Podezřelý proces gtkxxx.tmp

Zpráva

Thales · #1 Příspěvek od **Thales** » 11 kvě 2010 13:21

Dobrý den,

jsem na tomto fóru nový ale přesto bych rád poprosil o vaší pomoc. Bohužel dnes dopoledne v době kdy jsem spal požívala přítulka můj PC a podařilo se jí vylepšit obsah mého PC o nějaký sajrajt "SecurityTool" (samozřejmě tvrdí "Já nic nedělala" nicméně včera když jsem šel spát byl PC ještě čistý). Ten se mi podařilo přinejmenším částečně spacifikovat tím že jsem zlikvidoval jeho proces, ručně ho smazal a následně použil CCleaner. Bohužel se však současně s ním objevil ve výpisu procesů několik procesů gtkxxx.tmp kde xxx jsou náhodné znaky skládající se z písmen a číslic které se po čase mění. Po ukončení jednoho takového procesu se místo něj objeví jeden až dva další. Tyto procesy procházejí soubory (zjištěno utilitou "File Monitor") a jak se domnívám vyhledávají takové které by mohly obsahovat přístupové údaje. Nevím zda tyto procesy nějak souvisí s tím "SecurityTool" nebo je to další prima věc kterou se jí sem podařilo dostat. Rád bych se toho nějak zbavil. Jak jsem si zde na fóru přečetl je třeba stáhnout utilitu RSIT, vytvořit log a ten sem raportovat. Bohužel odkaz http://images.malwareremoval.com/random/RSIT.exe uvedený na stránce http://www.viry.cz/forum/viewtopic.php?f=13&t=82743 se mi však jeví jako nefunkční (Zkoušeno ve dvou prohlížečích - pro jistotu). Google mi v tomto bohužel mnoho nepomohl (netvrdím že jsem byl extra důkladný ale tase jsem tím nechtěl strávit víc než přeiměřené množství času). Mohl bych nějakého dobrovolníka poprosit buď o uvedení funkčního linku abychom mohli pokračovat a nebo o zaslání na email thales kyselaryba email tečka cz ? Děkuji.

#2 Příspěvek od **Caroprd111** » 11 kvě 2010 13:26

Zdravím

http://www.edisk.cz/stahni/75628/RSIT.exe_763.58KB.html

Thales · #3 Příspěvek od **Thales** » 11 kvě 2010 14:12

Takže tady je log. Chvíli to trvalo protože jsem ještě mezitím zkoušel dopátrat problém na vlastní pěst ale zřejmě jsem nebyl dostatečně důsledný. Ale vypátral a zlikvidoval jsem ještě jednoho šmejda. Ten gtk ale bohužel ne. Původně byl v tempu ale odtud jsem ho hnedka smazal ale mezitím se nejspíš zažral jinam. každopádně neustále vytváří své různě pojmenované kopie v jmeno_uzivatele\Local Setting\Temp o velikosti 117760 Bytů (115K). Už jich tam mám zase asi 65.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Thales at 2010-05-11 15:05:08
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 4 GB (51%) free of 8 GB
Total RAM: 495 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05:16, on 11.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe
C:\WINDOWS\System32\alg.exe
C:\Profiles\Thales\Plocha\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Thales.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msupdt.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MsXSLT] C:\WINDOWS\system32\msxslt3.exe
O4 - HKCU\..\Run: [Google Update] "C:\Profiles\Thales\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4222579453
O17 - HKLM\System\CCS\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O20 - Winlogon Notify: wzrd_1 - C:\WINDOWS\SYSTEM32\wzrd_1.dll
O21 - SSODL: LGootkitSSO - {A1BB9624-4730-4BDF-B9E3-DE39806EDBEA} - C:\WINDOWS\System32\lmsxsltsso.dll
O21 - SSODL: GootkitSSO - {FA805C68-F6BD-4C85-A677-218F56E8EBFE} - C:\WINDOWS\System32\msxsltsso.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\bin\jqs.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 5382 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-04 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\bin\ssv.dll [2008-11-19 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\bin\jp2ssv.dll [2008-11-19 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-19 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-12-14 577536]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]
"MsXSLT"=C:\WINDOWS\system32\msxslt3.exe [2009-02-09 23040]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Profiles\Thales\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe [2010-05-11 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzrd_1]
C:\WINDOWS\system32\wzrd_1.dll [2010-05-09 5632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
LGootkitSSO - {A1BB9624-4730-4BDF-B9E3-DE39806EDBEA} - C:\WINDOWS\System32\lmsxsltsso.dll [2010-05-09 6144]
GootkitSSO - {FA805C68-F6BD-4C85-A677-218F56E8EBFE} - C:\WINDOWS\System32\msxsltsso.dll [2010-05-09 41472]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1
"NoSMConfigurePrograms"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\WINDOWS\TEMP\tmp7778.tmp"="C:\WINDOWS\TEMP\tmp7778.tmp:*:Enabled:tmp7778"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.ini - open - "C:\Program Files\GetDiz\GetDiz.exe" "%1"

======List of files/folders created in the last 1 months======

2010-05-11 15:05:08 ----D---- C:\rsit
2010-05-11 15:03:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-11 15:02:24 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-11 14:39:58 ----D---- C:\Program Files\trend micro
2010-05-11 11:55:51 ----A---- C:\WINDOWS\system32\wpcap.dll
2010-05-11 11:55:51 ----A---- C:\WINDOWS\system32\Packet.dll
2010-05-10 14:18:33 ----A---- C:\WINDOWS\system32\mssrv32.exe
2010-05-09 18:47:35 ----D---- C:\Profiles\Thales\Data aplikací\K-Meleon
2010-05-09 01:08:01 ----A---- C:\WINDOWS\system32\sblog.txt
2010-05-09 01:07:43 ----A---- C:\WINDOWS\system32\wzrd_1.dll
2010-05-09 00:59:08 ----D---- C:\Program Files\CCleaner
2010-05-09 00:49:58 ----A---- C:\WINDOWS\system32\msxsltsso.dll
2010-05-09 00:49:57 ----A---- C:\WINDOWS\system32\lmsxsltsso.dll

