VIRY.CZ

Dobrý den
mám notebook mého švagra, který je napaden virem W32/Katusha.BN. Na PC byl naistalovaný AVAST, ale nebyl funkční.
Projel jsem systém ActiveScanem od panda security, smazal všeechny napadené soubory, ale vir se neustále vrací.
Při pokusu nainstalovat jiný antivir je ten po chvilce napaden a zablokován.
prosím o pomoc.
Hynek

LOG:
Logfile of random's system information tool 1.09 (written by random/random)
Run by A at 2011-07-23 16:59:12
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (14%) free of 76 GB
Total RAM: 502 MB (74% free)

HijackThis download failed

======Scheduled tasks folder======

C:\windows\tasks\GoogleUpdateTaskMachineCore.job
C:\windows\tasks\GoogleUpdateTaskMachineUA.job
C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1935655697-1801674531-1003Core.job
C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1935655697-1801674531-1003UA.job
C:\windows\tasks\WGASetup.job

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\A\Data aplikací\Mozilla\Firefox\Profiles\6hd2ya0i.default

prefs.js - "browser.startup.homepage" - "www.seznam.cz"

"{20a82645-c095-46ed-80e3-08825760534b}"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"wrc@avast.com"=C:\PROGRA~1\AVASTS~1\Avast\WebRep\FF


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@pandasecurity.com/activescan]
"Description"=Panda ActiveScan 2.0
"Path"=C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}
{B13721C7-F507-4982-B2E5-502A71474FED}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll

C:\Program Files\Mozilla Firefox\plugins\
nppdf32.dll

C:\Program Files\Mozilla Firefox\searchplugins\
Cetrumcz_igeared.xml
google.xml
heureka-cz.xml
jyxo-cz.xml
seznam-cz.xml
slunecnice-cz.xml
wikipedia-cz.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}]
GamePlayLabsBHO Class - C:\Documents and Settings\A\Local Settings\Data aplikací\GamePlayLabs Plugin\BHO.dll [2011-03-08 432640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D5D47440-0750-463D-BAEF-A47D02414806}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\windows\RTHDCPL.EXE [2006-08-16 16248320]
"SkyTel"=C:\windows\SkyTel.EXE [2006-08-16 2879488]
"Alcmtr"=C:\windows\ALCMTR.EXE [2006-08-16 69632]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2006-08-16 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-03-03 761946]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-03-23 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-03-23 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-03-23 118784]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2006-07-21 593920]
"wxpdrv"=C:\windows\services32.exe []
"tray_ico"= []
"tray_ico0"=C:\WINDOWS\update.tray-7-0\svchost.exe []
"tray_ico1"= []
"tray_ico2"= []
"tray_ico3"= []
"tray_ico4"= []
"sysdriver32.exe"=C:\windows\sysdriver32.exe rezerv []
"sysdriver32_.exe"=C:\windows\sysdriver32_.exe rezerv []
"systemup"=C:\WINDOWS\systemup.exe stand []
"l1rezerv.exe"=C:\WINDOWS\l1rezerv.exe []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-06-08 37296]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-03-30 937920]
"90470898-loader2.exe"=C:\DOCUME~1\A\LOCALS~1\Temp\90470898-loader2.exe []
"avast"=C:\Program Files\AVAST Software\Avast\avastUI.exe [2011-07-04 3493720]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\windows\system32\ctfmon.exe [2008-04-14 15360]
"uTorrent"=C:\Program Files\uTorrent\uTorrent.exe [2011-02-25 395128]
"365dni"=C:\Program Files\365dni\365dniNET.exe [2010-05-13 858624]
"Google Update"=C:\Documents and Settings\A\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe [2011-06-04 136176]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2007-12-07 21686568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-06-08 37296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\Winampa.exe [2002-04-24 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

C:\Documents and Settings\A\Nabídka Start\Programy\Po spuštění
OpenOffice.org 3.3.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\windows\system32\igfxdev.dll [2006-03-23 139264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\wxpdrivers]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
"EnableSecureUIAPaths"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\A\Plocha\Flash-Player.exe"="C:\Documents and Settings\A\Plocha\Flash-Player.exe:*:Enabled:C:\Documents and Settings\A\Plocha\Flash-Player.exe"
"C:\WINDOWS\update.1\svchost.exe"="C:\windows\update.1\svchost.exe:*:Enabled:C:\windows\update.1\svchost.exe"
"C:\WINDOWS\update.tray-7-0\svchost.exe"="C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe"
"C:\WINDOWS\update.2\svchost.exe"="C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"vidc.iyuv"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvu9"=tsbyuv.dll
"vidc.yvyu"=msyuv.dll
"wavemapper"=msacm32.drv
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=L3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"vidc.DIVX"=DivX.dll
"vidc.DIV3"=DivXc32.dll
"vidc.DIV4"=DivXc32f.dll
"msacm.divxa32"=DivXa32.acm
"vidc.MPG4"=Mpg4c32.dll
"vidc.MP42"=Mpg4c32.dll
"vidc.MP43"=Mpg4c32.dll
"VIDC.VIFP"=VFCodec.dll
"msacm.lameacm"=LameACM.dll
"msacm.vorbis"=vorbis.acm
"vidc.xvid"=xvid.dll

