SecurityTool (alias socialni inzenyrstvi v praxi)

Zpráva

jejakop · #1 Příspěvek od **jejakop** » 13 dub 2010 12:40

Dobry den,
bohuzel - uz jsem tu zase. Bohuzel proto, ze mi nic jineho nezbyva. Co se stalo:

vola asistentka reditele, ze restartovala PC a ted je tam neco "divneho", jestli muzu prijit

prijdu tam a vidim pres temer celou obrazovku okno s napisem SecurityTool hned taky mensi okynko ve kterem kazdym okamzikem naskakue dalsi "objeveny virus". Plocha jako takova vubec nebyla videt.

prvni co jsem udelal bylo to, ze jsem vytahl ze zasuvky ethernetovy kabel a odpojil PC od LANky

chtel jsem poridit screenshot abych jej sem mohl poslat, ale nepodarilo se mi spustit ani Malovani (mspaint.exe) - resp spustit ano, ale jen na necele 2sec, pak to ta havet sestrelila

vlastne jedine co sem dokazal otevrit bylo okno Tento pocitac, ale k nicemu mi nebylo, nebot ta havet je neustale navrchu a vsechna (i aktivni) okna jsou schovana pod tim...

ono si to dokonce zabira i prostor okolo vlastniho "okna", cili vlastne vuec neni videt puvodni Plocha - jen TaskBar a StartButton

a ted tedy Vas uctive zadam o radu jak to (co nejrychleji) dat dahromady...
=> predpokladam, ze to bude chtit asi nastartovat do Nouzovyho rezimu a v nem se o neco pokusit, ale nemam dost zkusenosti abych se do toho pustil bez odborneho vedeni - obavam se, ze bych mohl natropit vic skody nez uzitku...

PORADITE NEKDO PROSIM?
Diky

jejakop · #2 Příspěvek od **jejakop** » 13 dub 2010 13:19

Fajn, provedu vse dle instrukci a potom se ozvu.
Zatim dik.

jejakop · #3 Příspěvek od **jejakop** » 13 dub 2010 18:17

Taak, konecne je to tady - omlouvam se, ze to trvalo tak dlouho, ale delal jsem co bylo v mych silach a moznostech...

Zde jest ten log:

OTL logfile created on: 4/13/2010 7:59:42 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

1,013.00 Mb Total Physical Memory | 812.00 Mb Available Physical Memory | 80.00% Memory free
901.00 Mb Paging File | 841.00 Mb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 110.21 Gb Free Space | 73.96% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2009/01/20 09:02:04 | 000,611,664 | ---- | M] (Lavasoft) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/10/24 20:56:30 | 000,019,200 | ---- | M] (ESET) [On_Demand] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2008/10/24 20:51:16 | 000,468,224 | ---- | M] (ESET) [Auto] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2006/09/07 14:24:34 | 000,086,016 | ---- | M] (SigmaTel, Inc.) [Auto] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2005/07/14 01:35:00 | 001,175,628 | ---- | M] (CANON INC.) [Auto] -- C:\Program Files\Canon\DIAS\CnxDIAS.exe -- (Canon Driver Information Assist Service)
SRV - [2004/02/05 13:35:02 | 000,847,993 | ---- | M] (Ahead Software AG) [Auto] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto] -- -- (ws2_32sik)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | Auto] -- -- (systemntmi)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | Auto] -- -- (jcjxkxybgrngen)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | Auto] -- -- (fips32cup)
DRV - File not found [Kernel | Auto] -- -- (ds1410d)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | Auto] -- -- (amd64si)
DRV - [2010/04/13 17:37:38 | 000,087,168 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\8c991414.sys -- (8c991414)
DRV - [2008/10/24 20:53:28 | 000,034,824 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2008/10/24 20:46:24 | 000,053,256 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2008/10/24 20:45:32 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/04/13 18:36:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/24 15:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/09/07 14:25:06 | 001,178,088 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/07/21 14:12:16 | 001,095,968 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2005/12/02 17:38:04 | 000,041,728 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2004/09/02 15:45:14 | 000,022,656 | ---- | M] (Elaborate Bytes AG) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/21 23:45:26 | 000,009,856 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2004/02/12 19:11:30 | 000,003,968 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2004/02/05 13:36:56 | 000,026,944 | ---- | M] (Ahead Software AG) [Kernel | System] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2004/02/05 13:36:48 | 000,009,570 | ---- | M] (Ahead Software AG) [Recognizer | System] -- C:\WINDOWS\system32\drivers\incdrec.sys -- (InCDrec)
DRV - [2004/02/05 13:36:44 | 000,093,936 | ---- | M] (Ahead Software AG) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\incdfs.sys -- (InCDfs)
DRV - [2003/12/30 12:38:52 | 000,028,080 | ---- | M] (Ahead Software AG) [Kernel | System] -- C:\WINDOWS\system32\drivers\incdrm.sys -- (incdrm)
DRV - [2002/01/21 12:03:36 | 000,048,472 | ---- | M] (Canon Information Systems) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\cis1284.sys -- (cis1284)
DRV - [1996/04/03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\giveio.sys -- (giveio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\daniel.mrkos_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\daniel.mrkos_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\franta_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\franta_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\jmilik_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\jmilik_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\jmilik_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\jmilik_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = server:8080

