandler.js
NetworkGeolocationProvider.js
nsAddonRepository.js
nsBadCertHandler.js
nsBlocklistService.js
nsBrowserContentHandler.js
nsBrowserGlue.js
nsContentDispatchChooser.js
nsContentPrefService.js
nsDefaultCLH.js
nsDownloadManagerUI.js
nsExtensionManager.js
nsFormAutoComplete.js
nsHandlerService.js
nsHelperAppDlg.js
nsINIProcessor.js
nsLivemarkService.js
nsLoginInfo.js
nsLoginManager.js
nsLoginManagerPrompter.js
nsMicrosummaryService.js
nsPlacesAutoComplete.js
nsPlacesDBFlush.js
nsPlacesTransactionsService.js
nsPrivateBrowsingService.js
nsProxyAutoConfig.js
nsSafebrowsingApplication.js
nsSearchService.js
nsSearchSuggestions.js
nsSessionStartup.js
nsSessionStore.js
nsSetDefaultBrowser.js
nsSidebar.js
nsTaggingService.js
nsTryToClose.js
nsUpdateService.js
nsUpdateServiceStub.js
nsUpdateTimerManager.js
nsUrlClassifierLib.js
nsUrlClassifierListManager.js
nsURLFormatter.js
nsWebHandlerApp.js
pluginGlue.js
storage-Legacy.js
storage-mozStorage.js
txEXSLTRegExFunctions.js
WebContentConverter.js

C:\Program Files\Mozilla Firefox\plugins\
npnul32.dll

C:\Program Files\Mozilla Firefox\searchplugins\
atlas-sk.xml
azet-sk.xml
dunaj-sk.xml
eBay.xml
google.xml
slovnik-sk.xml
wikipedia-sk.xml
zoznam-sk.xml

C:\Documents and Settings\Rasťo & Marcela\Data aplikací\Mozilla\Firefox\Profiles\uat1iuhc.default\extensions\
aging-tabs@design-noir.de
langpack-sk@firefox.mozilla.org
personas@christopher.beard
{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
{50088764-be68-11db-8314-0800200c9a66}
{84b30000-62f6-364b-eba5-2e5e2061d7e6}
{9D6218B8-03C7-4b91-AA43-680B305DD35C}
{dd3d7613-0246-469d-bc65-2a3cc1668adc}

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2006-10-17 87584]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2006-10-19 1183656]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2006-10-19 1958800]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-04-09 2029640]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe [2010-06-01 2356088]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

C:\Documents and Settings\Rasťo & Marcela\Nabídka Start\Programy\Po spuštění
IOL.lnk -
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
Spamihilator.lnk - C:\Program Files\Spamihilator\spamihilator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe"="C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe:*:Enabled:Sunbelt Firewall GUI"
"C:\Program Files\Spamihilator\spamihilator.exe"="C:\Program Files\Spamihilator\spamihilator.exe:*:Enabled:Spamihilator"
"C:\Program Files\Spamihilator\cdcc.exe"="C:\Program Files\Spamihilator\cdcc.exe:*:Enabled:Spamihilator DCC Filter Configuration"
"C:\Program Files\Spamihilator\dccproc.exe"="C:\Program Files\Spamihilator\dccproc.exe:*:Enabled:Spamihilator DCC Filter"
"C:\Program Files\TeamViewer\Version6\TeamViewer.exe"="C:\Program Files\TeamViewer\Version6\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"
"C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe"="C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"midi"=wdmaud.drv
"wave"=serwvdrv.dll
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer"=wdmaud.drv
"vidc.LEAD"=LCODCCMP.DLL

======List of files/folders created in the last 1 month======

2011-10-10 18:17:32 ----SHD---- C:\RECYCLER
2011-10-09 22:58:55 ----D---- C:\WINDOWS\temp
2011-10-09 22:58:51 ----A---- C:\ComboFix.txt
2011-10-09 22:07:25 ----A---- C:\TDSSKiller.2.6.6.0_09.10.2011_22.07.25_log.txt
2011-10-09 21:06:17 ----D---- C:\rsit