======List of files/folders modified in the last 1 months======

2010-05-11 15:03:20 ----D---- C:\WINDOWS
2010-05-11 15:00:19 ----A---- C:\WINDOWS\wincmd.ini
2010-05-11 14:56:31 ----D---- C:\WINDOWS\Temp
2010-05-11 14:39:58 ----RD---- C:\Program Files
2010-05-11 13:40:41 ----D---- C:\_DOC
2010-05-11 13:38:16 ----SD---- C:\WINDOWS\Tasks
2010-05-11 13:34:04 ----D---- C:\WINDOWS\system32\drivers
2010-05-11 13:29:40 ----D---- C:\WINDOWS\Prefetch
2010-05-11 13:11:03 ----D---- C:\Profiles\All Users\Data aplikací\Spybot - Search & Destroy
2010-05-11 11:55:51 ----D---- C:\WINDOWS\system32
2010-05-10 16:41:39 ----D---- C:\Program Files\ICQ
2010-05-09 01:02:36 ----D---- C:\WINDOWS\Debug
2010-05-09 00:53:41 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-05-09 00:49:58 ----D---- C:\Program Files\K-Meleon
2010-05-08 12:35:47 ----A---- C:\WINDOWS\wcx_ftp.ini
2010-05-08 11:36:33 ----A---- C:\WINDOWS\NeroDigital.ini
2010-04-26 05:49:17 ----D---- C:\WINDOWS\system32\oodag
2010-04-18 18:17:52 ----SHD---- C:\WINDOWS\Installer
2010-04-12 13:19:51 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-05-06 16512]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-12-16 3842560]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2007-03-14 165760]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-11-06 12160]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 aoz5vwy6;aoz5vwy6; C:\WINDOWS\system32\drivers\aoz5vwy6.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 kvpndev;Kerio VPN adapter; C:\WINDOWS\system32\DRIVERS\kvpndrv.sys [2005-02-11 61440]
S3 NPF;WinPcap Packet Driver (NPF); C:\WINDOWS\system32\drivers\NPF.sys [2010-05-11 50704]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\bin\jqs.exe [2008-11-19 152984]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2005-05-11 225280]
S2 msupdate;Microsoft security update service; c:\windows\system32\mssrv32.exe [2010-05-10 48128]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

#4 Příspěvek od **Caroprd111** » 11 kvě 2010 14:45

Stahněte OTL http://oldtimer.geekstogo.com/OTL.exe

Spusťte, poté do spodního políčka vložte následující skript.

Kód: Vybrat vše

 netsvcs
drivers32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
c:\windows\*.* /U
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys 
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys 
ndis.sys
winlogon.exe
explorer.exe
userinit.exe
lsass.exe
svchost.exe
smss.exe
hal.dll
ws2_32.dll
tcpip.sys
cryptsvc.dll
Changer.sys
JakNDis.sys
isapnp.sys 
cdrom.sys 
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav 
%systemroot%\system32\*.dll /lockedfiles
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c
%systemroot%\system32\drivers\*.sys /3
%systemroot%\system32\*.* /3
CREATERESTOREPOINT

Označte položku Pro všechny uživatele.
Označte položky Kontrola na havěť "LOP" a Kontrola na havěť "Purity"
Klikněte na tlačítko Prohledat
Po dokončení, sem vložte logy OTL.Txt a Extras.txt

Thales · #5 Příspěvek od **Thales** » 11 kvě 2010 14:55

Je tento výsledek OK? Ten svinec je po restartu stále mezi procesy.

OTL logfile created on: 11.5.2010 15:49:26 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = c:\_DOC\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

495,00 Mb Total Physical Memory | 183,00 Mb Available Physical Memory | 37,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): S:\pagefile.sys 1280 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7,84 Gb Total Space | 4,01 Gb Free Space | 51,14% Space Free | Partition Type: NTFS
Drive D: | 355,65 Gb Total Space | 5,49 Gb Free Space | 1,54% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 7,81 Gb Total Space | 0,44 Gb Free Space | 5,65% Space Free | Partition Type: NTFS
Drive S: | 2,01 Gb Total Space | 0,75 Gb Free Space | 37,33% Space Free | Partition Type: NTFS
Drive T: | 4,88 Gb Total Space | 4,82 Gb Free Space | 98,70% Space Free | Partition Type: NTFS
Drive X: | 14,94 Gb Total Space | 2,11 Gb Free Space | 14,12% Space Free | Partition Type: NTFS
Drive Z: | 465,76 Gb Total Space | 0,86 Gb Free Space | 0,18% Space Free | Partition Type: NTFS

Computer Name: C2D
Current User Name: Thales
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.05.11 15:49:06 | 000,117,760 | ---- | M] () -- C:\Profiles\Thales\Local Settings\Temp\gtk6B.tmp
PRC - [2010.05.11 15:48:20 | 000,570,880 | ---- | M] (OldTimer Tools) -- c:\_DOC\Downloads\OTL.exe
PRC - [2010.04.26 19:13:25 | 000,531,440 | ---- | M] (Google Inc.) -- C:\Profiles\Thales\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
PRC - [2008.11.19 02:12:53 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\bin\jqs.exe
PRC - [2008.04.14 07:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.10.23 07:55:02 | 000,851,664 | ---- | M] (C. Ghisler & Co.) -- C:\Program Files\TotalCommander\TOTALCMD.EXE
PRC - [2005.12.14 19:06:00 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005.05.11 04:09:54 | 000,225,280 | ---- | M] (O&O Software GmbH) -- C:\WINDOWS\system32\oodag.exe

========== Modules (SafeList) ==========

MOD - [2010.05.11 15:48:20 | 000,570,880 | ---- | M] (OldTimer Tools) -- c:\_DOC\Downloads\OTL.exe
MOD - [2008.04.14 07:49:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010.05.10 14:18:32 | 000,048,128 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\mssrv32.exe -- (msupdate)
SRV - [2008.11.19 02:12:53 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2005.05.11 04:09:54 | 000,225,280 | ---- | M] (O&O Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\oodag.exe -- (O&O Defrag)

========== Driver Services (SafeList) ==========

DRV - [2010.05.11 11:55:51 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010.05.09 01:07:48 | 000,016,608 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008.11.19 19:39:33 | 000,639,224 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006.09.24 15:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2005.12.16 14:50:00 | 003,842,560 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005.02.11 18:55:32 | 000,061,440 | ---- | M] (Kerio Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kvpndrv.sys -- (kvpndev)
DRV - [2004.05.05 22:48:40 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2002.05.06 12:01:14 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [1996.04.03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1214440339-1935655697-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1214440339-1935655697-1417001333-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1214440339-1935655697-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\lib\deploy\jqs\ff [2008.11.19 02:12:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\K-Meleon\Extensions\\Plugins: C:\Program Files\K-Meleon\Plugins [2010.03.04 18:55:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\K-Meleon\Extensions\\Components: C:\Program Files\K-Meleon\Components [2010.03.20 20:51:26 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010.05.09 00:54:32 | 000,393,065 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 http://www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 http://www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 http://www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 http://www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 http://www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 http://www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 http://www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 http://www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 http://www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 http://www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 http://www.1-2005-search.com
O1 - Hosts: 13576 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [MsXSLT] C:\WINDOWS\system32\msxslt3.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1214440339-1935655697-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1214440339-1935655697-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windows ... 4222579453 (WUWebControl Class)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\msupdt.exe) - C:\WINDOWS\system32\msupdt.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\wzrd_1: DllName - wzrd_1.dll - C:\WINDOWS\System32\wzrd_1.dll ()
O21 - SSODL: GootkitSSO - {FA805C68-F6BD-4C85-A677-218F56E8EBFE} - C:\WINDOWS\system32\msxsltsso.dll ()
O21 - SSODL: LGootkitSSO - {A1BB9624-4730-4BDF-B9E3-DE39806EDBEA} - C:\WINDOWS\system32\lmsxsltsso.dll ()
O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home
O24 - Desktop WallPaper: C:\Profiles\Thales\Local Settings\Data aplikací\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Profiles\Thales\Local Settings\Data aplikací\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009.05.16 22:06:57 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: plzwls - C:\WINDOWS\system32\uyfqavbj.dll ()