IE - HKU\kopecky_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\kopecky_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\kopecky2_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\kopecky2_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\kredbova_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\kredbova_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz

IE - HKU\milik_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\milik_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\najmanova.SOLARKO_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
IE - HKU\najmanova.SOLARKO_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\najmanova.SOLARKO_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = server:8080

IE - HKU\najmanova_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz/
IE - HKU\najmanova_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\najmanova_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\najmanova_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = server:8080

IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz

IE - HKU\USER_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
IE - HKU\USER_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\mozilla thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2008/03/04 14:32:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\mozilla thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

O1 HOSTS File: ([2006/03/02 14:00:00 | 000,000,737 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\jmilik_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\kredbova_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\milik_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\najmanova.SOLARKO_ON_C\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\najmanova.SOLARKO_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\najmanova_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [93725834] C:\DOCUME~1\ALLUSE~1\DATAAP~1\93725834\93725834.exe ()
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
O4 - HKLM..\Run: [MpsOnn] C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSONN.EXE (CANON INC.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKU\kopecky2_ON_C..\Run: [93725834] C:\DOCUME~1\ALLUSE~1\DATAAP~1\93725834\93725834.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Gamma.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Acrobat Speed Launcher.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\daniel.mrkos_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\franta_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\jmilik_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kopecky_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kopecky2_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kredbova_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\milik_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\najmanova.SOLARKO_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\najmanova_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\USER_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} http://www.digitalwebbooks.com/reader/dbplugin.cab (dnlplayer Class)
O16 - DPF: {4C3CEE0B-4F2F-44C3-9586-4368F3200143} http://download.ica.cz/icapki.cab (ICApki Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 3274041046 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solarko.intra
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Nebe.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Nebe.bmp
O29 - HKLM SecurityProviders - (digiwet.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/10 15:26:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/13 12:25:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\kopecky2\IETldCache
[2010/04/13 05:43:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\IETldCache
[2010/04/06 09:39:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\najmanova.SOLARKO\IECompatCache
[2010/04/06 09:39:03 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\najmanova.SOLARKO\PrivacIE
[2010/04/06 09:37:54 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\najmanova.SOLARKO\IETldCache
[2010/04/06 09:31:34 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/03/16 06:27:59 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/03/16 06:21:51 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/03/16 06:17:15 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2005/05/11 23:36:48 | 000,012,288 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\kopecky2\*.tmp files -> C:\Documents and Settings\kopecky2\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/13 17:37:46 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\kopecky2\NTUSER.DAT
[2010/04/13 17:37:38 | 000,087,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\8c991414.sys
[2010/04/13 16:48:06 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/13 12:26:24 | 000,000,764 | ---- | M] () -- C:\Documents and Settings\kopecky2\Plocha\Security Tool.lnk
[2010/04/13 12:25:54 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/13 12:24:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/13 12:24:30 | 1062,727,680 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/13 12:24:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/13 12:23:56 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/04/13 12:23:56 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/04/13 12:23:46 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\NTUSER.DAT