======List of files/folders modified in the last 1 month======

2011-10-10 21:37:07 ----D---- C:\Program Files\Trend Micro
2011-10-10 20:35:13 ----D---- C:\WINDOWS\system32\CatRoot2
2011-10-10 20:35:04 ----D---- C:\WINDOWS\system32\drivers
2011-10-10 19:35:23 ----D---- C:\WINDOWS
2011-10-10 19:16:42 ----D---- C:\Documents and Settings\Rasťo & Marcela\Data aplikací\Spamihilator
2011-10-10 19:09:40 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-10-10 18:16:35 ----A---- C:\WINDOWS\NeroDigital.ini
2011-10-09 22:58:57 ----D---- C:\Qoobox
2011-10-09 22:55:33 ----A---- C:\WINDOWS\system.ini
2011-10-09 22:51:33 ----D---- C:\WINDOWS\system32
2011-10-09 22:51:33 ----D---- C:\WINDOWS\AppPatch
2011-10-09 22:51:29 ----D---- C:\Program Files\Common Files
2011-10-09 20:58:20 ----D---- C:\WINDOWS\Minidump
2011-10-08 11:23:24 ----D---- C:\WINDOWS\system32\drivers\etc
2011-10-08 11:21:18 ----D---- C:\WINDOWS\system32\config
2011-10-08 11:21:08 ----D---- C:\WINDOWS\erdnt
2011-10-08 11:01:08 ----D---- C:\WINDOWS\Prefetch
2011-10-08 10:59:59 ----A---- C:\WINDOWS\WDICT32.INI
2011-10-04 19:31:51 ----D---- C:\Program Files\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2007-03-08 43528]
R0 RecAgent;RecAgent; C:\WINDOWS\system32\DRIVERS\RecAgent.sys [2004-08-04 13776]
R0 snapman;Acronis Snapshots Manager; C:\WINDOWS\system32\DRIVERS\snapman.sys [2009-01-25 114048]
R0 timounter;Acronis True Image Backup Archive Explorer; C:\WINDOWS\system32\DRIVERS\timntr.sys [2009-01-25 395744]
R0 uagp35;Filtr Microsoft AGPv3.5; C:\WINDOWS\system32\DRIVERS\uagp35.sys [2004-08-04 44672]
R0 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-01-18 77696]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
R1 fwdrv;Firewall Driver; C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 302000]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-01-27 28928]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2005-01-27 27776]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-17 39936]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
R1 khips;Kerio HIPS Driver; C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 72624]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-04-09 113960]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-02-28 15440]
R2 irda;Protokol IrDA; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2009-01-25 39264]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2004-08-23 821760]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2004-06-09 3968]
R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-10-25 9600]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-18 2944]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2004-08-04 126686]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 Slntamr;Smart Link 56K Modem Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2004-08-04 404990]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2004-08-04 13240]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2005-01-27 99200]
S3 catchme;catchme; \??\C:\DOCUME~1\RASO&M~1\LOCALS~1\Temp\catchme.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-08 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-08 21744]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2004-08-04 1309184]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-10-06 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-10-06 22016]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2004-08-04 180360]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2004-08-04 95424]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 teamviewervpn;TeamViewer VPN Adapter; C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2011-03-30 25088]
S3 TF1D091010;TF1D091010; C:\WINDOWS\system32\DRIVERS\TF1D091010.sys [2008-02-02 99968]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-10-06 7936]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-10-06 7936]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2006-10-17 230944]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-01-27 856064]
R2 Irmon;Sledování infračerveného přenosu; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 ProtexisLicensing;ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [2006-11-02 174656]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2004-08-17 73796]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe [2007-04-26 1234480]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-10-27 657408]
S2 InCDsrvR;InCD Helper (read only); C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-01-27 856064]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S2 UTSCSI;CLCV0; C:\WINDOWS\system32\UTSCSI.EXE []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-04-09 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[vyosek]

Na havet vypada cisto, co PC, stale zlobi

Udelejte kdyztak jeste komplet sken pres CureIt - je sice pomaly, ale dusledny...

Taktez je nutne nainstalovat ServicePack 3 - resi mnoho problemu a chyb

[Chulap]

Zdravim,

urobil som Curelt scan uplny - bezal viac ako 4 hod. a nenaslo sa nic. Po restarte PC sa mi uz viackrat neobjavila ta hlaska so zadanim hesla pre tu BackUp aplikaciu. Taktiez vyrovnavacia virutalna pamet je OK, CPU je na cca 25%. Zda sa, ze PC mi teraz bezi bez akychkolvek problemov. Mozem ten priecinok "_OTM", kde je ta havet ulozena ako zaloha uplne vymazat? Taktiez mozem vymazat adresar a vsetky subory ComboFix cez CMD prikaz "ComboFix /u" ? Este jedna otazka, je mozne zoficialnit MS WinXP, ale tak aby som nemusel nic preinstalovavat, len kupim nejaky KEY, ktory vlozim do register kluca a bude to OK? Mam toho v PC dost, a velmi som spokojny a navyknuty na XP, i ked mam skusenost aj s W7, ale na XP nedam dopustit. Vdaka za odpovede.