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\divxa32.acm (Kristal StudioDFileDescription)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3fhg - C:\WINDOWS\System32\mp3fhg.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.HFYU - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.i263 - C:\WINDOWS\System32\I263_32.drv (Intel Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP70 - C:\WINDOWS\System32\vp7vfw.dll (On2.com)
Drivers32: VIDC.X264 - C:\WINDOWS\System32\x264vfw.dll ()
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (http://www.helixcommunity.org)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010.05.11 15:05:08 | 000,000,000 | ---D | C] -- C:\rsit
[2010.05.11 15:01:07 | 000,000,000 | RH-D | C] -- C:\Profiles\Thales\Recent
[2010.05.11 14:39:58 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010.05.11 13:46:53 | 000,000,000 | ---D | C] -- C:\Profiles\Thales\Local Settings\Data aplikací\Downloaded Installations
[2010.05.11 13:40:41 | 000,000,000 | ---D | C] -- C:\_DOC\Downloads
[2010.05.11 13:38:17 | 000,000,000 | ---D | C] -- C:\Profiles\Thales\Local Settings\Data aplikací\Temp
[2010.05.11 13:38:14 | 000,000,000 | ---D | C] -- C:\Profiles\Thales\Local Settings\Data aplikací\Google
[2010.05.11 11:55:51 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010.05.11 11:55:51 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010.05.11 11:55:51 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2010.05.09 18:47:35 | 000,000,000 | ---D | C] -- C:\Profiles\Thales\Data aplikací\K-Meleon
[2010.05.09 00:59:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

========== Files - Modified Within 30 Days ==========

[2010.05.11 15:43:00 | 000,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500UA.job
[2010.05.11 15:42:56 | 000,004,063 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010.05.11 15:03:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.05.11 15:03:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.05.11 15:03:08 | 000,036,375 | ---- | M] () -- C:\WINDOWS\System32\OODBS.lor
[2010.05.11 15:02:38 | 000,000,178 | -HS- | M] () -- C:\Profiles\Thales\ntuser.ini
[2010.05.11 15:02:37 | 006,553,600 | -H-- | M] () -- C:\Profiles\Thales\NTUSER.DAT
[2010.05.11 15:02:36 | 003,712,656 | -H-- | M] () -- C:\Profiles\Thales\Local Settings\Data aplikací\IconCache.db
[2010.05.11 14:28:41 | 000,781,909 | ---- | M] () -- C:\Profiles\Thales\Plocha\RSIT.exe
[2010.05.11 13:43:00 | 000,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500Core.job
[2010.05.11 13:39:06 | 000,002,174 | ---- | M] () -- C:\Profiles\Thales\Plocha\Google Chrome.lnk
[2010.05.11 11:55:51 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010.05.11 11:55:51 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010.05.11 11:55:51 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2010.05.11 11:43:55 | 000,000,052 | ---- | M] () -- C:\WINDOWS\System32\msxslt.dat
[2010.05.10 14:18:32 | 000,048,128 | ---- | M] () -- C:\WINDOWS\System32\mssrv32.exe
[2010.05.09 01:07:48 | 000,016,608 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2010.05.09 01:07:43 | 000,005,632 | ---- | M] () -- C:\WINDOWS\System32\wzrd_1.dll
[2010.05.09 00:54:32 | 000,393,065 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.05.09 00:49:58 | 000,041,472 | ---- | M] () -- C:\WINDOWS\System32\msxsltsso.dll
[2010.05.09 00:49:57 | 000,006,144 | ---- | M] () -- C:\WINDOWS\System32\lmsxsltsso.dll
[2010.05.09 00:42:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.05.08 12:35:47 | 000,001,455 | ---- | M] () -- C:\WINDOWS\wcx_ftp.ini
[2010.05.08 11:36:33 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.04.12 13:19:51 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini

========== Files Created - No Company Name ==========

[2010.05.11 14:40:18 | 000,781,909 | ---- | C] () -- C:\Profiles\Thales\Plocha\RSIT.exe
[2010.05.11 13:39:06 | 000,002,174 | ---- | C] () -- C:\Profiles\Thales\Plocha\Google Chrome.lnk
[2010.05.11 13:38:16 | 000,001,002 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500UA.job
[2010.05.11 13:38:15 | 000,000,950 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500Core.job
[2010.05.10 14:18:33 | 000,048,128 | ---- | C] () -- C:\WINDOWS\System32\mssrv32.exe
[2010.05.09 01:07:43 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\wzrd_1.dll
[2010.05.09 00:49:58 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\msxsltsso.dll
[2010.05.09 00:49:58 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\msxslt.dat
[2010.05.09 00:49:57 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\lmsxsltsso.dll
[2010.01.23 07:41:18 | 000,000,093 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010.01.20 09:39:19 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winchat.ini
[2009.05.27 21:28:44 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009.05.11 22:15:00 | 000,001,455 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2008.12.04 01:06:43 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008.12.04 01:06:42 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2008.12.04 01:06:41 | 002,283,027 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2008.12.04 01:06:40 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008.12.04 01:06:40 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008.12.04 01:06:40 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008.12.04 01:06:38 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.12.04 01:06:38 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.11.20 23:12:16 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.11.19 19:39:33 | 000,639,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008.11.19 03:18:25 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008.11.19 01:45:26 | 000,004,063 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2008.04.14 07:51:46 | 000,213,974 | RHS- | C] () -- C:\WINDOWS\System32\uyfqavbj.dll
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009.03.30 22:00:21 | 000,000,000 | ---D | M] -- C:\Profiles\All Users\Data aplikací\BVRP Software
[2009.08.13 22:18:05 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Foxit
[2009.11.27 20:19:06 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Foxit Software
[2009.04.14 21:32:28 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\ICQ
[2010.05.09 18:47:35 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\K-Meleon
[2009.03.31 00:11:22 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Kerio
[2008.11.19 02:22:44 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\OpenOffice.org
[2008.11.19 02:14:45 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Opera
[2009.12.31 05:38:34 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Thinstall

========== Purity Check ==========

========== Custom Scans ==========

< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
"Google Update" = "C:\Profiles\Thales\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c -- [2010.05.11 13:38:14 | 000,136,176 | ---- | M] (Google Inc.)