[2010/04/13 12:23:44 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\ntuser.ini
[2010/04/13 12:07:30 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/13 12:07:28 | 000,000,764 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Security Tool.lnk
[2010/04/13 09:46:10 | 000,013,730 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\intlname.ols
[2010/04/13 06:00:00 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1957994488-682003330-1180Core1cac7205870e9da.job
[2010/04/09 09:13:50 | 000,002,517 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Microsoft Office Excel 2003.lnk
[2010/04/07 14:15:28 | 000,002,561 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Microsoft Office Word 2003.lnk
[2010/04/02 11:07:08 | 000,002,258 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Google Chrome.lnk
[2010/03/31 14:12:44 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Faxy 2010.xls
[2010/03/29 11:41:02 | 000,001,394 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Připojení ke vzdálené ploše.lnk
[2010/03/29 05:52:30 | 000,156,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/18 09:06:32 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Dodavatelé - rozdělení.xls
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\kopecky2\*.tmp files -> C:\Documents and Settings\kopecky2\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 12:26:22 | 000,000,764 | ---- | C] () -- C:\Documents and Settings\kopecky2\Plocha\Security Tool.lnk
[2010/04/13 12:07:26 | 000,000,764 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Plocha\Security Tool.lnk
[2010/03/19 05:55:07 | 000,001,006 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1957994488-682003330-1180Core1cac7205870e9da.job
[2009/11/27 06:10:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2009/10/20 08:35:35 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MSHRES0E.DLL
[2009/10/20 08:35:35 | 000,028,693 | ---- | C] () -- C:\WINDOWS\MSUMLT0E.INI
[2009/09/21 05:51:50 | 000,087,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\8c991414.sys
[2009/07/20 14:30:37 | 000,000,028 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\wiaserva.log
[2009/05/14 03:01:25 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/06 06:02:19 | 000,213,024 | ---- | C] () -- C:\WINDOWS\System32\drivers\str.sys
[2009/04/23 11:05:28 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/01/08 18:44:22 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\jmilik\Local Settings\Data aplikací\fusioncache.dat
[2008/06/03 13:35:01 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\kopecky\Local Settings\Data aplikací\fusioncache.dat
[2008/04/28 07:53:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\HelpFilesUpdatePatch_HELPFILEREPLACE.log
[2008/04/28 07:53:20 | 000,000,365 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
[2008/04/28 07:53:20 | 000,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2008/04/28 07:53:06 | 000,002,891 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\PatchUpdate_InstantShareJPG.log
[2008/04/28 07:53:06 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2008/04/28 07:52:38 | 000,003,720 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\PatchUpdate_IZClosingDiscError.log
[2008/04/28 07:52:38 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2008/04/28 07:50:11 | 000,033,841 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\Update_HP_RedboxHprblog_HPSU.log
[2008/04/28 07:50:11 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2008/03/13 09:33:52 | 000,192,592 | ---- | C] () -- C:\WINDOWS\System32\DNLEng.dll
[2008/02/20 11:11:16 | 000,034,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2007/12/28 11:37:44 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Data aplikací\PUTTY.RND
[2007/12/23 14:27:20 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\jmilik\Local Settings\Data aplikací\PUTTY.RND
[2007/12/23 12:50:41 | 000,000,208 | ---- | C] () -- C:\WINDOWS\MPASS.INI
[2007/07/20 09:40:04 | 000,000,339 | ---- | C] () -- C:\WINDOWS\PWK20.INI
[2007/07/02 11:49:53 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\milik\Local Settings\Data aplikací\fusioncache.dat
[2007/03/12 11:38:05 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/22 14:14:04 | 000,000,043 | ---- | C] () -- C:\WINDOWS\hpfccopy.INI
[2006/11/20 10:38:55 | 003,673,360 | ---- | C] () -- C:\WINDOWS\System32\MSO97RT.DLL
[2006/11/15 17:15:27 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2006/11/15 17:15:27 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2006/11/15 17:14:12 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2006/11/15 16:51:51 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Data aplikací\fusioncache.dat
[2006/11/15 16:47:09 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Data aplikací\fusioncache.dat
[2006/11/11 11:27:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/10 15:45:16 | 000,000,390 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/05/27 10:19:18 | 000,002,424 | ---- | C] () -- C:\WINDOWS\System32\DIASUninst.ini
[2003/04/09 15:38:04 | 000,005,664 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/04/03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys
[1980/01/01 00:00:00 | 000,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[1980/01/01 00:00:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
[1980/01/01 00:00:00 | 000,000,510 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