======List of files/folders created in the last 1 month======

2011-07-23 16:53:53 ----D---- C:\rsit
2011-07-23 16:53:53 ----D---- C:\Program Files\trend micro
2011-07-23 16:21:00 ----A---- C:\windows\system32\drivers\aswSnx.sys
2011-07-23 16:20:37 ----D---- C:\Program Files\AVAST Software
2011-07-23 16:20:37 ----D---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\Alwil Software
2011-07-23 11:50:15 ----HDC---- C:\windows\$NtUninstallKB2481109$
2011-07-23 11:50:03 ----HDC---- C:\windows\$NtUninstallKB2507618$
2011-07-23 11:49:58 ----HDC---- C:\windows\$NtUninstallKB2508429$
2011-07-23 11:49:52 ----HDC---- C:\windows\$NtUninstallKB2506212$
2011-07-23 11:47:37 ----D---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\Windows Genuine Advantage
2011-07-23 11:34:42 ----D---- C:\Documents and Settings\A\Data aplikací\Mozilla
2011-07-21 22:27:21 ----D---- C:\windows\system32\LogFiles
2011-07-21 22:18:50 ----A---- C:\windows\system32\drivers\pavboot.sys
2011-07-21 22:18:37 ----D---- C:\Program Files\Panda Security
2011-07-21 22:05:02 ----HD---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\Common Files
2011-07-21 22:02:34 ----D---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\MFAData
2011-07-20 22:16:15 ----SHD---- C:\windows\CSC
2011-07-20 22:05:34 ----HDC---- C:\windows\$NtUninstallKB2509553$
2011-07-20 22:05:17 ----HDC---- C:\windows\$NtUninstallKB2555917$
2011-07-20 21:30:58 ----A---- C:\windows\ntbtlog.txt
2011-07-20 21:23:37 ----HDC---- C:\windows\$NtUninstallKB2479943$
2011-07-20 21:23:30 ----HDC---- C:\windows\$NtUninstallKB2485663$
2011-07-20 21:23:07 ----HDC---- C:\windows\$NtUninstallKB961118$
2011-07-20 21:22:52 ----HDC---- C:\windows\$NtUninstallKB2530548$
2011-07-20 21:22:43 ----HDC---- C:\windows\$NtUninstallKB2507938$
2011-07-20 21:22:34 ----HDC---- C:\windows\$NtUninstallKB2510581$
2011-07-20 21:22:27 ----HDC---- C:\windows\$NtUninstallKB2476490$
2011-07-20 21:22:20 ----HDC---- C:\windows\$NtUninstallKB2503665$
2011-07-20 21:21:29 ----HDC---- C:\windows\$NtUninstallKB2524375$
2011-07-20 21:21:23 ----HDC---- C:\windows\$NtUninstallKB2535512$
2011-07-20 21:21:16 ----HDC---- C:\windows\$NtUninstallKB2412687$
2011-07-20 21:15:37 ----HDC---- C:\windows\$NtUninstallKB2508272$
2011-07-20 21:15:28 ----HDC---- C:\windows\$NtUninstallKB2536276$
2011-07-20 21:09:54 ----HDC---- C:\windows\$NtUninstallKB2544893$
2011-07-20 21:02:32 ----HDC---- C:\windows\$NtUninstallKB2541763$
2011-07-20 21:02:27 ----HDC---- C:\windows\$NtUninstallKB2544521$
2011-07-20 20:26:43 ----D---- C:\Program Files\ESET
2011-07-20 17:55:42 ----D---- C:\Documents and Settings\A\Data aplikací\Malwarebytes
2011-07-20 17:55:36 ----A---- C:\windows\system32\drivers\mbamswissarmy.sys
2011-07-20 17:55:35 ----D---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\Malwarebytes
2011-07-20 17:55:32 ----A---- C:\windows\system32\drivers\mbam.sys
2011-07-20 17:55:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-07-20 12:05:16 ----D---- C:\Program Files\Common Files\Adobe
2011-07-20 12:05:16 ----D---- C:\Program Files\Adobe
2011-07-20 12:01:29 ----A---- C:\windows\ddh_iplist.txt
2011-07-20 12:00:23 ----D---- C:\windows\ufa
2011-07-20 12:00:23 ----D---- C:\windows\rpcminer
2011-07-20 12:00:23 ----D---- C:\windows\phoenix
2011-07-20 12:00:09 ----A---- C:\windows\iecheck_iplist.txt
2011-07-20 11:59:19 ----HD---- C:\windows\update.2
2011-07-20 11:59:08 ----A---- C:\windows\unrar.exe
2011-07-20 11:58:29 ----A---- C:\windows\btc_client_iplist.txt
2011-07-20 11:58:08 ----HD---- C:\windows\update.5.0
2011-07-20 11:57:58 ----A---- C:\windows\iplist.txt
2011-07-20 11:57:23 ----A---- C:\windows\front_ip_list.txt
2011-07-20 11:57:18 ----D---- C:\windows\av_ico
2011-07-20 11:56:01 ----HD---- C:\windows\update.1
2011-07-20 11:55:50 ----HD---- C:\windows\update.tray-7-0-lnk
2011-07-20 11:55:50 ----HD---- C:\windows\update.tray-7-0
2011-07-20 11:44:00 ----A---- C:\windows\winlog-ids.txt
2011-07-20 11:44:00 ----A---- C:\windows\winlog-dirs.txt