< c:\windows\*.* /U >

< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2009.03.30 23:00:28 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Adobe
[2008.11.20 23:12:31 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Ahead
[2009.08.13 22:18:05 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Foxit
[2009.11.27 20:19:06 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Foxit Software
[2009.10.02 03:07:15 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Help
[2009.04.14 21:32:28 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\ICQ
[2008.11.19 01:47:55 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Identities
[2010.05.09 18:47:35 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\K-Meleon
[2009.03.31 00:11:22 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Kerio
[2009.03.30 23:00:28 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Macromedia
[2008.12.04 05:25:03 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Media Player Classic
[2009.09.21 01:51:12 | 000,000,000 | --SD | M] -- C:\Profiles\Thales\Data aplikací\Microsoft
[2008.11.19 02:22:44 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\OpenOffice.org
[2008.11.19 02:14:45 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Opera
[2009.06.25 02:45:25 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Real
[2008.11.19 02:12:30 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Sun
[2009.12.31 05:38:34 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\Thinstall
[2008.11.19 02:17:29 | 000,000,000 | ---D | M] -- C:\Profiles\Thales\Data aplikací\WinRAR

< %APPDATA%\*.exe /s >

< MD5 for: AGP440.SYS >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: AHCIX86.SYS >
[2008.11.06 00:57:25 | 000,176,136 | ---- | M] (AMD Technologies Inc.) MD5=B6E729A575F84938A08D367E8352EB86 -- C:\WINDOWS\NLDRV\003\ahcix86.sys

< MD5 for: ATAPI.SYS >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008.04.14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: CDROM.SYS >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:cdrom.sys
[2008.05.02 12:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\Driver Cache\i386\cdrom.sys
[2008.05.02 12:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\dllcache\cdrom.sys
[2008.05.02 11:49:39 | 000,062,976 | ---- | M] (Microsoft Corporation) MD5=4B0A100EAF5C49EF3CCA8C641431EACC -- C:\WINDOWS\system32\drivers\cdrom.sys

< MD5 for: CRYPTSVC.DLL >
[2008.04.14 07:51:40 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=F3AB0933CBD166D271992F411C27CCAF -- C:\WINDOWS\system32\cryptsvc.dll

< MD5 for: EVENTLOG.DLL >
[2008.04.14 07:51:42 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=2EE99F67C930931EB404DADCE57E976E -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008.04.14 07:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=27AFD587C462E280EE046B8CCA3C2CD1 -- C:\WINDOWS\explorer.exe

< MD5 for: HAL.DLL >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:hal.dll
[2008.04.13 23:01:30 | 000,134,400 | ---- | M] (Microsoft Corporation) MD5=4329EE7D502C9113EBA0F9570392F5EE -- C:\WINDOWS\system32\hal.dll

< MD5 for: CHANGER.SYS >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:Changer.sys

< MD5 for: IASTOR.SYS >
[2008.11.06 00:57:35 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\NLDRV\005\iastor.sys
[2008.11.06 00:57:26 | 000,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\NLDRV\004\iastor.sys

< MD5 for: ISAPNP.SYS >
[2008.11.06 01:03:48 | 017,813,288 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:isapnp.sys
[2008.04.14 07:57:54 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=CC9F8A2D60AED1A51A3AC34C59B987AE -- C:\WINDOWS\system32\drivers\isapnp.sys
[2008.04.14 06:57:54 | 000,037,248 | ---- | M] (Microsoft Corporation) MD5=CC9F8A2D60AED1A51A3AC34C59B987AE -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\isapnp.sys

< MD5 for: LSASS.EXE >
[2008.04.14 07:52:30 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=ED0A176354487CEED65B80A7148AB739 -- C:\WINDOWS\system32\lsass.exe

< MD5 for: NDIS.SYS >
[2008.11.06 00:56:40 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=B5B1080D35974C0E718D64280761BCD5 -- C:\WINDOWS\system32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008.11.06 00:56:03 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=B3D65E8F4D9EC988FA17060F21AC445B -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVGTS.SYS >
[2008.11.06 00:57:47 | 000,102,400 | ---- | M] (NVIDIA Corporation) MD5=1F790624AB1619CAE0C78597BD33615B -- C:\WINDOWS\NLDRV\008\nvgts.sys
[2008.11.06 00:57:48 | 000,102,400 | ---- | M] (NVIDIA Corporation) MD5=1F790624AB1619CAE0C78597BD33615B -- C:\WINDOWS\NLDRV\009\nvgts.sys
[2008.11.06 00:57:44 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\WINDOWS\NLDRV\007\nvgts.sys
[2008.11.06 00:57:42 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\WINDOWS\NLDRV\006\nvgts.sys

< MD5 for: NVRD32.SYS >
[2008.11.06 00:57:48 | 000,128,000 | ---- | M] (NVIDIA Corporation) MD5=3802044AD8385654C620488DA8C9F0D9 -- C:\WINDOWS\NLDRV\009\nvrd32.sys
[2008.11.06 00:57:46 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\WINDOWS\NLDRV\007\nvrd32.sys

< MD5 for: SCECLI.DLL >
[2008.04.14 07:51:56 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=830CE8951C71F361D7D2F38416CC8BC1 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SMSS.EXE >
[2008.04.14 07:52:48 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=9B08A8C6331C2DA9C30377BCB4262721 -- C:\WINDOWS\system32\smss.exe

< MD5 for: SVCHOST.EXE >
[2008.04.14 07:52:50 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BE4A520E29B6391F49E79CCC52044D93 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: TCPIP.SYS >
[2008.11.06 00:57:15 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=E88631E21A9CACA06104802F9E915115 -- C:\WINDOWS\system32\drivers\tcpip.sys

< MD5 for: USERINIT.EXE >
[2008.04.14 07:52:52 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=7DC1830F22E7D275B438127B68030239 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: VIAMRAID.SYS >
[2008.11.06 00:58:00 | 000,117,248 | ---- | M] (VIA Technologies inc,.ltd) MD5=00046AA2E396EDC2238556E740A8E5AF -- C:\WINDOWS\NLDRV\024\viamraid.sys

< MD5 for: WINLOGON.EXE >
[2008.04.14 07:52:54 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=CDDB1F8E1AEA356F3AD106F2CF9B7FEA -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WS2_32.DLL >
[2008.04.14 07:52:08 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=951D473917C51F21496D914CF6E5DDD1 -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009.03.21 16:09:02 | 000,213,974 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\uyfqavbj.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2008.11.19 19:39:33 | 000,639,224 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2008.11.19 02:03:41 | 000,102,400 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008.11.19 02:03:41 | 001,093,632 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008.11.19 02:03:41 | 000,471,040 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.dll /lockedfiles >
[2009.03.21 16:09:02 | 000,213,974 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\uyfqavbj.dll

< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WUAUSERV
IMAGEPATH REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs

< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BITS
IMAGEPATH REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs

< %systemroot%\system32\drivers\*.sys /3 >
[2010.05.11 11:55:51 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\system32\drivers\npf.sys

< %systemroot%\system32\*.* /3 >
[2010.05.09 00:49:57 | 000,006,144 | ---- | M] () -- C:\WINDOWS\system32\lmsxsltsso.dll
[2010.05.10 14:18:32 | 000,048,128 | ---- | M] () -- C:\WINDOWS\system32\mssrv32.exe
[2010.05.11 11:43:55 | 000,000,052 | ---- | M] () -- C:\WINDOWS\system32\msxslt.dat
[2010.05.09 00:49:58 | 000,041,472 | ---- | M] () -- C:\WINDOWS\system32\msxsltsso.dll
[2010.05.11 15:03:08 | 000,036,375 | ---- | M] () -- C:\WINDOWS\system32\OODBS.lor
[2010.05.11 11:55:51 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\system32\Packet.dll
[2010.05.11 15:49:46 | 000,188,280 | ---- | M] () -- C:\WINDOWS\system32\sblog.txt
[2010.05.09 00:42:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\system32\wpa.dbl
[2010.05.11 11:55:51 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\system32\wpcap.dll
[2010.05.09 01:07:43 | 000,005,632 | ---- | M] () -- C:\WINDOWS\system32\wzrd_1.dll
< End of report >

------------------------

OTL Extras logfile created on: 11.5.2010 15:49:26 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = c:\_DOC\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

495,00 Mb Total Physical Memory | 183,00 Mb Available Physical Memory | 37,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): S:\pagefile.sys 1280 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7,84 Gb Total Space | 4,01 Gb Free Space | 51,14% Space Free | Partition Type: NTFS
Drive D: | 355,65 Gb Total Space | 5,49 Gb Free Space | 1,54% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 7,81 Gb Total Space | 0,44 Gb Free Space | 5,65% Space Free | Partition Type: NTFS
Drive S: | 2,01 Gb Total Space | 0,75 Gb Free Space | 37,33% Space Free | Partition Type: NTFS
Drive T: | 4,88 Gb Total Space | 4,82 Gb Free Space | 98,70% Space Free | Partition Type: NTFS
Drive X: | 14,94 Gb Total Space | 2,11 Gb Free Space | 14,12% Space Free | Partition Type: NTFS
Drive Z: | 465,76 Gb Total Space | 0,86 Gb Free Space | 0,18% Space Free | Partition Type: NTFS

Computer Name: C2D
Current User Name: Thales
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
.ini [@ = GetDiz.Document] -- C:\Program Files\GetDiz\GetDiz.exe (Outer Technologies - http://outertech.com)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Opera\Opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\Opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallDisableNotify" = 1
"FirewallOverride" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"4665:TCP" = 4665:TCP:*:Enabled:xbmwf

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ICQ6\ICQ.exe" = C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- File not found
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\WINDOWS\TEMP\tmp7778.tmp" = C:\WINDOWS\TEMP\tmp7778.tmp:*:Enabled:tmp7778 -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 10
"{293C9DF5-7669-4826-BBB2-E1F182D71029}" = Nero 7 Ultra Edition
"{350C9405-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D699C53-96C8-42E0-9767-B2D352F7A837}_is1" = Sundaze (theme)
"{53480370-6CA2-47EC-BC05-02B4B9271C31}" = O&O Defrag Professional Edition
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7A4CFCAC-68DC-4A56-AFCB-DA236E8B363F}_is1" = Angel Writer 3.2
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{90840405-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{90850405-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{90AF0405-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{AC76BA86-7AD7-1029-7B44-A93000000001}" = Adobe Reader 9.3.2 - Czech
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS Ver.2.03
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBBF4CFE-9D26-4D93-A869-B2B021B3CA85}" = Intel(R) PRO Network Connections 12.2.41.0
"{BE8BE32F-F595-4693-9F82-1E0A5A047BB6}" = OpenOffice.org 3.0
"{E20C5E13-DE01-4938-A776-E7563FDA86B4}" = RAMBooster.Net
"{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}" = mobile PhoneTools
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FB8148DD-C575-4B0A-9F6C-0CFC46937930}" = Opera 10.10
"7-Zip" = 7-Zip 4.65
"ACDSee" = ACDSee
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"ArtaSoftware_is1" = Arta Software version 1.4.1
"ASIO4ALL" = ASIO4ALL
"CCleaner" = CCleaner (remove only)
"DameK UltraBluever. 1.5" = DameK UltraBlue
"Foxit Reader" = Foxit Reader
"GetDiz 3.0" = GetDiz 3.0
"HD Tach 2.61" = HD Tach 2.61
"HijackThis" = HijackThis 2.0.2
"ICQ" = ICQ
"InstallShield_{21DBBDD6-93A5-4326-9A04-C9A5C9148502}" = Norton PartitionMagic 8.0
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.3.4
"K-Meleon" = K-Meleon 1.5.4 en-US (remove only)
"Longhorn Theme 4" = Longhorn Theme 4
"MetallicShades" = Metallic Shades 2.0 Visual Style
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"R-Studio 4.5NSIS" = R-Studio 4.5
"SpeedFan" = SpeedFan (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinISO_is1" = WinISO 5.3
"WinRAR archiver" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XBOX" = XBOX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1214440339-1935655697-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8.2.2010 22:10:20 | Computer Name = C2D | Source = PerfNet | ID = 2005
Description = Nelze číst data o výkonu ze služby serveru. V tomto vzorku nebudou
vrácena žádná data o výkonu serveru. Vrácený chybový kód je v datech DWORD 0, IOSB.Status
je DWORD 1 a IOSB.Information je DWORD 2.

Error - 8.2.2010 22:10:20 | Computer Name = C2D | Source = PerfNet | ID = 2006
Description = Nelze číst data o výkonu fronty ze služby serveru. V tomto vzorku nebudou
vrácena žádná data o výkonu fronty serveru. Vrácený chybový kód je v datech DWORD
0, IOSB.Status je DWORD 1 a IOSB.Information je DWORD 2.

Error - 8.5.2010 19:07:31 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 9.5.2010 11:48:08 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 10.5.2010 10:43:33 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 11.5.2010 7:14:43 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 11.5.2010 8:32:25 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 11.5.2010 8:41:31 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 11.5.2010 8:48:38 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 11.5.2010 9:03:16 | Computer Name = C2D | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

[ System Events ]
Error - 16.5.2009 16:04:39 | Computer Name = C2D | Source = Service Control Manager | ID = 7001
Description = Služba Prohledávání počítačů závisí na službě Server, která neuspěla
při spuštění v důsledku následující chyby: %%5

Error - 16.5.2009 16:04:39 | Computer Name = C2D | Source = Service Control Manager | ID = 7023
Description = Služba Server byla ukončena s následující chybou: %%5

Error - 16.5.2009 16:05:03 | Computer Name = C2D | Source = Service Control Manager | ID = 7023
Description = Služba Server byla ukončena s následující chybou: %%5

Error - 16.5.2009 16:16:44 | Computer Name = C2D | Source = NETLOGON | ID = 3095
Description = Tento počítač je nakonfigurován jako člen pracovní skupiny, nikoliv
jako člen domény. Přihlašovací služba Netlogon nepotřebuje být spuštěna v této konfiguraci.