========== LOP Check ==========

[2008/08/18 11:04:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jmilik\Data aplikací\Thunderbird
[2010/02/19 14:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jmilik\Data aplikací\BR
[2008/06/01 18:06:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\milik\Data aplikací\Thunderbird
[2008/03/04 14:32:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\Thunderbird
[2009/02/16 08:32:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\Cybele Software
[2010/02/19 11:57:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\BR

========== Purity Check ==========

< End of report >

Doufam, ze se i v tuhle pozdni hodinu najde nekdo, kdo mi poradi (protoze ten dobrodinec co mi radil dat sem ten log tu ted uz asi neni...). Kdyby slo o me, nikam bych nespechal, ale to PC je sefovo asistentky a esi to rano nepojede, tak na koberecek pudu samozrejme ja... No nic, nema cenu si stezovat, ze?

Predem diky za dobre rady!

jejakop · #4 Příspěvek od **jejakop** » 13 dub 2010 19:12

OK, jdu na to, jen se chci radeji preptat - ponevadz se bojim mit to zasvinene PC pripojene k LANce, pouzivam ted k prenosu souboru Pozn.Blok/TXT files/FlashDiskUSB - jak jinak dostanu text z myho NTB (kde sedim ted) do nakazeneho PC (na vedlejsim stole)? Cili: jak velke riziko podstupuji tim pouzivanim flashdisku? Nebo naopak se bat nemusim a muzu to pripojit k LANce?

Jdu to udelat, at mam ten vysledek pro vas co nejdriv a moc vas nezdrzuju...

Zatim diky!

jejakop · #5 Příspěvek od **jejakop** » 13 dub 2010 19:18

maly dotaz: Fix hotovo - a ten Restart mam udela sam rucne nebo se to restartne samo? Hned po probehnuti Fix se objevil TXT file, ale to neni ten co ho chcete, je to tak?

jejakop · #6 Příspěvek od **jejakop** » 13 dub 2010 19:48

Tak poporade:

ja to puvodne pochopil tak, ze te zajima log ktery vznikne po restartu (i kdyz to asi nedava moc smyslu, no nic). Tady je to co se zobrazilo hned po Fixu (ani nevim, kde je to ulozeno, ja si to z toho okna hned ctrl+s ulozil na flashku:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\8c991414 deleted successfully.
C:\WINDOWS\system32\drivers\8c991414.sys moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\93725834 deleted successfully.
C:\DOCUME~1\ALLUSE~1\DATAAP~1\93725834\93725834.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 deleted successfully.
Registry value HKEY_USERS\kopecky2_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\93725834 deleted successfully.
File C:\DOCUME~1\ALLUSE~1\DATAAP~1\93725834\93725834.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\\SecurityProviders:digiwet.dll deleted successfully.
File C:\WINDOWS\System32\drivers\8c991414.sys not found.
C:\Documents and Settings\kopecky2\Plocha\Security Tool.lnk moved successfully.
C:\WINDOWS\System32\Security.dll moved successfully.