======List of files/folders modified in the last 1 month======

2011-07-23 16:53:57 ----D---- C:\windows\Prefetch
2011-07-23 16:53:53 ----RD---- C:\Program Files
2011-07-23 16:37:38 ----D---- C:\windows\Temp
2011-07-23 16:25:21 ----D---- C:\windows\system32\CatRoot2
2011-07-23 16:24:19 ----D---- C:\Documents and Settings\A\Data aplikací\Skype
2011-07-23 16:23:21 ----D---- C:\Documents and Settings\A\Data aplikací\uTorrent
2011-07-23 16:22:19 ----D---- C:\windows\system32\drivers
2011-07-23 16:20:49 ----D---- C:\windows\system32
2011-07-23 16:20:49 ----D---- C:\WINDOWS
2011-07-23 16:10:04 ----A---- C:\windows\SchedLgU.Txt
2011-07-23 11:50:18 ----RSHDC---- C:\windows\system32\dllcache
2011-07-23 11:50:18 ----HD---- C:\windows\inf
2011-07-23 11:48:09 ----D---- C:\windows\Debug
2011-07-23 11:47:57 ----SHD---- C:\windows\Installer
2011-07-23 11:43:06 ----D---- C:\windows\SoftwareDistribution
2011-07-23 11:34:32 ----D---- C:\Program Files\Mozilla Firefox
2011-07-23 11:19:00 ----D---- C:\Documents and Settings\A\Data aplikací\skypePM
2011-07-22 00:35:24 ----SHD---- C:\System Volume Information
2011-07-22 00:35:24 ----D---- C:\windows\system32\Restore
2011-07-22 00:25:55 ----D---- C:\Program Files\COMODO BackUp
2011-07-21 22:32:11 ----D---- C:\windows\Microsoft.NET
2011-07-21 22:31:57 ----RSD---- C:\windows\assembly
2011-07-21 22:18:07 ----SD---- C:\windows\Downloaded Program Files
2011-07-20 22:12:51 ----A---- C:\windows\system32\PerfStringBackup.INI
2011-07-20 22:12:11 ----D---- C:\windows\WinSxS
2011-07-20 21:25:15 ----D---- C:\windows\system32\CatRoot
2011-07-20 21:23:29 ----HD---- C:\windows\$hf_mig$
2011-07-20 20:58:51 ----D---- C:\windows\Minidump
2011-07-20 18:49:58 ----A---- C:\windows\winamp.ini
2011-07-20 12:06:06 ----D---- C:\Documents and Settings\All Users.WINDOWS\Data aplikací\Adobe
2011-07-20 12:05:16 ----D---- C:\Program Files\Common Files
2011-07-20 12:00:13 ----D---- C:\windows\system32\drivers\etc
2011-07-20 00:06:51 ----D---- C:\Documents and Settings\A\Data aplikací\vlc
2011-07-19 13:32:12 ----D---- C:\Documents and Settings\A\Data aplikací\dvdcss
2011-07-04 13:43:51 ----A---- C:\windows\system32\aswBoot.exe
2011-07-01 09:54:42 ----A---- C:\windows\system32\MRT.exe
2011-06-25 11:13:35 ----SD---- C:\Documents and Settings\A\Data aplikací\Microsoft

Zdravím,

Vidím nainstalovaný Malwarebytes' Anti-Malware
Spustit > na 3.záložce "Aktualizace" > Kontrola aktualizací
následně na 1.záložce "Kontrolor" -> Úplná kontrola -> Prohledat
po dokončení scanu vyskočí okno Notepad s výsledkem - obsah zkopíruj do své odpovědi
zatím nic nemazat - počkej na posouzení a program nech spuštěný

Bohužel malwabytes nefunguje.
Zkusil jsem naistalovat znovu a jede to. Za chvíli přidám výpis.