Error - 16.5.2009 16:30:40 | Computer Name = C2D | Source = W32Time | ID = 39452689
Description = Klient NTP zprostředkovatele časových údajů: Při vyhledávání DNS ručně
nakonfigurovaného partnera time.windows.com,0x1 došlo k chybě. Klient NTP se pokusí
o vyhledání pomocí služby DNS znovu za 15 minut. Chyba: Došlo k pokusu o operaci
se soketem v okamžiku nedosažitelnosti hostitele. (0x80072751)

Error - 16.5.2009 16:30:40 | Computer Name = C2D | Source = W32Time | ID = 39452701
Description = Klient NTP zprostředkovatele časových údajů je konfigurován pro získávání
časových údajů z jednoho nebo více zdrojů času. Žádný z těchto zdrojů však není
aktuálně k dispozici. Po dobu 14 minut nebude proveden žádný pokus o kontaktování
zdroje. Klient NTP nemá k dispozici žádný zdroj času.

Error - 16.5.2009 16:30:44 | Computer Name = C2D | Source = W32Time | ID = 39452689
Description = Klient NTP zprostředkovatele časových údajů: Při vyhledávání DNS ručně
nakonfigurovaného partnera time.windows.com,0x1 došlo k chybě. Klient NTP se pokusí
o vyhledání pomocí služby DNS znovu za 15 minut. Chyba: Došlo k pokusu o operaci
se soketem v okamžiku nedosažitelnosti hostitele. (0x80072751)

Error - 16.5.2009 16:30:44 | Computer Name = C2D | Source = W32Time | ID = 39452701
Description = Klient NTP zprostředkovatele časových údajů je konfigurován pro získávání
časových údajů z jednoho nebo více zdrojů času. Žádný z těchto zdrojů však není
aktuálně k dispozici. Po dobu 15 minut nebude proveden žádný pokus o kontaktování
zdroje. Klient NTP nemá k dispozici žádný zdroj času.

Error - 16.5.2009 16:33:41 | Computer Name = C2D | Source = W32Time | ID = 39452689
Description = Klient NTP zprostředkovatele časových údajů: Při vyhledávání DNS ručně
nakonfigurovaného partnera time.windows.com,0x1 došlo k chybě. Klient NTP se pokusí
o vyhledání pomocí služby DNS znovu za 15 minut. Chyba: Došlo k pokusu o operaci
se soketem v okamžiku nedosažitelnosti hostitele. (0x80072751)

Error - 16.5.2009 16:33:41 | Computer Name = C2D | Source = W32Time | ID = 39452701
Description = Klient NTP zprostředkovatele časových údajů je konfigurován pro získávání
časových údajů z jednoho nebo více zdrojů času. Žádný z těchto zdrojů však není
aktuálně k dispozici. Po dobu 15 minut nebude proveden žádný pokus o kontaktování
zdroje. Klient NTP nemá k dispozici žádný zdroj času.

< End of report >

#6 Příspěvek od **Caroprd111** » 11 kvě 2010 15:09

Spusťte OTL a do spodního okna vložte následující skript.

Kód: Vybrat vše

:OTL
PRC - [2010.05.11 15:49:06 | 000,117,760 | ---- | M] () -- C:\Profiles\Thales\Local Settings\Temp\gtk6B.tmp
SRV - [2010.05.10 14:18:32 | 000,048,128 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\mssrv32.exe -- (msupdate)
O4 - HKLM..\Run: [MsXSLT] C:\WINDOWS\system32\msxslt3.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\msupdt.exe) - C:\WINDOWS\system32\msupdt.exe ()
O20 - Winlogon\Notify\wzrd_1: DllName - wzrd_1.dll - C:\WINDOWS\System32\wzrd_1.dll ()
[2010.05.11 13:38:17 | 000,000,000 | ---D | C] -- C:\Profiles\Thales\Local Settings\Data aplikací\Temp
[2008.04.14 07:51:46 | 000,213,974 | RHS- | C] () -- C:\WINDOWS\System32\uyfqavbj.dll
O21 - SSODL: GootkitSSO - {FA805C68-F6BD-4C85-A677-218F56E8EBFE} - C:\WINDOWS\system32\msxsltsso.dll ()
O21 - SSODL: LGootkitSSO - {A1BB9624-4730-4BDF-B9E3-DE39806EDBEA} - C:\WINDOWS\system32\lmsxsltsso.dll ()

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\TEMP\tmp7778.tmp" =-

:Files
C:\WINDOWS\TEMP
C:\Profiles\Thales\Local Settings\Temp

:Commands
[EMPTYTEMP] 
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[RESETHOSTS] 
[CREATERESTOREPOINT]

Poté klikněte na Opravit, PC se restartuje, log vložte sem.

Obrázek

Doporučuji odinstalovat Spybot - Search & Destroy.

Thales · #7 Příspěvek od **Thales** » 11 kvě 2010 15:19

Se stejným nastavením jako minule (všechny uživatele, kontrola na havěť...) nebo bez těchto nastavení?

Mohu se zeptat co je na Spybotu S&D špatného?

#8 Příspěvek od **Caroprd111** » 11 kvě 2010 15:31

S původním nastavením. Spybot - Search & Destroy je zastaralý, proto ho nedoporučujeme používat.

Thales · #9 Příspěvek od **Thales** » 11 kvě 2010 16:05

Tak mezi procesy už nic nevidím, nikde kde jsem se koukal se také nic nemnoží. Zdá se tedy že to zabralo. Díky moc a kdybych mohl na oplátku nabídnout své znalosti z oboru audiotechniky tak budu nápomocen.

Můžeš ještě poradit šikovnou náhradu za toho Spybota?

All processes killed
========== OTL ==========
No active process named gtk6B.tmp was found!
Service msupdate stopped successfully!
Service msupdate deleted successfully!
File move failed. C:\WINDOWS\system32\mssrv32.exe scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MsXSLT deleted successfully.
C:\WINDOWS\system32\msxslt3.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\msupdt.exe deleted successfully.
C:\WINDOWS\system32\msupdt.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzrd_1\ deleted successfully.
C:\WINDOWS\system32\wzrd_1.dll moved successfully.
C:\Profiles\Thales\Local Settings\Data aplikací\Temp folder moved successfully.
C:\WINDOWS\system32\uyfqavbj.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\GootkitSSO deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA805C68-F6BD-4C85-A677-218F56E8EBFE}\ deleted successfully.
C:\WINDOWS\system32\msxsltsso.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\LGootkitSSO deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1BB9624-4730-4BDF-B9E3-DE39806EDBEA}\ deleted successfully.
C:\WINDOWS\system32\lmsxsltsso.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\tmp7778.tmp deleted successfully.
========== FILES ==========
C:\WINDOWS\Temp folder moved successfully.
C:\Profiles\Thales\Local Settings\Temp folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

User: Thales
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 7862047 bytes
->Flash cache emptied: 434 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 138130 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 8,00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Thales
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb

Restore points cleared and new OTL Restore Point set!
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Unable to start service SrService!