[vyosek]

Uklidime po utilitach trochu "odborneji" nez jen smazanim toho co je videt

T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe

• Stahnete a spustte
• Pro potvrzeni volby mackejte A, Enter
• Po pouziti utilitu smazte
• Antiviry touhou utilitu chybne oznacit jako vir - jedna se o falesny poplach - takze v pohode stahnete (pripadne vypnete pri stahovani antivir)

OTC http://oldtimer.geekstogo.com/OTC.exe

• Stahnete a spustte
• Kliknete na CleanUp a potvrdte YES
• Program uklidi a restartuje PC

TFC http://oldtimer.geekstogo.com/TFC.exe

• Stahnete a spustte
• Kliknete na Start a potvrdte OK
• Program uklidi a restartuje pc
• Po pouziti utilitu smazte

Stahnete Ccleaner (viz muj podpis)
Panel čistič

• Vse nechte jak je, jen dejte Analyzovat a pote Spustit CCleaner

Panel registry

• dejte Hledej problémy
• nasledne Opravit problémy - zalohu registru doporucuji udelat, opravte vsechny problemy
• postup opakujte dokud nebude bez problemu - vetsinou cca 3x

Panel nástroje

• Zde muzete odinstalovat nepotrebne programy

CCleaner doporucuji pouzivat cca jednou za tyden

Zlegalizovat system bez jeho reinstalu jde - presny postup Vam bohuzel nereknu, ale kdyz napisete microsoftu, urcite poradi jak na to

[Chulap]

Vsetky postupy na poupratovaie vykonane. Ako mozem odstranit adresar Qoobox? A aj na ploche mam ComboFix s tym nazvom Beruska.com

[vyosek]

Berusku normalne smazte - i vy sadisto - takove hezke zviratko

Qoobox nejde normalne smazat Zkuste tohle http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

[Chulap]

Zdravim,

ten adresar Qoobox sa nepodarilo odstranit. Pozeram, ze adresar ma este podadresar BackEnv, ktory je chraneny avsak nie su tam ziadne subory. Qoobox je uplne prazdny, takze necham ho tam ak je ak nema nejaky podstatny vyznam. Inac znova sa mi znicoho nic objavila ta hlaska s vlozenim hesla do tej zvlastnej aplikacie BackUp Archive. Odstranil som ju cez TASK MNGR a je mmentalne pokoj. Avsak obavam sa, ze niekomu sa to objavi na ploche, hodi tam hocijake cislo ako heslo a prave na toto ta vec asi caka ...

[vyosek]

Kdyz se spusti a prejdete v task manageru na umisteni, kde ten BackUp Archive je

Stahnete SytemLook (viz muj podpis) a ulozte jej na plochu

• Do okna vlozte skript nize

• Kód: Vybrat vše

  :folderfind
  BackUp Archive
  
  :regfind
  BackUp Archive

• Kliknete na Look
• Tlacitko Look se zmeni na Scanning a zsedne
• Pockejte pokud se tlacitko Scanning opet nezmeni na Look - tak poznate ze SystemLook dokoncil svou praci
• Vyskoci na Vas log s nazvem SystemLook (pripadne bude ulozen na plose), jeho obsah mi sem vlozte

[Chulap]

Zdravim,

doteraz sa mi na ploche ta hlaska PASSWORD neobjavila, takze neviem, resp. dufam ze je to uz prec a je vsetko OK. V kazdom pripade, by som sa Vam chcel velmi pekne podakovat za vasu ochotu, snahu a pomoc

Tu je este log z SystemLook, a neviem ci nutne este nieco riesit )

SystemLook 30.07.11 by jpshortstuff
Log created at 22:28 on 13/10/2011 by Rasťo & Marcela
Administrator - Elevation successful

========== folderfind ==========

Searching for "BackUp Archive"
No folders found.

========== regfind ==========

Searching for "BackUp Archive"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"="Monitor for Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tibfile]
@="Acronis True Image Backup Archive"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{1860459D-4692-4825-B761-44A725991050}\0000]
"DriverDesc"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ACRONISDEVICES\0000]
"DeviceDesc"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timounter]
"DisplayName"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\ACRONISDEVICES\0000]
"DeviceDesc"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timounter]
"DisplayName"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{1860459D-4692-4825-B761-44A725991050}\0000]
"DriverDesc"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\ACRONISDEVICES\0000]
"DeviceDesc"="Acronis True Image Backup Archive Explorer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timounter]
"DisplayName"="Acronis True Image Backup Archive Explorer"
[HKEY_USERS\S-1-5-21-789336058-854245398-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"="Monitor for Acronis True Image Backup Archive Explorer"

-= EOF =-

[vyosek]

Zdravim

Ta hlaska je zpusobena Acronisem, jak jste mohl sam videt v logu ze SL. Pokud zmizela, asi jedine dobre

Takze mame hotovo, cisto

Jinak nemate zac, rado se stalo, pomoc na foru je pro me relaxem