Tak už je taky zablokovaný. Výpis nebude

Zkus to v Nouzovém režimu - při problému se ozvi

zkusil jsem i v nouzáku.
Nejde nic.

Restartuj do nouzového režimu s prací v síti.

Stáhni Rkill z jednoho z odkazů, pokud by ho vir blokoval, zkus stáhnout jiný

Rkill EXE:
http://download.bleepingcomputer.com/grinler/rkill.exe

Rkill COM:
http://download.bleepingcomputer.com/grinler/rkill.com

Rkill SCR:
http://download.bleepingcomputer.com/grinler/rkill.scr

Rkill PIF:
http://download.bleepingcomputer.com/grinler/rkill.pif

-spusť a nechej ho pracovat. Sám se ukončí.

- Teď nesmíš restartovat počítač!

Spusť MBAM

Stáhnout jsem ho musel u jiného počítače.
Spustit to nešlo musel jsem to spustit z flešky.
Tady je jeho log.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 23.07.2011 at 19:15:36.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe


Rkill completed on 23.07.2011 at 19:15:39.


Co dál?

Máš to v mé předchozí radě - MBAM

MBAM nejde spustit. Zapomněl jsem to předtím napsat

stáhni
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
spouštěj postupně s volbami "2" - "3" - "4" - "5"
výsledky dávej v odpovědi sem

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: A [Admin rights]
Mode: Scan -- Date : 07/23/2011 20:04:53

Bad processes: 0

Registry Entries: 11
[SUSP PATH] HKLM\[...]\Run : wxpdrv (C:\windows\services32.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : sysdriver32.exe ("C:\windows\sysdriver32.exe" rezerv) -> FOUND
[SUSP PATH] HKLM\[...]\Run : sysdriver32_.exe ("C:\windows\sysdriver32_.exe" rezerv) -> FOUND
[SUSP PATH] HKLM\[...]\Run : systemup ("C:\WINDOWS\systemup.exe" stand) -> FOUND
[SUSP PATH] HKLM\[...]\Run : l1rezerv.exe ("C:\WINDOWS\l1rezerv.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : 90470898-loader2.exe ("C:\DOCUME~1\A\LOCALS~1\Temp\90470898-loader2.exe") -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt


RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: A [Admin rights]
Mode: Remove -- Date : 07/23/2011 20:05:52

Bad processes: 0

Registry Entries: 11
[SUSP PATH] HKLM\[...]\Run : wxpdrv (C:\windows\services32.exe) -> DELETED
[SUSP PATH] HKLM\[...]\Run : sysdriver32.exe ("C:\windows\sysdriver32.exe" rezerv) -> DELETED
[SUSP PATH] HKLM\[...]\Run : sysdriver32_.exe ("C:\windows\sysdriver32_.exe" rezerv) -> DELETED
[SUSP PATH] HKLM\[...]\Run : systemup ("C:\WINDOWS\systemup.exe" stand) -> DELETED
[SUSP PATH] HKLM\[...]\Run : l1rezerv.exe ("C:\WINDOWS\l1rezerv.exe") -> DELETED
[SUSP PATH] HKLM\[...]\Run : 90470898-loader2.exe ("C:\DOCUME~1\A\LOCALS~1\Temp\90470898-loader2.exe") -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: A [Admin rights]
Mode: HOSTSFix -- Date : 07/23/2011 20:06:12

Bad processes: 0

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Resetted HOSTS:
127.0.0.1 localhost

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: A [Admin rights]
Mode: ProxyFix -- Date : 07/23/2011 20:06:32

Bad processes: 0

Registry Entries: 0

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: A [Admin rights]
Mode: DNSFix -- Date : 07/23/2011 20:06:58

Bad processes: 0

Registry Entries: 0

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt

šestku jsem nespouštěl.

OK, pokud by nešel spustit MBAM, aplikuj ještě
stáhni http://www.raktor.net/exeHelper/exeHelper.com na plochu a dvojklikem spusť.
po skončení opravy vyskočí log, který sem zkopíruj.

Tady to je:

exeHelper by Raktor
Build 20100414
Run at 20:23:56 on 07/23/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

a MBAM?

Nejde spustit