PC disinfection, computer speed-up and remote help via the neslape.cz service

Mebroot.K in the MBR

Have a virus problem? Post your FRST or RSIT log here.

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Mebroot.K in the MBR

#1 Post by Zakov »

NOD reports Mebroot.K in the MBR, please check the log.

Thanks.

Logfile of random's system information tool 1.08 (written by random/random)
Run by vacekp at 2010-08-02 15:55:43
Microsoft® Windows Vista™ Business Service Pack 2
System drive C: has 589 GB (62%) free of 954 GB
Total RAM: 6132 MB (75% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-04 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll [2008-12-09 958200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl8"=C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [2008-03-20 83240]
"PDVD8LanguageShortcut"=C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [2007-12-14 50472]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-04 36272]
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1555968]
"ICQ"=C:\PROGRA~2\ICQ6.5\ICQ.exe [2009-11-16 172792]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
TreeINFO časová aktivace.lnk - C:\Program Files (x86)\TreeINFO\TiTimer.exe
USB connection manager.lnk - C:\Program Files (x86)\HP USB Network Print Adapter\hpCtMgrE01.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\SysWOW64\Notepad.exe %1
.js - open - C:\Windows\SysWOW64\WScript.exe "%1" %*
.scr - open - C:\Windows\SysWOW64\notepad.exe "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2010-08-02 15:55:44 ----D---- C:\Program Files (x86)\trend micro
2010-08-02 15:55:43 ----D---- C:\rsit
2010-08-02 15:51:06 ----A---- C:\Windows\mbr.exe
2010-08-02 15:41:05 ----D---- C:\32788R22FWJFW

======List of files/folders modified in the last 1 months======

2010-08-02 15:55:44 ----RD---- C:\Program Files (x86)
2010-08-02 15:55:43 ----D---- C:\Windows\Temp
2010-08-02 15:53:29 ----D---- C:\Windows
2010-08-02 15:44:41 ----D---- C:\Windows\System32
2010-08-02 15:44:40 ----D---- C:\Windows\inf
2010-08-02 11:18:59 ----SHD---- C:\Windows\Installer
2010-07-31 18:17:31 ----SHD---- C:\System Volume Information
2010-07-31 18:13:41 ----HD---- C:\ProgramData
2010-07-16 15:19:18 ----D---- C:\Users\vacekp.CHATHB\AppData\Roaming\ICQ
2010-07-16 14:37:42 ----D---- C:\Windows\Minidump
2010-07-16 14:35:10 ----D---- C:\Windows\Prefetch
2010-07-14 12:14:45 ----D---- C:\Users\vacekp.CHATHB\AppData\Roaming\vlc
2010-07-14 11:49:08 ----D---- C:\Windows\winsxs
2010-07-14 11:42:02 ----D---- C:\Program Files (x86)\Windows Mail
2010-07-14 11:41:50 ----D---- C:\ProgramData\Microsoft Help
2010-07-08 07:36:26 ----D---- C:\Program Files (x86)\AutoCAD Civil 3D 2010
2010-07-08 07:36:24 ----D---- C:\Civil 3D Projects
2010-07-05 16:16:26 ----D---- C:\Windows\SysWOW64
2010-07-05 16:15:08 ----A---- C:\Windows\Codec Pack - All In 1 Setup Log.txt
2010-07-05 16:07:49 ----D---- C:\Program Files (x86)\Codec Pack - All In 1
2010-07-05 16:07:25 ----A---- C:\Windows\iun6002.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 iaStor;Intel RAID Controller; C:\Windows\system32\DRIVERS\iaStor.sys []
R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys []
R2 eamon;eamon; C:\Windows\system32\DRIVERS\eamon.sys []
R2 epfwwfpr;epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys []
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver; C:\Windows\system32\DRIVERS\e1y60x64.sys []
R3 hpnuhst;HP NUSB Host; C:\Windows\system32\DRIVERS\hpnuhst.sys [2007-03-27 16384]
R3 HPNUHUB;HP NUSB Hub; C:\Windows\system32\DRIVERS\hpnuhub.sys [2007-03-27 40960]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S3 drmkaud;Dekodér zvuků DRM jádra společnosti Microsoft; C:\Windows\system32\drivers\drmkaud.sys []
S3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys []
S3 mbr;mbr; \??\C:\Users\VACEKP~1.CHA\AppData\Local\Temp\mbr.sys []
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys []
S3 NAL;Nal Service ; \??\C:\Windows\system32\Drivers\iqvw64e.sys []
S3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver; C:\Windows\System32\Drivers\PCAMp50a64.sys []
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver; C:\Windows\System32\Drivers\PCASp50a64.sys []
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfdx64.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2009-09-11 735960]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-08-06 354840]
R2 ICQ Service;ICQ Service; C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe [2008-10-19 222456]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [2009-04-17 935208]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2008-12-11 4297728]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [2007-05-14 272024]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-09-11 23296]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-04-28 651720]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-21 19968]
S3 ServiceLayer;ServiceLayer; C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]

-----------------EOF-----------------

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#2 Post by motji »

Good morning :)

Did you run ComboFix?

→ Download MBR
http://www2.gmer.net/mbr/mbr.exe
- save it to the desktop and run it
- a log named mbr.log will be created, post it here


→ Download Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- unpack and run it
- a scan will run; when it finishes a results window opens, click Save to save the log, which you then post here

- Following the guide in the link, run the second scan and post that log here as well.



→ Download OTL http://oldtimer.geekstogo.com/OTL.exe
- save it to the desktop and run the file OTL.exe.
- copy this script into the white box at the bottom:


netsvcs
drivers32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
c:\windows\*.* /U
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
ndis.sys
winlogon.exe
explorer.exe
userinit.exe
lsass.exe
svchost.exe
smss.exe
hal.dll
ws2_32.dll
tcpip.sys
cryptsvc.dll
Changer.sys
JakNDis.sys
isapnp.sys
cdrom.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c
%systemroot%\system32\drivers\*.sys /3
%systemroot%\system32\*.* /3
CREATERESTOREPOINT 
- tick the box "All users".
- tick the boxes "LOP Check" and "Purity Check"
- click the Scan button
- when the scan finishes, the logs OTL.Txt and Extras.txt will appear; post them here :)
Do not use COMBOFIX without an advisor's recommendation, it can damage the system!
Always back up important data before disinfecting a computer!

I am usually reachable at night, between 21:00 and 23:00.
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#3 Post by Zakov »

I did run ComboFix, because it didn't occur to me that it only supports Windows up to XP :-)

MBR log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR


The GMER logs were empty. After starting GMER, only Services, Registry and Files were ticked on the right; the rest was greyed out. GMER was run as administrator....
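
Added example, written for this thread and not part of Gmer's mbr.exe, OTL or anything the posters ran: it shows, on a constructed 512-byte sector, the two things the MBR check in post #2 and the mbr.log in post #3 are about. First a structural sanity check of a raw MBR (boot signature, partition-table entries), then a cross-check of the same sector obtained through two read paths, which is the situation the log lines "user: MBR read successfully" and "kernel: error reading MBR" describe: a detector that compares a user-mode copy with a kernel-mode copy can conclude nothing when the second read fails, and a mismatch between the two copies is the signal that something is filtering disk reads. All function names, the sample sector and the tampered copy are constructed here and are assumptions, not values from this machine.

```python
"""Structural check of a raw 512-byte MBR plus a cross-check of two reads of it.

Added example, not Gmer's mbr.exe. Everything below works on bytes built in
memory; nothing touches a real disk.
"""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot code
PARTITION_ENTRY_SIZE = 16      # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(sector: bytes) -> list:
    """Decode the four legacy partition entries into dicts."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"slot": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr_structure(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the sector looks sane."""
    if len(sector) != SECTOR_SIZE:
        return ["sector length %d, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    bootable = 0
    for e in parse_partition_table(sector):
        if e["type"] == 0:
            continue                       # empty slot
        if e["status"] not in (0x00, 0x80):
            findings.append("slot %d: invalid status byte 0x%02x" % (e["slot"], e["status"]))
        if e["status"] == 0x80:
            bootable += 1
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append("slot %d: zero start LBA or length" % e["slot"])
    if bootable > 1:
        findings.append("%d partitions flagged bootable, expected at most one" % bootable)
    return findings


def cross_check_reads(user_copy: bytes, kernel_copy: Optional[bytes]) -> list:
    """Compare the MBR as seen through two read paths.

    A rootkit that filters disk I/O can hand one path a clean copy while the
    real sector differs, so a mismatch is the finding; a failed second read
    (as in the thread's mbr.log) means no conclusion can be drawn either way.
    """
    if kernel_copy is None:
        return ["second read path failed; cannot cross-check the user-mode copy"]
    findings = []
    if user_copy[:BOOT_CODE_SIZE] != kernel_copy[:BOOT_CODE_SIZE]:
        findings.append("boot code differs between the two read paths")
    if user_copy[BOOT_CODE_SIZE:510] != kernel_copy[BOOT_CODE_SIZE:510]:
        findings.append("partition table differs between the two read paths")
    return findings


def sha256_hex(data: bytes) -> str:
    """Digest of a sector, handy for recording a known-good baseline."""
    return hashlib.sha256(data).hexdigest()


def build_sample_mbr(boot_code_fill: int = 0x90) -> bytes:
    """Constructed sample: filler boot code, one bootable NTFS partition, signature."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_SIZE
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + bytes(PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    tampered = build_sample_mbr(boot_code_fill=0xCC)   # constructed: same table, other boot code
    print("structure:", check_mbr_structure(clean) or "ok")
    print("two reads agree:", cross_check_reads(clean, clean) or "ok")
    print("two reads differ:", cross_check_reads(clean, tampered))
    print("second read failed:", cross_check_reads(clean, None))
    print("baseline sha256:", sha256_hex(clean))
```

Run it directly for the printed summary. Reading the real sector 0 through two independent paths needs administrator rights and a kernel driver (the RSIT log above lists the one mbr.exe loads, mbr.sys), which is why the thread relies on the tool rather than on a script like this one.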

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#4 Post by Zakov »

OTL log - part 1

OTL logfile created on: 2.8.2010 20:04:23 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\vacekp.CHATHB\Desktop
64bit-Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

6,00 Gb Total Physical Memory | 4,00 Gb Available Physical Memory | 73,00% Memory free
12,00 Gb Paging File | 11,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931,51 Gb Total Space | 574,70 Gb Free Space | 61,70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 3,73 Gb Total Space | 0,45 Gb Free Space | 12,03% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VACEKP
Current User Name: vacekp
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.08.02 17:59:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\vacekp.CHATHB\Desktop\OTL.exe
PRC - [2009.12.15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\gmer.exe
PRC - [2009.11.16 17:36:19 | 000,172,792 | ---- | M] (ICQ, LLC.) -- C:\Program Files (x86)\ICQ6.5\ICQ.exe
PRC - [2009.09.11 07:24:32 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2009.04.17 10:09:46 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008.10.19 14:30:02 | 000,222,456 | ---- | M] () -- C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe
PRC - [2008.08.06 16:00:50 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008.08.06 16:00:48 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008.03.20 20:23:22 | 000,083,240 | ---- | M] (Cyberlink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2001.07.27 13:05:08 | 000,045,056 | ---- | M] (TreeINFO s.r.o.) -- C:\Program Files (x86)\TreeINFO\Titimer.exe


========== Modules (SafeList) ==========

MOD - [2010.08.02 17:59:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\vacekp.CHATHB\Desktop\OTL.exe
MOD - [2008.01.21 04:48:23 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009.09.11 07:33:20 | 000,023,296 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV:64bit: - [2009.09.11 07:24:32 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2009.04.11 09:11:27 | 000,252,928 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009.04.11 09:11:14 | 000,604,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2008.12.11 07:08:52 | 004,297,728 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe -- (NVIDIA Performance Driver Service)
SRV:64bit: - [2008.01.21 04:49:41 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008.01.21 04:45:48 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2010.04.28 10:57:52 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.06.02 10:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009.04.17 10:09:46 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008.10.19 14:30:02 | 000,222,456 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe -- (ICQ Service)
SRV - [2008.08.06 16:00:50 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2009.09.11 07:27:16 | 000,123,200 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\epfwwfpr.sys -- (epfwwfpr)
DRV:64bit: - [2009.09.11 07:23:52 | 000,136,584 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2009.09.11 07:17:20 | 000,144,824 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\SysNative\DRIVERS\eamon.sys -- (eamon)
DRV:64bit: - [2009.04.11 06:56:24 | 000,460,800 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2008.08.28 12:44:42 | 000,025,600 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2008.07.20 17:44:54 | 000,402,456 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\iaStor.sys -- (iaStor)
DRV:64bit: - [2008.06.13 10:41:54 | 000,316,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\e1y60x64.sys -- (e1yexpress) Intel(R)
DRV:64bit: - [2008.05.23 16:54:38 | 000,033,888 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\iqvw64e.sys -- (NAL)
DRV:64bit: - [2007.03.27 19:28:38 | 000,040,960 | ---- | M] (Hewlett-Packard Development Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\hpnuhub.sys -- (HPNUHUB)
DRV:64bit: - [2007.03.27 19:14:12 | 000,016,384 | ---- | M] (Hewlett-Packard Development Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\hpnuhst.sys -- (hpnuhst)
DRV:64bit: - [2006.11.28 21:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\PCAMp50a64.sys -- (PCAMp50a64)
DRV:64bit: - [2006.11.28 21:46:20 | 000,041,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\PCASp50a64.sys -- (PCASp50a64)
DRV:64bit: - [2006.09.18 23:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV - [2007.03.27 19:28:38 | 000,040,960 | ---- | M] (Hewlett-Packard Development Company) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\hpnuhub.sys -- (HPNUHUB)
DRV - [2007.03.27 19:14:12 | 000,016,384 | ---- | M] (Hewlett-Packard Development Company) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\hpnuhst.sys -- (hpnuhst)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
IE - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 09 1C AC 8A 7A DF CA 01 [binary data]
IE - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files (x86)\Nokia\Nokia PC Suite 7\bkmrksync\ [2009.10.05 10:13:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009.10.01 13:03:30 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006.09.18 23:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files (x86)\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [nwiz] C:\Windows\SysNative\nwiz.exe ()
O4:64bit: - HKLM..\Run: [pdfFactory Dispatcher v3] C:\Windows\SysNative\spool\DRIVERS\x64\3\fppdis3a.exe (FinePrint Software, LLC)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe ()
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (Cyberlink Corp.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2382166588-2017641859-2650136724-1152..\Run: [ICQ] C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://www.ostrava.unas.cz/kamery/AxisCamControl.cab (CamImage Class)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://webcam01.khnet.info/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab (IWinAmpActiveX Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1 213.226.248.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chathb.local
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\vacekp.CHATHB\Desktop\Janí a Paví.JPG
O24 - Desktop BackupWallPaper: C:\Users\vacekp.CHATHB\Desktop\Janí a Paví.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.10.28 23:49:26 | 000,000,144 | -HS- | M] () - E:\autorun.ini -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: VIDC.FFDS - ff_vfw.dll ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010.08.02 18:05:54 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\vacekp.CHATHB\Desktop\OTL.exe
[2010.08.02 15:55:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\trend micro
[2010.08.02 15:55:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010.08.02 15:41:05 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

========== Files - Modified Within 30 Days ==========

[2010.08.02 20:03:27 | 003,407,872 | -HS- | M] () -- C:\Users\vacekp.CHATHB\NTUSER.DAT
[2010.08.02 19:55:02 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.08.02 19:55:02 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.08.02 18:35:42 | 000,524,288 | -HS- | M] () -- C:\Users\vacekp.CHATHB\NTUSER.DAT{865d07f1-6a85-11db-acd0-9270719989e3}.TMContainer00000000000000000001.regtrans-ms
[2010.08.02 18:35:42 | 000,065,536 | -HS- | M] () -- C:\Users\vacekp.CHATHB\NTUSER.DAT{865d07f1-6a85-11db-acd0-9270719989e3}.TM.blf
[2010.08.02 18:35:37 | 003,115,582 | -H-- | M] () -- C:\Users\vacekp.CHATHB\AppData\Local\IconCache.db
[2010.08.02 18:07:15 | 001,402,426 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010.08.02 18:07:15 | 000,601,848 | ---- | M] () -- C:\Windows\SysNative\perfh005.dat
[2010.08.02 18:07:15 | 000,589,884 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010.08.02 18:07:15 | 000,115,976 | ---- | M] () -- C:\Windows\SysNative\perfc005.dat
[2010.08.02 18:07:15 | 000,101,896 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010.08.02 17:59:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\vacekp.CHATHB\Desktop\OTL.exe
[2010.08.02 17:58:42 | 000,077,312 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\mbr.exe
[2010.08.02 17:54:57 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.08.02 17:54:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.08.02 15:49:24 | 000,077,312 | ---- | M] () -- C:\Windows\mbr.exe
[2010.07.31 18:13:41 | 000,002,958 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010.07.22 19:22:03 | 000,016,384 | ---- | M] () -- C:\Users\vacekp.CHATHB\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.16 12:05:25 | 000,167,085 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\valník.jpg
[2010.07.14 12:51:24 | 137,216,992 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\Powertool_1986_by_RapidRise.org.part2.rar
[2010.07.14 12:10:00 | 137,221,500 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\Powertool_1986_by_RapidRise.org.part1.rar
[2010.07.14 09:27:44 | 114,577,674 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\Comics_Pack_01.zip
[2010.07.08 07:37:07 | 000,002,489 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\AutoCAD 2010.lnk
[2010.07.08 07:36:06 | 000,735,950 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\Chotěboř D8-7-2010.dwg
[2010.07.05 16:07:25 | 000,737,280 | ---- | M] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
[2010.07.05 15:41:49 | 1918,789,432 | ---- | M] () -- C:\Users\vacekp.CHATHB\Desktop\Prison.avi

========== Files Created - No Company Name ==========

[2010.08.02 18:05:38 | 000,293,376 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\gmer.exe
[2010.08.02 18:05:31 | 000,077,312 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\mbr.exe
[2010.08.02 15:51:06 | 000,077,312 | ---- | C] () -- C:\Windows\mbr.exe
[2010.07.16 12:05:35 | 000,167,085 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\valník.jpg
[2010.07.14 12:51:22 | 137,216,992 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\Powertool_1986_by_RapidRise.org.part2.rar
[2010.07.14 12:09:58 | 137,221,500 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\Powertool_1986_by_RapidRise.org.part1.rar
[2010.07.14 09:27:40 | 114,577,674 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\Comics_Pack_01.zip
[2010.07.08 07:36:06 | 000,735,950 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\Chotěboř D8-7-2010.dwg
[2010.07.05 15:40:41 | 1918,789,432 | ---- | C] () -- C:\Users\vacekp.CHATHB\Desktop\Prison.avi
[2010.02.01 14:43:56 | 000,000,008 | ---- | C] () -- C:\Windows\SysWow64\vchelpex.sys
[2009.11.09 14:27:01 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009.10.05 15:07:50 | 001,420,948 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009.10.05 09:47:11 | 000,000,119 | ---- | C] () -- C:\Windows\ODBC.INI
[2009.09.29 16:51:51 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009.09.29 16:51:02 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009.09.29 09:57:14 | 001,507,328 | ---- | C] () -- C:\Windows\SysWow64\nView.dll
[2009.09.29 09:57:14 | 001,101,824 | ---- | C] () -- C:\Windows\SysWow64\nvwimg.dll
[2008.01.21 04:48:25 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2005.10.14 11:56:50 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll
[2005.10.14 11:56:50 | 000,921,600 | ---- | C] () -- C:\Windows\SysWow64\VorbisEnc.dll
[2005.10.14 11:56:50 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2005.10.14 11:56:50 | 000,344,064 | ---- | C] () -- C:\Windows\SysWow64\xvid.dll
[2005.10.14 11:56:50 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\OggDS.dll
[2005.10.14 11:56:50 | 000,188,416 | ---- | C] () -- C:\Windows\SysWow64\vorbis.dll
[2005.10.14 11:56:50 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\ogg.dll
[2000.03.29 22:00:00 | 000,125,440 | ---- | C] () -- C:\Windows\SysWow64\UNZDLL.DLL
[1999.10.23 18:29:44 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\UNRAR.DLL
[1999.08.11 15:28:02 | 000,101,888 | ---- | C] () -- C:\Windows\SysWow64\LIBBZ2.DLL
[1999.05.21 21:10:00 | 000,129,024 | ---- | C] () -- C:\Windows\SysWow64\ZIPDLL.DLL
[1998.01.28 00:06:04 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\UNACE.DLL

========== LOP Check ==========

[2010.04.28 10:36:46 | 000,000,000 | ---D | M] -- C:\Users\administrator\AppData\Roaming\Autodesk
[2009.10.05 09:58:57 | 000,000,000 | ---D | M] -- C:\Users\administrator\AppData\Roaming\IrfanView
[2009.10.05 10:18:06 | 000,000,000 | ---D | M] -- C:\Users\administrator\AppData\Roaming\Nokia
[2009.10.05 10:18:05 | 000,000,000 | ---D | M] -- C:\Users\administrator\AppData\Roaming\PC Suite
[2009.10.08 14:18:11 | 000,000,000 | ---D | M] -- C:\Users\vacekp\AppData\Roaming\Autodesk
[2010.04.16 14:46:44 | 000,000,000 | ---D | M] -- C:\Users\vacekp\AppData\Roaming\ICQ
[2009.10.05 13:44:31 | 000,000,000 | ---D | M] -- C:\Users\vacekp\AppData\Roaming\PC Suite
[2010.05.03 06:25:56 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Autodesk
[2010.07.16 15:19:18 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\ICQ
[2010.04.28 12:32:17 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\PC Suite
[2010.08.02 16:53:49 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
"Sidebar" = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun -- [2009.04.11 09:10:53 | 001,555,968 | ---- | M] (Microsoft Corporation)
"ICQ" = "C:\PROGRA~2\ICQ6.5\ICQ.exe" silent -- [2009.11.16 17:36:19 | 000,172,792 | ---- | M] (ICQ, LLC.)

< c:\windows\*.* /U >

< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2010.04.19 08:58:48 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Adobe
[2010.05.03 06:25:56 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Autodesk
[2010.07.16 15:19:18 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\ICQ
[2010.04.18 17:22:15 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Identities
[2010.04.19 10:04:32 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\InstallShield
[2010.04.19 06:41:35 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Macromedia
[2010.08.02 18:26:11 | 000,000,000 | --SD | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Microsoft
[2010.04.19 07:55:06 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Mozilla
[2010.04.19 07:52:09 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Nero
[2010.04.28 12:32:17 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\PC Suite
[2010.07.14 12:14:45 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\vlc
[2010.06.23 10:05:30 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\Winamp
[2010.04.19 07:51:11 | 000,000,000 | ---D | M] -- C:\Users\vacekp.CHATHB\AppData\Roaming\WinRAR

< %APPDATA%\*.exe /s >
[2010.04.28 11:04:47 | 000,010,134 | R--- | M] () -- C:\Users\vacekp.CHATHB\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe


< MD5 for: AGP440.SYS >
[2001.08.17 20:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\dllcache\agp440.sys
[2001.08.17 20:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\AGP440.SYS
[2001.08.17 22:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\ReinstallBackups\0001\DriverFiles\i386\AGP440.SYS
[2001.08.17 22:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\drivers\AGP440.SYS
[2008.01.21 04:45:05 | 000,064,568 | ---- | M] (Microsoft Corporation) MD5=F6F6793B7F17B550ECFDBD3B229173F7 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_163188bf770e4ab0\AGP440.sys
[2008.01.21 04:45:05 | 000,064,568 | ---- | M] (Microsoft Corporation) MD5=F6F6793B7F17B550ECFDBD3B229173F7 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_181d01cb743015fc\AGP440.sys

< MD5 for: ATAPI.SYS >
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\Driver Cache\i386\sp1.cab:atapi.sys
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\sp1.cab:atapi.sys
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\Driver Cache\i386\sp1.cab:atapi.sys
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\sp1.cab:atapi.sys
[2008.01.21 04:45:04 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\atapi.sys
[2002.08.29 00:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\atapi.sys
[2002.08.29 00:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\atapi.sys
[2002.08.29 09:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\atapi.sys
[2002.08.29 09:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\drivers\atapi.sys
[2001.08.17 20:51:56 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\atapi.sys
[2001.08.17 20:51:56 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2001.10.25 13:00:00 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\atapi.sys
[2009.04.11 09:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_3b423ca9d7090b1e\atapi.sys

< MD5 for: CDROM.SYS >
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\Driver Cache\i386\sp1.cab:cdrom.sys
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\sp1.cab:cdrom.sys
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\Driver Cache\i386\sp1.cab:cdrom.sys
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\sp1.cab:cdrom.sys
[2008.01.21 04:45:08 | 000,079,872 | ---- | M] (Microsoft Corporation) MD5=3B2FB35363423ED60C8FBF15FC8680BD -- C:\Windows\winsxs\amd64_cdrom.inf_31bf3856ad364e35_6.0.6001.18000_none_bbc7f7665c24db80\cdrom.sys
[2002.08.29 00:27:56 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=6506E033AD04CFEC9EE56DBEFD1083DD -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\cdrom.sys
[2002.08.29 00:27:56 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=6506E033AD04CFEC9EE56DBEFD1083DD -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\cdrom.sys
[2002.08.29 09:27:56 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=6506E033AD04CFEC9EE56DBEFD1083DD -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\cdrom.sys
[2002.08.29 09:27:56 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=6506E033AD04CFEC9EE56DBEFD1083DD -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\drivers\cdrom.sys
[2009.04.11 07:34:39 | 000,079,872 | ---- | M] (Microsoft Corporation) MD5=C025AA69BE3D0D25C7A2E746EF6F94FC -- C:\Windows\winsxs\amd64_cdrom.inf_31bf3856ad364e35_6.0.6002.18005_none_bdb370725946a6cc\cdrom.sys
[2002.05.30 13:00:00 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=CB762E814F602229A574F4D78D3D6A30 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\cdrom.sys
[2001.10.25 13:00:00 | 000,047,488 | ---- | M] (Microsoft Corporation) MD5=CB762E814F602229A574F4D78D3D6A30 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\cdrom.sys

< MD5 for: CNGAUDIT.DLL >
[2006.11.02 13:16:48 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=21322B1A2AD337C579F4A65EA0D25193 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_424bc4aceb06de1c\cngaudit.dll
[2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\SysWOW64\cngaudit.dll
[2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\SysWOW64\cngaudit.dll
[2006.11.02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: CRYPTSVC.DLL >
[2002.09.20 17:03:40 | 000,053,248 | ---- | M] (Microsoft Corporation) MD5=031E7FF41B13B658CAE7D6C98086F76A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\cryptsvc.dll
[2002.09.20 17:03:40 | 000,053,248 | ---- | M] (Microsoft Corporation) MD5=031E7FF41B13B658CAE7D6C98086F76A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\cryptsvc.dll
[2002.09.21 02:03:40 | 000,053,248 | ---- | M] (Microsoft Corporation) MD5=031E7FF41B13B658CAE7D6C98086F76A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\cryptsvc.dll
[2002.09.21 02:03:40 | 000,053,248 | ---- | M] (Microsoft Corporation) MD5=031E7FF41B13B658CAE7D6C98086F76A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\cryptsvc.dll
[2009.04.11 09:11:14 | 000,166,912 | ---- | M] (Microsoft Corporation) MD5=18918613E63F387CDE4D95CA7D49DCF7 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_d409adf4504e8a6b\cryptsvc.dll
[2008.01.21 04:47:27 | 000,165,376 | ---- | M] (Microsoft Corporation) MD5=4374F784121D8B3BB466B03F5E5EBD33 -- C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_d21e34e8532cbf1f\cryptsvc.dll
[2008.01.21 04:48:14 | 000,128,000 | ---- | M] (Microsoft Corporation) MD5=6DE363F9F99334514C46AEC02D3E3678 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\cryptsvc.dll
[2002.05.30 13:00:00 | 000,051,200 | ---- | M] (Microsoft Corporation) MD5=849D84F975D682B333AF158B8ABFD221 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\cryptsvc.dll
[2001.10.25 13:00:00 | 000,051,200 | ---- | M] (Microsoft Corporation) MD5=849D84F975D682B333AF158B8ABFD221 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\cryptsvc.dll
[2009.04.11 08:28:18 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=FB27772BEAF8E1D28CCD825C09DA939B -- C:\Windows\SysWOW64\cryptsvc.dll
[2009.04.11 08:28:18 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=FB27772BEAF8E1D28CCD825C09DA939B -- C:\Windows\SysWOW64\cryptsvc.dll
[2009.04.11 08:28:18 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=FB27772BEAF8E1D28CCD825C09DA939B -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_77eb127097f11935\cryptsvc.dll

< MD5 for: EVENTLOG.DLL >
[2002.05.30 13:00:00 | 000,047,616 | ---- | M] (Microsoft Corporation) MD5=8DAEFE31BA545A98E07A976F7435CC5B -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\eventlog.dll
[2001.10.25 13:00:00 | 000,047,616 | ---- | M] (Microsoft Corporation) MD5=8DAEFE31BA545A98E07A976F7435CC5B -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\eventlog.dll
[2002.09.20 17:03:50 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=E8508E7F865490D8AE71D00C8DF4D227 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\eventlog.dll
[2002.09.20 17:03:50 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=E8508E7F865490D8AE71D00C8DF4D227 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\eventlog.dll
[2002.09.21 02:03:50 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=E8508E7F865490D8AE71D00C8DF4D227 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\eventlog.dll
[2002.09.21 02:03:50 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=E8508E7F865490D8AE71D00C8DF4D227 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2002.05.30 13:00:00 | 001,001,472 | ---- | M] (Microsoft Corporation) MD5=0348A56A9E9A658AE3AD15B42026498E -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\explorer.exe
[2001.10.25 13:00:00 | 001,001,472 | ---- | M] (Microsoft Corporation) MD5=0348A56A9E9A658AE3AD15B42026498E -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\explorer.exe
[2002.09.20 17:05:24 | 001,004,544 | ---- | M] (Microsoft Corporation) MD5=11D80755545CFB5EB9659EE88440EAE2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\explorer.exe
[2002.09.20 17:05:24 | 001,004,544 | ---- | M] (Microsoft Corporation) MD5=11D80755545CFB5EB9659EE88440EAE2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\explorer.exe
[2002.09.21 02:05:24 | 001,004,544 | ---- | M] (Microsoft Corporation) MD5=11D80755545CFB5EB9659EE88440EAE2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\explorer.exe
[2002.09.21 02:05:24 | 001,004,544 | ---- | M] (Microsoft Corporation) MD5=11D80755545CFB5EB9659EE88440EAE2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\explorer.exe
[2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_b5f700fe698beb14\explorer.exe
[2008.10.29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2008.10.29 08:15:50 | 003,087,360 | ---- | M] (Microsoft Corporation) MD5=50514057C28A74BAC2BD04B7B990D615 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_aba256ac352b2919\explorer.exe
[2008.10.30 05:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_b8583e9d7fda0512\explorer.exe
[2009.04.11 09:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\explorer.exe
[2009.04.11 09:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_afbebba22f3bab41\explorer.exe
[2008.10.28 04:30:12 | 003,086,848 | ---- | M] (Microsoft Corporation) MD5=72B9990E45C25AA3C75C4FB50A9D6CE0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_ac5266dd4e2b0a41\explorer.exe
[2008.10.29 08:49:22 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SysWOW64\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SysWOW64\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_ba1365f4639c6d3c\explorer.exe
[2008.10.30 07:30:07 | 003,081,216 | ---- | M] (Microsoft Corporation) MD5=E404A65EF890140410E9F3D405841C95 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_ae03944b4b794317\explorer.exe
[2008.10.28 04:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_b6a7112f828bcc3c\explorer.exe
[2008.01.21 04:47:02 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=F6D765FB6B457542D954682F50C26E4F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_add342963219dff5\explorer.exe
[2008.01.21 04:47:42 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_b827ece8667aa1f0\explorer.exe

< MD5 for: HAL.DLL >
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\Driver Cache\i386\sp1.cab:hal.dll
[2002.09.20 17:17:54 | 010,174,968 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\sp1.cab:hal.dll
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\Driver Cache\i386\sp1.cab:hal.dll
[2003.01.12 22:08:22 | 012,110,692 | ---- | M] () .cab file -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\sp1.cab:hal.dll
[2002.08.29 00:05:06 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=14899FB16E1263BDC6E17AEC0A69BB97 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\hal.dll
[2002.08.29 09:05:06 | 000,101,376 | ---- | M] (Microsoft Corporation) MD5=14899FB16E1263BDC6E17AEC0A69BB97 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\hal.dll
[2009.04.11 09:15:31 | 000,233,448 | ---- | M] (Microsoft Corporation) MD5=822EA80D8E91D1BD5F31954348842AAA -- C:\Windows\winsxs\amd64_hal.inf_31bf3856ad364e35_6.0.6002.18005_none_612624babd6ea012\hal.dll
[2002.05.30 13:00:00 | 000,128,768 | ---- | M] (Microsoft Corporation) MD5=AF609C7C513B3857107FF875B26A57F2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\hal.dll
[2001.10.25 13:00:00 | 000,128,768 | ---- | M] (Microsoft Corporation) MD5=AF609C7C513B3857107FF875B26A57F2 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\hal.dll
[2008.01.21 04:45:05 | 000,233,528 | ---- | M] (Microsoft Corporation) MD5=D63C785A6EF1A3DE684781698A0CC9AF -- C:\Windows\winsxs\amd64_hal.inf_31bf3856ad364e35_6.0.6001.18000_none_5f3aabaec04cd4c6\hal.dll
[2002.08.29 00:05:04 | 000,127,872 | ---- | M] (Microsoft Corporation) MD5=E8D2B5D5186A9B93D7019D7A74D77A1E -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\HAL.DLL
[2002.08.29 09:05:04 | 000,127,872 | ---- | M] (Microsoft Corporation) MD5=E8D2B5D5186A9B93D7019D7A74D77A1E -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\HAL.DLL

< MD5 for: IASTOR.SYS >
[2008.07.20 17:44:44 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2008.07.20 17:44:54 | 000,402,456 | ---- | M] (Intel Corporation) MD5=FC28E90F2204D8FD147FA9BFA8A51C01 -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys

< MD5 for: IASTORV.SYS >
[2008.01.21 04:45:13 | 000,290,872 | ---- | M] (Intel Corporation) MD5=3E3BF3627D886736D0B4E90054F929F6 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_0b2fedfc40256bc5\iaStorV.sys

< MD5 for: IDECHNDR.SYS >
[2002.03.25 23:00:00 | 000,093,242 | ---- | M] (Intel Corporation) MD5=83C96EA7322B109A225D0A6C611D8881 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\IdeChnDr.sys
[2002.03.25 23:00:00 | 000,093,242 | ---- | M] (Intel Corporation) MD5=83C96EA7322B109A225D0A6C611D8881 -- C:\Pavel Vacek data\zaloha\Program Files\Intel\Intel Application Accelerator\Driver\idechndr.sys

< MD5 for: ISAPNP.SYS >
[2008.01.21 04:45:05 | 000,023,608 | ---- | M] (Microsoft Corporation) MD5=0672BFCEDC6FC468A2B0500D81437F4F -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_163188bf770e4ab0\isapnp.sys
[2008.01.21 04:45:05 | 000,023,608 | ---- | M] (Microsoft Corporation) MD5=0672BFCEDC6FC468A2B0500D81437F4F -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_181d01cb743015fc\isapnp.sys
[2001.10.24 10:44:12 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=1091528512E4DD7ED5FDDCC4DF1C53D7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\dllcache\isapnp.sys
[2001.10.24 10:44:12 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=1091528512E4DD7ED5FDDCC4DF1C53D7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\isapnp.sys
[2002.05.30 13:00:00 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=1091528512E4DD7ED5FDDCC4DF1C53D7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\ReinstallBackups\0003\DriverFiles\i386\isapnp.sys
[2001.10.25 13:00:00 | 000,035,840 | ---- | M] (Microsoft Corporation) MD5=1091528512E4DD7ED5FDDCC4DF1C53D7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\drivers\isapnp.sys

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in MBR

#5 Post by Zakov »

OTL log, part 2

< MD5 for: LSASS.EXE >
[2009.06.15 15:21:28 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=02474FBCB00AA5C622E92F620DB9A041 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_02bcb9272e6ecc60\lsass.exe
[2009.09.10 17:22:14 | 000,009,728 | ---- | M] (Microsoft Corporation) MD5=1104B18819392FEA12FB5F9E170E66B3 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21125_none_00fbc3d9312b9991\lsass.exe
[2009.02.13 10:52:40 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=1979F94B28107233315DD6220F2304DD -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22376_none_02ad19252e799f25\lsass.exe
[2008.01.21 04:46:34 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=1B461E9F6DB0EF829B4369F47A24BBEC -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_026926461528a96c\lsass.exe
[2008.01.21 04:46:34 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=1B461E9F6DB0EF829B4369F47A24BBEC -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_02635b98152c3e5e\lsass.exe
[2008.01.21 04:46:34 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=1B461E9F6DB0EF829B4369F47A24BBEC -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_04549f52124a74b8\lsass.exe
[2009.06.15 15:34:54 | 000,009,728 | ---- | M] (Microsoft Corporation) MD5=1E766E4C5BF9E230AD37A56BF7DB6C94 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_00d282d7314a3edc\lsass.exe
[2009.06.15 15:32:30 | 000,009,728 | ---- | M] (Microsoft Corporation) MD5=306E4503E083A498AE797FF59FA72839 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16870_none_00373bf8183ad660\lsass.exe
[2002.09.20 17:05:32 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=32F7074BAC9A5F899CCA9C046C9FA6EB -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\lsass.exe
[2002.09.20 17:05:32 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=32F7074BAC9A5F899CCA9C046C9FA6EB -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\lsass.exe
[2002.09.21 02:05:32 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=32F7074BAC9A5F899CCA9C046C9FA6EB -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\lsass.exe
[2002.09.21 02:05:32 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=32F7074BAC9A5F899CCA9C046C9FA6EB -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\lsass.exe
[2009.06.15 15:15:02 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=40348DCEC0712ED42231C5F90A69A690 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18051_none_041a8e8e12769b11\lsass.exe
[2009.09.09 13:32:36 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=41FB90DF49F203672F459122EF1F13B1 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22518_none_02effd0d2e47247b\lsass.exe
[2009.02.13 07:14:46 | 000,009,728 | ---- | M] (Microsoft Corporation) MD5=563B71CEF1D46A24C5980FA2988DB67F -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21010_none_0101906d312801c6\lsass.exe
[2009.06.15 15:26:45 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=80F4593E92FF960E4763380D3168E498 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18272_none_021f7b32155f99ff\lsass.exe
[2009.09.10 16:57:16 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=BBBCE2DACDCCD5EA60A50D0023AE2DE9 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22223_none_04c69d972b7a16dd\lsass.exe
[2009.02.13 09:46:54 | 000,009,728 | ---- | M] (Microsoft Corporation) MD5=E231BDBD7D69857EEFFDEB3A48A53824 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.16820_none_006d4b9418124aab\lsass.exe
[2009.06.15 15:12:52 | 000,011,264 | ---- | M] (Microsoft Corporation) MD5=EBDAEE60E442BEA413E5D7CEDFB09463 -- C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_04a52ba32b935432\lsass.exe
[2002.05.30 13:00:00 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=F80A83B21434C30A788EB8991E6A61ED -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\lsass.exe
[2001.10.25 13:00:00 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=F80A83B21434C30A788EB8991E6A61ED -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\lsass.exe

< MD5 for: NDIS.SYS >
[2008.01.21 04:48:57 | 000,739,384 | ---- | M] (Microsoft Corporation) MD5=2A2EE457AF36C5C9A6808C768BD3A12B -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_03e5c74ad46c7e4e\ndis.sys
[2002.08.29 01:09:26 | 000,167,552 | ---- | M] (Microsoft Corporation) MD5=3B350E5A2A5E951453F3993275A4523A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\ServicePackFiles\i386\ndis.sys
[2002.08.29 01:09:26 | 000,167,552 | ---- | M] (Microsoft Corporation) MD5=3B350E5A2A5E951453F3993275A4523A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\system32\drivers\ndis.sys
[2002.08.29 10:09:26 | 000,167,552 | ---- | M] (Microsoft Corporation) MD5=3B350E5A2A5E951453F3993275A4523A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\ServicePackFiles\i386\ndis.sys
[2002.08.29 10:09:26 | 000,167,552 | ---- | M] (Microsoft Corporation) MD5=3B350E5A2A5E951453F3993275A4523A -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\system32\drivers\ndis.sys
[2002.05.30 13:00:00 | 000,161,536 | ---- | M] (Microsoft Corporation) MD5=3EFD4F59BA0A340DE0A3AB984001DBF7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\ndis.sys
[2001.10.25 13:00:00 | 000,161,536 | ---- | M] (Microsoft Corporation) MD5=3EFD4F59BA0A340DE0A3AB984001DBF7 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\ndis.sys
[2009.04.11 09:15:34 | 000,738,264 | ---- | M] (Microsoft Corporation) MD5=65950E07329FCEE8E6516B17C8D0ABB6 -- C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_05d14056d18e499a\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008.01.21 04:49:23 | 000,716,800 | ---- | M] (Microsoft Corporation) MD5=5D0A4891F8CD0E9E64FF57A6A34044F5 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_59d652c6f057598d\netlogon.dll
[2002.05.30 13:00:00 | 000,397,824 | ---- | M] (Microsoft Corporation) MD5=606FAB9689DA902468D0D150B90D93A9 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS.OLD\$NtServicePackUninstall$\netlogon.dll
[2001.10.25 13:00:00 | 000,397,824 | ---- | M] (Microsoft Corporation) MD5=606FAB9689DA902468D0D150B90D93A9 -- C:\Pavel Vacek data\zaloha\Plocha\Zaloha\WINDOWS0.OLD\$NtServicePackUninstall$\netlogon.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\*.dll /lockedfiles >

< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >

< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WUAUSERV
IMAGEPATH REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs

< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BITS
IMAGEPATH REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs

< %systemroot%\system32\drivers\*.sys /3 >

< %systemroot%\system32\*.* /3 >
< End of report >

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#6 Post by motji »

Gmer doesn't work very well on your OS either :roll:
I need to know how many disks you have and how many systems. Where exactly does NOD report the Mebroot?

:arrow: Download Bootkit Remover http://www.esagelab.com/files/bootkit_remover.rar
- save it to the desktop and run it
- right-click in the black window, choose Select All, press CTRL+C and then CTRL+V here on the forum.
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting a computer :!:
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#7 Post by Zakov »

There are 2 HDDs in RAID 1 (mirror) in the PC, so Windows sees one HDD. There is only one system (Vista). NOD reports Mebroot in sector 5 of the MBR. I went through older logs and it also reported it in sectors 1 and 6.

Bootkit Remover log:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Business Edition Service Pack 2 (build 6002)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#8 Post by motji »

Do you have all important files backed up? If not, back them up :!:
Do you have the installation CD?

:arrow: Download HxD portable http://mh-nexus.de/en/downloads.php?product=HxD
- save it to the desktop
- unpack it and save the program directly on drive C
- run it
- click Open Disk - choose hard disks (physical disks) :!: (don't get them mixed up)
- select hard disk 1
- type the number of the sector you want to open in the prompt, confirm with Enter, and you will be directly in that sector
- tell me what you have in sectors 1-62
- tell me where you have the NTLDR record (I have it between the 63rd and 64th sector)

So that you have an idea of what to look for, this is what my sector 60 looks like; all sectors from 1 to 62 should look like this, but you probably won't have them that way.

[Image: screenshot of sector 60 in HxD]
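The same check the two posts above walk through by hand (the Bootkit Remover boot-sector MD5, then the look at sectors 1-62 before the first partition and at the NTLDR/VBR record at sector 63), as an added Python example that is not from the thread or from either tool. It builds a constructed 64-sector disk image in memory; the function names and the sample sector contents are assumptions, and reading a real drive through `\\.\PhysicalDrive0` needs administrator rights.

```python
import hashlib
import struct
import sys

SECTOR = 512  # bytes per sector, the unit HxD and Bootkit Remover address
MBR_SIGNATURE = b"\x55\xAA"


def build_sample_image(total_sectors=64):
    """Constructed 64-sector image: MBR in sector 0, NTFS-style VBR in sector 63,
    and some bytes in sectors 32/33 to mimic what the user reports in the thread."""
    img = bytearray(SECTOR * total_sectors)
    # Sector 0: stand-in boot code, one partition entry starting at LBA 63, signature.
    img[0:3] = b"\x33\xC0\x8E"
    img[3:25] = b"constructed MBR sample"
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF,
                        63, total_sectors - 63)
    img[446:462] = entry
    img[510:512] = MBR_SIGNATURE
    # Sectors 32 and 33: constructed non-empty content inside the MBR gap.
    img[32 * SECTOR:32 * SECTOR + 8] = b"OEMDATA1"
    img[33 * SECTOR + 100:33 * SECTOR + 104] = b"\x01\x02\x03\x04"
    # Sector 63: the first partition's volume boot record (NTFS OEM id).
    vbr = 63 * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"
    img[vbr + 3:vbr + 11] = b"NTFS    "
    img[vbr + 510:vbr + 512] = MBR_SIGNATURE
    return bytes(img)


def parse_partition_table(mbr):
    """Return the used entries of the classic four-slot MBR partition table."""
    parts = []
    for i in range(4):
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "start_lba": start, "sectors": size})
    return parts


def inspect_mbr_gap(image):
    """Hash the boot sector, check its signature, list every non-empty sector
    between the MBR and the first partition, and check that partition's VBR."""
    mbr = image[:SECTOR]
    parts = parse_partition_table(mbr)
    first_lba = min(p["start_lba"] for p in parts) if parts else None
    report = {
        "boot_sector_md5": hashlib.md5(mbr).hexdigest(),
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "partitions": parts,
        "first_partition_lba": first_lba,
        "nonempty_gap_sectors": [],
        "vbr_signature_ok": False,
        "vbr_oem_id": None,
    }
    if first_lba is None or first_lba * SECTOR >= len(image):
        return report
    # Sectors 1 .. first_lba-1 are unused by the filesystem; these are the ones
    # the helper asks to look at. A non-empty one is something to review by eye,
    # not proof of a bootkit: OEM tools and boot managers also park data here.
    for n in range(1, first_lba):
        if any(image[n * SECTOR:(n + 1) * SECTOR]):
            report["nonempty_gap_sectors"].append(n)
    vbr = image[first_lba * SECTOR:(first_lba + 1) * SECTOR]
    report["vbr_signature_ok"] = vbr[510:512] == MBR_SIGNATURE
    report["vbr_oem_id"] = vbr[3:11].decode("ascii", "replace").strip()
    return report


def load_image(path, sectors=64):
    """Read the first `sectors` sectors of a disk image file or raw device."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR * sectors)


if __name__ == "__main__":
    # With no argument the constructed image is used; otherwise a path such as
    # an image file or (as administrator) \\.\PhysicalDrive0.
    data = load_image(sys.argv[1]) if len(sys.argv) > 1 else build_sample_image()
    for key, value in inspect_mbr_gap(data).items():
        print(f"{key}: {value}")
```

Comparing `boot_sector_md5` across runs is the same test Bootkit Remover prints; a changed hash or an unexpected sector list is the cue to look at those sectors in HxD as the post describes.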

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#9 Post by Zakov »

The backup will take a while. I'll get back to you tomorrow.
Thanks for now.

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#10 Post by motji »

Better do that backup. Bootkit Remover doesn't report anything, but given the OS you have, it may have a bug with it. And any change to the MBR always carries the risk of losing some data.

I'll be here tomorrow mainly in the evening, around 22:00, sometimes earlier :)

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#11 Post by Zakov »

Good evening :-).

There are some records in sectors 0, 32 and 33. In sector 48 there is the letter B. I'm not sure how to recognize the NTLDR record; in sector 63 the first line mentions freedos and the last line says KERNEL SYS. That's probably it, right? :-)

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#12 Post by motji »

I probably wouldn't repair anything yet; you have nothing in sector 5 or sector 6.
Let's try Web CureIt for now.

How often does NOD report the infection?

:arrow: Download Dr.Web CureIt http://www.viry.cz/forum/viewtopic.php?f=29&t=47721
- run a scan; let it cure or delete whatever it finds
- the scan may take several hours
- File/Save results - save it as a text file and copy it here

Zakov
Visitor
Posts: 118
Registered: 15 Feb 2010 20:22

Re: Mebroot.K in the MBR

#13 Post by Zakov »

NOD has been reporting it on and off for about 1.5 months. The PC isn't mine; I wouldn't have let it go that far :-). Now I tried setting NOD to check RAM and the boot sector, and nothing :-).
We'll also try CureIt, and if nothing shows up, we'll let it be :-)

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Mebroot.K in the MBR

#14 Post by motji »

NOD is sometimes somewhat paranoid :roll:. HxD doesn't show anything abnormal either, nor does Bootkit Remover.
Try Web CureIt and we'll see.
A data backup always comes in handy :D