OTL by OldTimer - Version 3.2.4.1 log created on 05112010_164010

Files\Folders moved on Reboot...
C:\WINDOWS\system32\mssrv32.exe moved successfully.

Registry entries deleted on Reboot...

#10 Příspěvek od **Caroprd111** » 11 kvě 2010 16:09

http://www.viry.cz/forum/viewtopic.php?f=29&t=6152

Obrázek

Poprosím o nový log z RSIT.

Thales · #11 Příspěvek od **Thales** » 11 kvě 2010 16:37

Co se týče bezpečnosti preferuji spíše samostatně spouštěná ne-rezidentní řešení. Mám dva PC - jeden pracovní a jeden testovací/na normální použití. na tom pracovním nemám (a nechci) mít nainstalovaný žádný rezident protože mi způsobují menší stabilitu systému, aplikací, kradou mi výkon a znepříjemňují život. Také se tam neleze na nebezpečné stránky a to že toto řešení je funkční dosvědčuje to že jsem tam žádný svinec neměl od roku 1997. Tedy až dodnes a ne mojí vinou. Nicméně rád bych měl po ruce něco co se dá čistě jen pro dobrý pocit občas spustit ručně a pak zase vypnout. Na druhém PC. Tam je mi to víceméně fuk co se děje ale agresivní a zbytečné chování rezidentů mi leze na nervy. Například Avast je na zastřelení. Předchozí verze nebyly tak otravné ale teď je to děs. Kdyby se to dalo alespoň nějak rozumně nakonfigurovat ale bohužel velký kulový.

Zde je ten log.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Thales at 2010-05-11 17:20:49
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 4 GB (51%) free of 8 GB
Total RAM: 495 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:57, on 11.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Profiles\Thales\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
C:\Profiles\Thales\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TotalCommander\TOTALCMD.EXE
C:\Profiles\Thales\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
X:\RSIT.exe
C:\Program Files\trend micro\Thales.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\msupdt.exe,
O1 - Hosts: ˙ţ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Profiles\Thales\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4222579453
O17 - HKLM\System\CCS\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{03631067-D96F-497C-B706-01ED18F67944}: NameServer = 192.168.100.254
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 5026 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1935655697-1417001333-500UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-04 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\bin\ssv.dll [2008-11-19 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\bin\jp2ssv.dll [2008-11-19 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-19 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-12-14 577536]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe Acrobat Reader\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-03-24 952768]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Profiles\Thales\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe [2010-05-11 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1
"NoSMConfigurePrograms"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.ini - open - "C:\Program Files\GetDiz\GetDiz.exe" "%1"

======List of files/folders created in the last 1 months======

2010-05-11 17:20:49 ----D---- C:\rsit
2010-05-11 15:03:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-11 15:02:24 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-11 14:39:58 ----D---- C:\Program Files\trend micro
2010-05-11 11:55:51 ----A---- C:\WINDOWS\system32\wpcap.dll
2010-05-11 11:55:51 ----A---- C:\WINDOWS\system32\Packet.dll
2010-05-09 18:47:35 ----D---- C:\Profiles\Thales\Data aplikací\K-Meleon
2010-05-09 01:08:01 ----A---- C:\WINDOWS\system32\sblog.txt
2010-05-09 01:07:43 ----A---- C:\WINDOWS\system32\wzrd_1.dll
2010-05-09 00:59:08 ----D---- C:\Program Files\CCleaner

======List of files/folders modified in the last 1 months======

2010-05-11 17:02:29 ----A---- C:\WINDOWS\wincmd.ini
2010-05-11 16:46:50 ----D---- C:\WINDOWS\system32
2010-05-11 16:40:12 ----D---- C:\WINDOWS
2010-05-11 14:39:58 ----RD---- C:\Program Files
2010-05-11 13:40:41 ----D---- C:\_DOC
2010-05-11 13:38:16 ----SD---- C:\WINDOWS\Tasks
2010-05-11 13:34:04 ----D---- C:\WINDOWS\system32\drivers
2010-05-11 13:29:40 ----D---- C:\WINDOWS\Prefetch
2010-05-11 13:11:03 ----D---- C:\Profiles\All Users\Data aplikací\Spybot - Search & Destroy
2010-05-10 16:41:39 ----D---- C:\Program Files\ICQ
2010-05-09 01:02:36 ----D---- C:\WINDOWS\Debug
2010-05-09 00:53:41 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-05-09 00:49:58 ----D---- C:\Program Files\K-Meleon
2010-05-08 12:35:47 ----A---- C:\WINDOWS\wcx_ftp.ini
2010-05-08 11:36:33 ----A---- C:\WINDOWS\NeroDigital.ini
2010-04-26 05:49:17 ----D---- C:\WINDOWS\system32\oodag
2010-04-18 18:17:52 ----SHD---- C:\WINDOWS\Installer
2010-04-12 13:19:51 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
R2 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [2002-05-06 16512]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-12-16 3842560]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2007-03-14 165760]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-11-06 12160]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 a91mhtbo;a91mhtbo; C:\WINDOWS\system32\drivers\a91mhtbo.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 kvpndev;Kerio VPN adapter; C:\WINDOWS\system32\DRIVERS\kvpndrv.sys [2005-02-11 61440]
S3 NPF;WinPcap Packet Driver (NPF); C:\WINDOWS\system32\drivers\NPF.sys [2010-05-11 50704]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\bin\jqs.exe [2008-11-19 152984]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2005-05-11 225280]
S2 plzwls;Universal Microsoft; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-05-11 17:20:58