OTLPE by OldTimer - Version 3.1.37.1 log created on 04132010_211531

PC jsem restartoval, boot do win - ted tam bezi jakysi win startup control (takovy to co se pousti pote co vypnou elektriku)

v praci jsem jak je potreba - mam sice povinnost (jako kazdej) odpracovat denne 8,5hodiny, ale u me je (vicemene) jedno, kdy prijdu a kdy odejdu (pokud ovsem vse co mam nastarosti funguje jak ma). My jsme takova relativna mala, rodinna firma (bohuzel, ackoli reditele mi dela vlastni otec, kdyz pisu rodinna firma, netyka se to nasi rodiny - my oba jsme tu jen zamestnani...). No nicmene abych odpovedel na tvou otazku: v praci jsem dnes tak dlouho proto, ze A) sefovo sekretarce se podelal ten PC B) mam tu hromadu bezne prace C) ve Ctvrtek rano jedu na tydeni sluzebni cestu (krom starosti o PC ve firme jsem jeste service engineer na kartonazni stroje ktery vyrabime) po 2 klientech a jenom pripravy mi zaberou 1 den; jeste jsem nestihl ani zacit s pripravami...

a jestli mas chut se zeptat, kdy hodlam spat, tak to bych videl az tak nekdy na prelom leta/podzimu

taaak, uz to dobehlo, ted se prihlasuju (btw pouzivam svuj ucet - na vsech stanicich jsem jako LocalAdmin - ale projevilo se to v jinam uctu); jsem prihlasen. vse vypada OK. Zkusim to trochu dukladneji a ozvu se za chvilku...

zatim dikes!!!

jejakop · #7 Příspěvek od **jejakop** » 13 dub 2010 20:17

No, odhlasil jsem se jako Já a prihlasil se na jeji ucet (tzn na ucet kazdodenni uzivatelky PC).

Tu jsou me poznatky:

Se zbytkem site si to povida

Na net se dostane

Money S3 jede, coz je velmi podstatne

Posta jede

Pripojeni ke vzdalene plose taky

Všechny zastupci a ikonky co ma na plose (jak se v tom muze vyznat vi buh) ji taky funguji

Cili si dovoluji timto PROHLASIT PC ZA VYCISTENO/OPRAVENO/Z MRTVYCH VZKRISENO

No pro jistotu pustim ještě Secunii aby mi nasla nezazaplatovany diry a přes noc necham pracovat pana Eseta… Ale myslim, ze to podstatne je hotovo. Fakt mi spadl kamen ze srdce!

Mam ale ještě několik dotazu:

Když se mi tu ve firme za par dnu/tydnu objevi stejna/podobna brebera (resp brebera stejne/podobne se projevujici) – mohu zkusit pouzit to dnesni CDcko? Asi tezko vlastne, když si nejsem schopen sam napsat potrebny skript (nebo cos mi to daval k vlozeni do OTL). No tak to jsem si vlasne odpovedel sam, ze? Sikula.

Ještě na něco jsem se chtel optat, ale ted si zaboha nemuzu vzpomenout, sakra!

Pujdu si zakourit a třeba se mi rozsviti a vzpomenu si…

A mezitim pustim ten RSIT, jasne! Driv nez secunii&eset.

Kazdopadne mockrat Ti (tykame?/vykame?) za poskytnutou pomoc – bez ni bych to zcela jiste nezvladl – rozhodne ne tak ciste, elegantne a především rychle! Takze DIKY!

jejakop · #8 Příspěvek od **jejakop** » 13 dub 2010 21:02

Tak uz je to!

Security.dll skutecne nebyla tam kde mela byt a flakala se tam kdes rikal, ze bude. Presunuto zpet. Presto ale inet fungoval - nerikals, ze bez teto knihovny by nemel fungovat?? Jen si v tom snazim udelat jasno...

Vyyborne - tak to jsme stejne stari

OK, je fakt ze takoveto pouziti toho cd me zatim nenapadlo, ale urcite si ho schovam - bude se hodit.

k tomu Esetu - jen upresnuju, ze jsem mel (a furt mam) na mysli nikoli ESET OnLine Scanner (ci jaxe to jmenuje), ale normalni ESET kterej tu mam nainstalovanej na kazdy stanici (a na serveru vlastne taky). Mam v planu nastavit Hloubkovou kontrolu vsech souboru a nechat to bezet pres noc (uz mi totiz pomalu zacina padat hlava...)

no a posledni vec - to je ten log z RSITu, takze tady je:

Logfile of random's system information tool 1.06 (written by random/random)
Run by kopecky2 at 2010-04-13 22:24:24
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 113 GB (74%) free of 153 GB
Total RAM: 1013 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:55, on 13.4.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\sttray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\AcroDist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\48s\RSIT.exe
C:\Program Files\trend micro\kopecky2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.triline.cz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1715567821-1957994488-682003330-1180\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'najmanova')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International
O14 - IERESET.INF: START_PAGE_URL=http://www.triline.cz
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {4C3CEE0B-4F2F-44C3-9586-4368F3200143} (ICApki Class) - http://download.ica.cz/icapki.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3274041046
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = solarko.intra
O17 - HKLM\Software\..\Telephony: DomainName = solarko.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solarko.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = solarko.intra
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8987 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1957994488-682003330-1180Core1cac7205870e9da.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-06 41368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-06 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2006-07-21 98304]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2006-07-21 86016]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2006-07-21 81920]
"SigmatelSysTrayApp"=C:\WINDOWS\sttray.exe [2006-09-07 303104]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-14 143872]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe [2004-02-05 1261687]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-06 148888]
"VirtualCloneDrive"=C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2004-08-20 45056]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
""= []
"MpsOnn"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe [2007-05-28 28232]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-10-24 1451264]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Rychlé spuštění aplikace HP Image Zone.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2005-05-12 73728]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-07-21 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 267304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Canon\DIAS\CnxDIAS.exe"="C:\Program Files\Canon\DIAS\CnxDIAS.exe:*:Disabled:Canon Driver Information Assist Service"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\najmanova.SOLARKO\Plocha\PVITransfer\PVITransfer\PviMan.exe"="C:\Documents and Settings\najmanova.SOLARKO\Plocha\PVITransfer\PVITransfer\PviMan.exe:*:Enabled:PVI Manager"

======List of files/folders created in the last 1 months======

2010-04-13 22:24:24 ----D---- C:\rsit
2010-04-13 22:24:24 ----D---- C:\Program Files\trend micro
2010-04-13 22:23:54 ----D---- C:\48s
2010-04-13 21:45:36 ----D---- C:\Documents and Settings\kopecky2\Data aplikací\Macromedia
2010-04-13 21:27:58 ----SHD---- C:\FOUND.006
2010-04-13 21:15:31 ----D---- C:\_OTL
2010-04-13 20:01:38 ----A---- C:\OTL.Txt
2010-04-13 05:43:26 ----D---- C:\Documents and Settings\All Users\Data aplikací\93725834
2010-04-06 09:31:34 ----HD---- C:\WINDOWS\ie8

======List of files/folders modified in the last 1 months======

2010-04-13 17:37:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-13 12:26:02 ----A---- C:\WINDOWS\OEWABLog.txt
2010-04-13 11:50:02 ----A---- C:\psfparse.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-10-24 53256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-10-24 34824]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-02-05 26944]
R1 incdrm;InCD EasyWrite Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2003-12-30 28080]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R2 cis1284;cis1284; \??\C:\WINDOWS\system32\drivers\cis1284.sys []
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-10-24 39944]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2004-07-21 9856]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2006-01-12 163328]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2004-02-12 3968]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2006-07-21 1095968]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-09-07 1178088]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-02-05 93936]
S2 amd64si;amd64si; \??\C:\WINDOWS\system32\drivers\amd64si.sys []
S2 ds1410d;DS1410D; C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS []
S2 fips32cup;fips32cup; \??\C:\WINDOWS\system32\drivers\fips32cup.sys []
S2 jcjxkxybgrngen;jcjxkxybgrngen; \??\C:\WINDOWS\system32\drivers\fslehfsumlteiw.sys []
S2 systemntmi;systemntmi; \??\C:\WINDOWS\system32\drivers\systemntmi.sys []
S2 ws2_32sik;ws2_32sik; \??\C:\WINDOWS\system32\drivers\ws2_32sik.sys []
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sfng32;Sonic Focus Plugin for Sigmatel HDA; C:\WINDOWS\system32\drivers\sfng32.sys [2005-12-02 41728]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2009-01-20 611664]
R2 Canon Driver Information Assist Service;Canon Driver Information Assist Service; C:\Program Files\Canon\DIAS\CnxDIAS.exe [2005-07-14 1175628]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2004-02-05 847993]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-06 152984]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\STacSV.exe [2006-09-07 86016]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-25 135664]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2007-04-04 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-10-24 19200]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Snad to bude OK. Doufam - uz chci dnes do postele!

jejakop · #9 Příspěvek od **jejakop** » 13 dub 2010 21:21

Pripomne mi kdybych nahodou chtel nasadit combofix, abych to nedelal, nema rad nektere ucetnivtvi - maze ho

tak to si bud jist, ze ti to pripomenu!

i kdyz ono by se tolik nestalo - data jsou na serveru, na stanici je jen aplikace a samozrejme server je denne zalohovan na pasku...

OK, budu se tesit na zitra.
Thanks a dobrou.

jejakop · #10 Příspěvek od **jejakop** » 14 dub 2010 07:04

Dobre rano,
tak uz jsem zase tady a se mnou log z vcerejsi hloubkove kontroly ESETem:

Protokol o kontrole
Verze virové databáze: 5026 (20100413)
Datum: 14.4.2010 Čas: 0:23:37
Testované disky, adresáře a soubory: Paměť;C:\Boot sektor;C:\
C:\pagefile.sys - chyba při otevírání [4]
C:\hiberfil.sys - chyba při otevírání [4]
C:\WINDOWS\system32\config\system.LOG - chyba při otevírání [4]
C:\WINDOWS\system32\config\software.LOG - chyba při otevírání [4]
C:\WINDOWS\system32\config\default.LOG - chyba při otevírání [4]
C:\WINDOWS\system32\config\SECURITY - chyba při otevírání [4]
C:\WINDOWS\system32\config\SAM - chyba při otevírání [4]
C:\WINDOWS\system32\config\SECURITY.LOG - chyba při otevírání [4]
C:\WINDOWS\system32\config\SAM.LOG - chyba při otevírání [4]
C:\WINDOWS\system32\config\SYSTEM - chyba při otevírání [4]
C:\WINDOWS\system32\config\SOFTWARE - chyba při otevírání [4]
C:\WINDOWS\system32\config\DEFAULT - chyba při otevírání [4]
C:\WINDOWS\Temp\2DB4E691.exe - varianta infiltrace Win32/Kryptik.DPV trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\NetworkService\NTUSER.DAT - chyba při otevírání [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat - chyba při otevírání [4]
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - chyba při otevírání [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat - chyba při otevírání [4]
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Temp\~TM54F.tmp - varianta infiltrace Win32/Kryptik.ALJ trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Temp\756274notepad.exe - Win32/Adware.GeneralAV aplikace - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Temp\925251charmap.exe - varianta infiltrace Win32/Kryptik.CIQ trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\najmanova.SOLARKO\Local Settings\Temp\jar_cache1696982125537469791.tmp » ZIP » fiece/MyYjefe.class - pravděpodobně varianta infiltrace Java/TrojanDownloader.Agent.NAI trojský kůň - byl součástí smazaného objektu
C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\Sun\Java\Deployment\cache\6.0\23\222f7497-1dc76667 - pravděpodobně varianta infiltrace Win32/Agent trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\najmanova.SOLARKO\Data aplikací\Sun\Java\Deployment\cache\6.0\35\5c30eea3-45a24cd3 - pravděpodobně varianta infiltrace Win32/Agent trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\Documents and Settings\kopecky2\NTUSER.DAT - chyba při otevírání [4]
C:\Documents and Settings\kopecky2\ntuser.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\kopecky2\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG - chyba při otevírání [4]
C:\Documents and Settings\kopecky2\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat - chyba při otevírání [4]
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe » NSIS - špatný archiv
C:\_OTL\MovedFiles\04132010_211531\C_WINDOWS\system32\drivers\8c991414.sys - Win32/Rustock.NIH trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\_OTL\MovedFiles\04132010_211531\C_DOCUME~1\ALLUSE~1\DATAAP~1\93725834\93725834.exe - Win32/Adware.SecurityTool.AA aplikace - vyléčen smazáním - uložen do karantény [1]
C:\System Volume Information\_restore{DC90D06B-B1DA-46B2-A153-1E074EA92957}\RP792\A0099695.exe - varianta infiltrace Win32/Kryptik.CIQ trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\System Volume Information\_restore{DC90D06B-B1DA-46B2-A153-1E074EA92957}\RP829\A0105600.sys - Win32/Rustock.NIH trojský kůň - vyléčen smazáním - uložen do karantény [1]
C:\System Volume Information\_restore{DC90D06B-B1DA-46B2-A153-1E074EA92957}\RP829\A0105601.exe - Win32/Adware.SecurityTool.AA aplikace - vyléčen smazáním - uložen do karantény [1]
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » SCANDISK.EXE » Pklite 1.15 - chyba při extrakci
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » SCANDISK.INI - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » SYS.COM - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » MSCDEX.EXE - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » EXT.EXE - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » ATTRIB.EXE - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » FORMAT.COM - archiv je poškozen a soubor nemůže být extrahován
C:\OLDHD\WINDOWS\OPTIONS\CABS\BASE4.CAB » CAB » ebd.cab » CAB » RESTART.COM - nemohu najít další díl archivu
C:\OLDHD\WINDOWS\OPTIONS\CABS\DRIVER11.CAB » CAB » iyuv_32.dll - nemohu najít další díl archivu
C:\OLDHD\WINDOWS\OPTIONS\CABS\NET7.CAB » CAB » ditrace.exe - nemohu najít další díl archivu
C:\OLDHD\WINDOWS\OPTIONS\CABS\PRECOPY1.CAB » CAB » suwin.exe - nemohu najít další díl archivu
C:\OLDHD\WINDOWS\OPTIONS\CABS\WIN98_21.CAB » CAB » acelpdec.ax - nemohu najít další díl archivu
Počet zkontrolovaných objektů: 526543
Počet nalezených infiltrací: 12
Počet vyléčených objektů: 12
Čas ukončení: 1:37:04 Celkový čas diagnostiky: 4407 sek (01:13:27)