======Uninstall list======

@BIOS Ver.2.03-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}\Setup.exe" -l0x9 -removeonly
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
ACDSee-->C:\PROGRA~1\ACD\ACDSee\UNWISE.EXE C:\PROGRA~1\ACD\ACDSee\INSTALL.LOG
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3.2 - Czech-->MsiExec.exe /I{AC76BA86-7AD7-1029-7B44-A93000000001}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Aktualizace zabezpečení systému Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Angel Writer 3.2-->"C:\Program Files\Angel Writer\unins000.exe"
Arta Software version 1.4.1-->"C:\Program Files\Arta\unins000.exe"
ASIO4ALL-->C:\Program Files\ASIO4ALL\uninstall.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CmdHere Powertoy For Windows XP-->MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
DameK UltraBlue-->C:\WINDOWS\iun6002.exe "C:\WINDOWS\Resources\Themes\DameK UltraBlue\irunin.ini"
Foxit Reader-->C:\Program Files\Foxit Reader\Uninstall.exe
GetDiz 3.0-->C:\PROGRA~1\GetDiz\UNINST~1\UNWISE.EXE C:\PROGRA~1\GetDiz\UNINST~1\install.log
HD Tach 2.61-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HD Tach\Uninst.isu"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel(R) PRO Network Connections 12.2.41.0-->MsiExec.exe /i{BBBF4CFE-9D26-4D93-A869-B2B021B3CA85} ARPREMOVE=1
Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
K-Lite Mega Codec Pack 4.3.4-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
K-Meleon 1.5.4 en-US (remove only)-->C:\Program Files\K-Meleon\uninstall.exe
Longhorn Theme 4-->C:\WINDOWS\unvise32.exe C:\WINDOWS\Resources\Themes\Longhorn 4 Uninstall.log
Metallic Shades 2.0 Visual Style-->C:\WINDOWS\MetShadesUninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel Viewer 2003-->MsiExec.exe /I{90840405-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF0405-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003-->MsiExec.exe /I{90850405-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mobile PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nero 7 Ultra Edition-->MsiExec.exe /X{293C9DF5-7669-4826-BBB2-E1F182D71029}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
O&O Defrag Professional Edition-->MsiExec.exe /I{53480370-6CA2-47EC-BC05-02B4B9271C31}
OpenOffice.org 3.0-->MsiExec.exe /I{BE8BE32F-F595-4693-9F82-1E0A5A047BB6}
Opera 10.10-->MsiExec.exe /X{FB8148DD-C575-4B0A-9F6C-0CFC46937930}
RAMBooster.Net-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E20C5E13-DE01-4938-A776-E7563FDA86B4}\setup.exe"
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x5 -removeonly
R-Studio 4.5-->C:\Program Files\R-Studio\Uninstall.exe
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sundaze (theme)-->C:\WINDOWS\unins000.exe
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinISO 5.3-->"C:\Program Files\WinISO\unins000.exe"
WinRAR-->C:\Program Files\WinRAR\uninstall.exe
XBOX-->"C:\WINDOWS\lsb_un20.exe" /C=UC /N=XBOX

======Hosts File======

::1 localhost

======System event log======

Computer Name: C2D
Event Code: 20159
Message: Připojení k GPRS vytvořené uživatelem pomocí zařízení COM3 bylo odpojeno.

Record Number: 3053
Source Name: RemoteAccess
Time Written: 20090517003118.000000+120
Event Type: Informace
User:

Computer Name: C2D
Event Code: 20158
Message: Uživatel úspěšně vytvořil připojení k GPRS pomocí zařízení COM3.

Record Number: 3052
Source Name: RemoteAccess
Time Written: 20090516224645.000000+120
Event Type: Informace
User:

Computer Name: C2D
Event Code: 20159
Message: Připojení k GPRS vytvořené uživatelem pomocí zařízení COM3 bylo odpojeno.

Record Number: 3051
Source Name: RemoteAccess
Time Written: 20090516224248.000000+120
Event Type: Informace
User:

Computer Name: C2D
Event Code: 35
Message: Služba Systémový čas nyní synchronizuje systémový čas s časem
zdroje time.windows.com (ntp.m|0x1|10.23.143.56:123->207.46.197.32:123).

Record Number: 3050
Source Name: W32Time
Time Written: 20090516223403.000000+120
Event Type: Informace
User:

Computer Name: C2D
Event Code: 20158
Message: Uživatel úspěšně vytvořil připojení k GPRS pomocí zařízení COM3.

Record Number: 3049
Source Name: RemoteAccess
Time Written: 20090516223341.000000+120
Event Type: Informace
User:

=====Application event log=====

Computer Name: C2D
Event Code: 1000
Message: Čítače výkonu pro službu MSDTC (MSDTC) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 5
Source Name: LoadPerf
Time Written: 20081119001205.000000+060
Event Type: Informace
User:

Computer Name: C2D
Event Code: 1000
Message: Čítače výkonu pro službu TermService (Terminálová služba) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 4
Source Name: LoadPerf
Time Written: 20081119001202.000000+060
Event Type: Informace
User:

Computer Name: C2D
Event Code: 1000
Message: Čítače výkonu pro službu RemoteAccess (Směrování a vzdálený přístup) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 3
Source Name: LoadPerf
Time Written: 20081119001110.000000+060
Event Type: Informace
User:

Computer Name: C2D
Event Code: 1000
Message: Čítače výkonu pro službu PSched (PSched) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 2
Source Name: LoadPerf
Time Written: 20081119001046.000000+060
Event Type: Informace
User:

Computer Name: C2D
Event Code: 1000
Message: Čítače výkonu pro službu RSVP (QoS RSVP) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 1
Source Name: LoadPerf
Time Written: 20081119001045.000000+060
Event Type: Informace
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0f02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#12 Příspěvek od **Caroprd111** » 11 kvě 2010 16:41

Spusťte OTL a do spodního okna vložte následující skript.

Kód: Vybrat vše

:processes
explorer.exe

:Services
plzwls

:Commands
[REBOOT]

Poté klikněte na Opravit, PC se restartuje, log vložte sem.

Thales · #13 Příspěvek od **Thales** » 12 kvě 2010 03:06

========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
Service plzwls stopped successfully!
Service plzwls deleted successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.4.1 log created on 05122010_040332

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#14 Příspěvek od **Caroprd111** » 12 kvě 2010 05:03

Stáhněte TFC http://oldtimer.geekstogo.com/TFC.exe

Spusťte.
Klikněte na "Start". Potvrďte hlášku kliknutím na "Ok" (Bude následovat restart)

Stáhněte OTC http://oldtimer.geekstogo.com/OTC.exe

Spusťte.
Klikněte na "CleanUp!". Potvrďte hlášky kliknutím na "Yes" (Bude následovat restart)

Stáhněte Ccleaner http://viry.cz/forum/viewtopic.php?t=7478

Nainstalujte a v průběhu instalace odškrtněte, že chcete instalovat yahoo toolbar.

Záložka Čistič
Dejte analyzovat, po dokončení dejte Spustit Ccleaner.

Záložka Registry
Klikněte na Hledej problémy, po dokončení klikněte na Opravit problémy, zálohu dělat nemusíte, potom dejte Opravit všechny problémy.
OK Zavřít

Thales · #15 Příspěvek od **Thales** » 13 kvě 2010 02:17

Všechno krom TFC jsem provedl automaticky předtím, dočasné adresáře promazávám sám ručně.

VIRY.CZ

Podezřelý proces gtkxxx.tmp

Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp

Re: Podezřelý proces gtkxxx.tmp