Poznámky:
[1] Objekt byl smazán, obsahoval pouze škodlivý kód.
[4] Objekt nelze otevřít ke čtení. Je využíván jinou aplikací (nebo operačním systémem), která ho otevřela výhradně pro sebe.

Všiml jsem si, že to něco objevilo, ale nebudu se ppouštět do věcí kterym nerozumim a hodnoceni logu prenecham s dovolenim tobe

Dej vedet jake dalsi kroky mam podniknout...

THX

jejakop · #11 Příspěvek od **jejakop** » 14 dub 2010 12:53

all right, jdu na to a ozvu se s vysledkem, resp pokud bych narazil na neco s cim si neporadim...
thx

#12 Příspěvek od **cernohous13** » 14 dub 2010 15:06

Dovolím si vstup - zastaralé odkazy na obrázky jsou nefunkční proto:
obr1 - http://img9.imgup.eu/registry.jpg
obr2 - http://img0.imgup.eu/registry1.jpg

jejakop · #13 Příspěvek od **jejakop** » 14 dub 2010 17:12

Panove,
obema vam dekuji za udelene rady, avsak musim se zaroven omluvit. Totiz situace je takova, ze ja MUSIM zitra rano odjet na zahranicni sluzebnii cestu a pripravy na ni (jde o servis relativne slozitych stroju) mi zabrali naprostou vetsinu dnesniho dne a to jeste nejsem zcela u konce. O tom, ze si taky musim zabalit a trochu se vyspat nez si sednu za volant a pojedu 600km buhvikam (na dnesek jsem spal asi 4 hodiny) se nebudu rozepisovat.
Proste doslo k prehodnoceni priorit a sam sef pravil, ze asistentcin PC bude muset pockat a ona s nim (co bude ten tyden bez kompu delat nevim, ale nestaram se). Takze - vasich rad si cenim a jiste se jimi budu ridit, ale az po navratu, cili nejdrive ve ctvrtek pristiho tydne...

Do te doby se mejte.
Diky

VIRY.CZ

SecurityTool (alias socialni inzenyrstvi v praxi)

SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)

Re: SecurityTool (alias socialni inzenyrstvi v praxi)