
Spamming PC

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Spamming PC

#1 Post by pepik24 »

Hello, and I am begging you for help.
The PC sends SPAM to the contacts in Outlook, and we have already ended up on blacklists several times. We had to disconnect it from the network, because some network communication was going on all the time and it was flooding our network.

RSIT log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Uživatel at 2010-02-08 15:07:32
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 44 GB (38%) free of 114 GB
Total RAM: 511 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:36, on 8.2.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Uživatel\Plocha\RSIT.exe
C:\Documents and Settings\Uživatel\Plocha\Uživatel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7773216750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 4853 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-04-16 405504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"=C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe [2007-08-09 528384]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"Easy-PrintToolBox"=C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-05-03 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41268d82-0593-11df-8b56-00e04c2c0586}]
shell\AutoRun\command - F:\RECYCLER\autorun.exe
shell\open\command - F:\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{705ce036-cd25-11de-be08-00e04c2c0586}]
shell\AutoRun\command - I:\RECYCLER\autorun.exe
shell\open\command - I:\RECYCLER\autorun.exe


======List of files/folders created in the last 1 months======

2010-02-08 15:07:32 ----D---- C:\rsit
2010-01-13 07:40:40 ----D---- C:\Config.Msi
2010-01-13 07:38:22 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2010-02-08 15:07:16 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-08 15:07:13 ----SD---- C:\WINDOWS\Tasks
2010-02-08 15:05:28 ----D---- C:\WINDOWS\Temp
2010-02-08 15:01:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-08 15:00:41 ----D---- C:\WINDOWS\Prefetch
2010-02-08 08:31:49 ----RSHD---- C:\RECYCLER
2010-02-03 12:59:15 ----D---- C:\WINDOWS\system32
2010-01-13 07:58:19 ----HD---- C:\WINDOWS\inf
2010-01-13 07:58:18 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-13 07:45:02 ----D---- C:\WINDOWS\system32\config
2010-01-13 07:44:18 ----D---- C:\WINDOWS\system32\wbem
2010-01-13 07:44:15 ----D---- C:\WINDOWS\Registration
2010-01-13 07:42:44 ----DC---- C:\WINDOWS\$NtUninstallKB971737$
2010-01-13 07:42:44 ----D---- C:\WINDOWS
2010-01-13 07:42:43 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-13 07:42:43 ----DC---- C:\WINDOWS\$NtUninstallKB974392$
2010-01-13 07:42:42 ----DC---- C:\WINDOWS\$NtUninstallKB973904$
2010-01-13 07:42:35 ----D---- C:\Program Files\Internet Explorer
2010-01-13 07:42:19 ----DC---- C:\WINDOWS\$NtUninstallKB974318$
2010-01-13 07:42:15 ----DC---- C:\WINDOWS\$NtUninstallKB970430$
2010-01-13 07:42:15 ----D---- C:\WINDOWS\system32\drivers
2010-01-13 07:41:44 ----D---- C:\Zakazky
2010-01-13 07:41:44 ----D---- C:\Program Files\E-Zak
2010-01-13 07:41:43 ----D---- C:\Idapi
2010-01-13 07:41:19 ----SHD---- C:\WINDOWS\Installer
2010-01-13 07:41:14 ----D---- C:\Program Files\Nero
2010-01-13 07:41:13 ----RD---- C:\Program Files
2010-01-13 07:41:12 ----D---- C:\Documents and Settings\All Users\Data aplikací\page
2010-01-13 07:38:53 ----D---- C:\Documents and Settings

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-05-03 1540608]
R3 atinrvxx;ATI WDM Rage Theater Video; C:\WINDOWS\system32\DRIVERS\atinrvxx.sys [2004-08-04 105984]
R3 ativraxx;ATI WDM Rage Theater Audio; C:\WINDOWS\system32\DRIVERS\atinraxx.sys [2004-08-04 53760]
R3 ATIXSAudio;ATI WDM TV Audio Crossbar; C:\WINDOWS\system32\DRIVERS\atinxsxx.sys [2004-08-04 64512]
R3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\system32\DRIVERS\atinmdxx.sys [2004-08-04 13824]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2007-06-27 207488]
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-05-03 413696]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-05-03 520192]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Služba Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Služba sdílení portů Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


And now, when I ran the scan and saved the log to a flash drive, after moving it to my PC NOD reported an infection in Recycler/autorun and E:/autorun.

Many thanks in advance for the help!!!
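An added example (not part of the original post, and not RSIT's own code) that works through the two AutoRun-related findings in the dump above: the HKCU NoDriveTypeAutoRun value of 145, and the MountPoints2 entries whose AutoRun and open verbs point at F:\RECYCLER\autorun.exe and I:\RECYCLER\autorun.exe. The script decodes the bitmask (bit n disables AutoRun for GetDriveType() class n, so 145 = 0x91 leaves removable media, fixed disks and CD-ROMs enabled, which is the XP default) and lists every cached per-volume shell command, flagging those that run from a RECYCLER folder. The input lines are copied from the log; nothing else is assumed.

```python
"""Decode the AutoRun policy and MountPoints2 commands from an RSIT dump.

Added example; not code from the original post or from RSIT. Input lines are
copied from the registry dump in the post. NoDriveTypeAutoRun is a bitmask in
which bit (1 << GetDriveType() class) disables AutoRun for that class, so the
XP default 145 (0x91) still lets removable media, fixed disks and CD-ROMs
auto-run. MountPoints2 caches the autorun.inf 'open' command of every volume
the user has inserted, which is how F:\\RECYCLER\\autorun.exe ends up bound to
the drive's AutoRun/open verbs.
"""
import re

# GetDriveType() classes (winbase.h); bit n of NoDriveTypeAutoRun disables class n.
DRIVE_TYPES = ["unknown", "no_root_dir", "removable", "fixed",
               "remote", "cdrom", "ramdisk", "reserved"]

MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
COMMAND_RE = re.compile(r"^shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
POLICY_RE = re.compile(r'^"NoDriveTypeAutoRun"=(\d+)$')


def autorun_enabled_types(mask: int) -> list:
    """Drive classes for which the mask does NOT disable AutoRun."""
    return [name for bit, name in enumerate(DRIVE_TYPES) if not mask & (1 << bit)]


def triage_autorun(dump: str):
    """Return (NoDriveTypeAutoRun value or None, list of cached shell commands)."""
    policy, volume, findings = None, None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNTPOINT_RE.match(line):
            volume = m.group(1)              # entering one MountPoints2 volume key
        elif line.startswith("["):
            volume = None                    # any other key ends that context
        elif m := POLICY_RE.match(line):
            policy = int(m.group(1))
        elif (m := COMMAND_RE.match(line)) and volume:
            command = m.group(2).strip()
            findings.append({
                "volume": volume,
                "verb": m.group(1),
                "command": command,
                # Only the Recycle Bin should own a RECYCLER folder; an autorun
                # target living there is the signature of a removable-media worm.
                "suspicious": "\\recycler\\" in command.lower(),
            })
    return policy, findings


# Lines copied from the RSIT registry dump above.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41268d82-0593-11df-8b56-00e04c2c0586}]
shell\AutoRun\command - F:\RECYCLER\autorun.exe
shell\open\command - F:\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{705ce036-cd25-11de-be08-00e04c2c0586}]
shell\AutoRun\command - I:\RECYCLER\autorun.exe
shell\open\command - I:\RECYCLER\autorun.exe
"""

if __name__ == "__main__":
    policy, hits = triage_autorun(SAMPLE_DUMP)
    print("NoDriveTypeAutoRun =", policy, "-> AutoRun still allowed for:",
          ", ".join(autorun_enabled_types(policy)))
    for h in hits:
        flag = "SUSPICIOUS" if h["suspicious"] else "info"
        print(f"{flag}: volume {h['volume']} {h['verb']} -> {h['command']}")
```

MountPoints2 is Explorer's cache of each inserted volume's autorun.inf, so the entries stay behind after the USB stick is gone and keep the double-click (open) verb of F: and I: bound to the worm; deleting those subkeys is part of the clean-up, and setting NoDriveTypeAutoRun to 255 (0xFF) closes the class-level door the decoder shows still open for removable media.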


Re: Spamming PC

#2 Post by pepik24 »

ComboFix did nothing even after 10 minutes; it "froze" at the message "Please wait. ComboFix is preparing to run."
Drives G, H, I, J belong to the card reader; F is my flash drive (which has a folder icon rather than a disk drive icon).
When I try Safe Mode, the PC restarts :(


Re: Spamming PC

#3 Post by pepik24 »

Now after the restart a window pops up:
The application or DLL C:\Doc&Sett\netwok~1\ntload.dll is not a valid Windows image. Please check this against your installation diskette.

During the scan a window popped up several times:
Windows - No Disk - I chose Continue
then some Error with Exception - I clicked OK
and carried on working.
Now for about 10 min it has been saying "Creating restore point - do not interrupt" and evidently nothing is happening.
I'll leave it on overnight; we'll see in the morning. I have to run now...


Re: Spamming PC

#4 Post by pepik24 »

So you were right, it really did nothing overnight. But after a restart I tried again and the scan ran without error messages.

OTL logfile created on: 9.2.2010 7:11:33 - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Uživatel\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

511,00 Mb Total Physical Memory | 226,00 Mb Available Physical Memory | 44,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 67,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111,78 Gb Total Space | 44,32 Gb Free Space | 39,65% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 60,27 Gb Free Space | 40,44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AAG-DBEED10067A
Current User Name: Uživatel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
PRC - [2010.02.08 16:10:18 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\Uživatel\reader_s.exe
PRC - [2010.02.08 16:10:17 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\reader_s.exe
PRC - [2010.02.08 16:08:27 | 000,192,519 | RHS- | M] () -- C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
PRC - [2009.10.03 04:08:38 | 000,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
PRC - [2009.03.08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2008.04.14 08:52:56 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008.04.14 08:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007.08.09 15:48:40 | 000,528,384 | R--- | M] (VIA Technologies, Inc.) -- C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
PRC - [2006.11.03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006.11.03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006.05.03 17:43:46 | 000,471,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006.01.02 16:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


========== Modules (SafeList) ==========

MOD - [2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
MOD - [2009.03.21 15:09:02 | 000,036,864 | -HS- | M] (Microsoft) -- C:\WINDOWS\system32\notepad.dll
MOD - [2004.08.18 13:00:00 | 000,002,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lz32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009.11.06 16:10:01 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\WINDOWS\system32\msdtc -- (MSDTC)
SRV - [2008.07.29 19:16:38 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2006.11.03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006.05.03 17:43:46 | 000,471,040 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2006.05.03 11:57:00 | 000,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart)
SRV - [2003.07.28 20:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2008.04.13 22:09:16 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - [2007.06.27 14:42:00 | 000,207,488 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2006.05.03 17:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004.08.18 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink)
DRV - [2004.08.04 02:08:36 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\atinmdxx.sys -- (MVDCODEC)
DRV - [2004.08.04 02:08:30 | 000,105,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\atinrvxx.sys -- (atinrvxx)
DRV - [2004.08.04 02:08:08 | 000,064,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\atinxsxx.sys -- (ATIXSAudio)
DRV - [2004.08.04 02:07:52 | 000,053,760 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\atinraxx.sys -- (ativraxx)
DRV - [2004.08.03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
IE - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004.08.18 13:00:00 | 000,000,737 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe (VIA Technologies, Inc.)
O4 - HKLM..\Run: [Calc32] C:\WINDOWS\System32\regedit.exe ()
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL (Microsoft)
O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe ()
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20 File not found
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20 File not found
O4 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe ()
O4 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003..\Run: [notepad] C:\Documents and Settings\NetworkService\ntload.dll ()
O4 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003..\Run: [reader_s] C:\Documents and Settings\Uživatel\reader_s.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 7773216750 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\init.exe) - C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\init.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-7209102360-5416138170-007389853-9757\wnzip32.exe) - C:\RECYCLER\S-1-5-21-7209102360-5416138170-007389853-9757\wnzip32.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\cbssreg: DllName - C:\Documents and Settings\All Users\Dokumenty\Settings\cbss.dll - C:\Documents and Settings\All Users\Dokumenty\Settings\cbss.dll ()
O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\web\wallpaper\Nebe.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\web\wallpaper\Nebe.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.11.06 16:13:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{41268d82-0593-11df-8b56-00e04c2c0586}\Shell\AutoRun\command - "" = F:\RECYCLER\autorun.exe -- File not found
O33 - MountPoints2\{41268d82-0593-11df-8b56-00e04c2c0586}\Shell\open\command - "" = F:\RECYCLER\autorun.exe -- File not found
O33 - MountPoints2\{705ce036-cd25-11de-be08-00e04c2c0586}\Shell\AutoRun\command - "" = I:\RECYCLER\autorun.exe -- File not found
O33 - MountPoints2\{705ce036-cd25-11de-be08-00e04c2c0586}\Shell\open\command - "" = I:\RECYCLER\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009.11.06 16:13:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (55172432624877568)

========== Files/Folders - Created Within 7 Days ==========

[2010.02.08 16:39:26 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
[2010.02.08 16:20:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.02.08 16:20:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.02.08 16:20:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.02.08 16:20:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.02.08 16:20:32 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010.02.08 16:10:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.02.08 16:10:23 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Dokumenty\Settings
[2010.02.08 16:10:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010.02.08 16:10:13 | 000,187,904 | ---- | C] (Syewygisryaluti) -- C:\brhpxf.exe
[2010.02.08 16:09:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.02.08 15:07:32 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Uživatel\Plocha\Uživatel.exe
[2010.02.08 15:07:32 | 000,000,000 | ---D | C] -- C:\rsit
[2010.02.08 15:00:24 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Uživatel\Plocha\HijackThis.exe
[2010.01.19 10:02:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\PCHealth
[2009.11.13 12:41:46 | 026,679,000 | ---- | C] ( ) -- C:\Program Files\AdbeRdr920_cs_CZ.exe
[2009.11.06 17:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft
[2009.11.06 16:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft
[2009.11.06 16:13:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Data aplikací\Microsoft
[2009.11.06 16:13:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Data aplikací\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 7 Days ==========

[2010.02.09 07:10:28 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.02.09 07:10:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.02.09 07:10:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.02.09 07:10:17 | 535,678,976 | -HS- | M] () -- C:\hiberfil.sys
[2010.02.09 07:08:31 | 002,097,152 | ---- | M] () -- C:\Documents and Settings\Uživatel\ntuser.dat
[2010.02.09 07:08:31 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\Uživatel\ntuser.ini
[2010.02.09 07:08:16 | 005,889,722 | -H-- | M] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\IconCache.db
[2010.02.09 01:30:02 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
[2010.02.08 16:10:24 | 000,164,864 | ---- | M] () -- C:\uipcafn.exe
[2010.02.08 16:10:18 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\Uživatel\reader_s.exe
[2010.02.08 16:10:18 | 000,038,912 | ---- | M] () -- C:\vswryyh.exe
[2010.02.08 16:10:17 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\reader_s.exe
[2010.02.08 16:10:17 | 000,056,320 | ---- | M] () -- C:\vckjykp.exe
[2010.02.08 16:10:16 | 000,117,248 | ---- | M] () -- C:\rkfo.exe
[2010.02.08 16:10:15 | 000,187,904 | ---- | M] (Syewygisryaluti) -- C:\brhpxf.exe
[2010.02.08 16:10:14 | 000,200,704 | ---- | M] () -- C:\WINDOWS\System32\regedit.exe
[2010.02.08 16:06:32 | 003,851,305 | R--- | M] () -- C:\Documents and Settings\Uživatel\Plocha\ComboFix.exe
[2010.02.08 15:02:42 | 000,781,909 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\RSIT.exe
[2010.02.08 12:47:00 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\text_film_cz-pl_final.doc
[2010.02.08 12:46:18 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\Smlouv_UHK.doc
[2010.02.08 08:31:47 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.02.08 16:20:48 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.02.08 16:20:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.02.08 16:20:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.02.08 16:20:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.02.08 16:20:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.02.08 16:10:21 | 000,164,864 | ---- | C] () -- C:\uipcafn.exe
[2010.02.08 16:10:18 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\Uživatel\reader_s.exe
[2010.02.08 16:10:17 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\reader_s.exe
[2010.02.08 16:10:17 | 000,038,912 | ---- | C] () -- C:\vswryyh.exe
[2010.02.08 16:10:16 | 000,056,320 | ---- | C] () -- C:\vckjykp.exe
[2010.02.08 16:10:15 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\regedit.exe
[2010.02.08 16:10:15 | 000,117,248 | ---- | C] () -- C:\rkfo.exe
[2010.02.08 16:08:55 | 003,851,305 | R--- | C] () -- C:\Documents and Settings\Uživatel\Plocha\ComboFix.exe
[2010.02.08 15:07:27 | 000,781,909 | ---- | C] () -- C:\Documents and Settings\Uživatel\Plocha\RSIT.exe
[2010.02.08 11:05:26 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Uživatel\Plocha\Smlouv_UHK.doc
[2010.01.06 08:17:23 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Data aplikací\hlusyf.dat
[2010.01.05 10:44:20 | 000,767,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\gjsywwar.sys
[2010.01.05 10:43:54 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Uživatel\Data aplikací\avdrn.dat
[2010.01.05 10:43:51 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Uživatel\Data aplikací\wiaservg.log
[2009.11.18 14:58:16 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.11.12 15:30:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009.11.12 15:28:16 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS64.DLL
[2009.11.09 17:01:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI
[2009.11.09 12:42:57 | 000,000,390 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003.04.09 15:38:04 | 000,005,664 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010.01.04 11:02:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\ashampoo
[2010.01.13 07:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\page
[2009.11.19 09:24:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Uživatel\Data aplikací\CD-LabelPrint
[2010.02.09 01:30:02 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
"CTFMON.EXE" = C:\WINDOWS\system32\ctfmon.exe -- [2008.04.14 08:52:18 | 000,015,360 | ---- | M] (Microsoft Corporation)
"12CFG214-K641-12SF-N85P" = C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe -- [2010.02.08 16:08:27 | 000,192,519 | RHS- | M] ()
"notepad" = rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0 -- [2010.02.08 16:26:02 | 000,000,000 | -HS- | M] ()
"reader_s" = C:\Documents and Settings\Uživatel\reader_s.exe -- [2010.02.08 16:10:18 | 000,079,872 | ---- | M] ()

< c:\windows\*.* /U >
[4 c:\windows\*.tmp files -> c:\windows\*.tmp -> ]


< MD5 for: AGP440.SYS >
[2004.08.18 13:00:00 | 018,786,869 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008.04.14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\System32\drivers\agp440.sys
[2004.08.03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004.08.04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\System32\ReinstallBackups\0001\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004.08.18 13:00:00 | 018,786,869 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008.04.14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\System32\drivers\atapi.sys
[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004.08.18 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\System32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004.08.03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\System32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: CRYPTSVC.DLL >
[2004.08.18 13:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) MD5=70D2A1756F4B2067658A186C963FCABD -- C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll
[2008.04.14 08:51:40 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=F3AB0933CBD166D271992F411C27CCAF -- C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll
[2008.04.14 08:51:40 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=F3AB0933CBD166D271992F411C27CCAF -- C:\WINDOWS\system32\cryptsvc.dll

< MD5 for: EVENTLOG.DLL >
[2008.04.14 08:51:42 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=2EE99F67C930931EB404DADCE57E976E -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008.04.14 08:51:42 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=2EE99F67C930931EB404DADCE57E976E -- C:\WINDOWS\system32\eventlog.dll
[2004.08.18 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=6EB66066D5C0175320CFEA0A4C74C88F -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008.04.14 08:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=27AFD587C462E280EE046B8CCA3C2CD1 -- C:\WINDOWS\explorer.exe
[2008.04.14 08:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) MD5=27AFD587C462E280EE046B8CCA3C2CD1 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004.08.18 13:00:00 | 001,032,704 | ---- | M] (Microsoft Corporation) MD5=53114D57AB73A406AC7F602227781A99 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: HAL.DLL >
[2004.08.18 13:00:00 | 018,786,869 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:hal.dll
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:hal.dll
[2008.04.14 09:10:02 | 020,102,206 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:hal.dll
[2008.04.14 00:01:30 | 000,134,400 | ---- | M] (Microsoft Corporation) MD5=4329EE7D502C9113EBA0F9570392F5EE -- C:\WINDOWS\system32\HAL.DLL
[2008.04.14 00:01:34 | 000,105,344 | ---- | M] (Microsoft Corporation) MD5=6DB1E72AD3B372DFC451B7F54BA08AA7 -- C:\WINDOWS\ServicePackFiles\i386\hal.dll
[2004.08.18 13:00:00 | 000,134,400 | ---- | M] (Microsoft Corporation) MD5=DFCE51FD96909D1B97D4A1A72D060D77 -- C:\WINDOWS\$NtServicePackUninstall$\hal.dll

< MD5 for: LSASS.EXE >
[2004.08.18 13:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=82A362FE1D4980B71B588D9C10748511 -- C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
[2008.04.14 08:52:30 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=ED0A176354487CEED65B80A7148AB739 -- C:\WINDOWS\ServicePackFiles\i386\lsass.exe
[2008.04.14 08:52:30 | 000,013,312 | ---- | M] (Microsoft Corporation) MD5=ED0A176354487CEED65B80A7148AB739 -- C:\WINDOWS\System32\lsass.exe

< MD5 for: NDIS.SYS >
[2004.08.18 13:00:00 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
[2008.04.14 00:50:38 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2010.01.05 10:44:43 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010.01.05 10:44:43 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\System32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2004.08.18 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=2591CADAEF7D2242039255028E577688 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008.04.14 08:51:52 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=C2ED0E3408F50BBC149D4F0936E67832 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008.04.14 08:51:52 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=C2ED0E3408F50BBC149D4F0936E67832 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004.08.18 13:00:00 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=07119058D451CB7EA4317BCFDA8599A6 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008.04.14 08:51:56 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=830CE8951C71F361D7D2F38416CC8BC1 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008.04.14 08:51:56 | 000,185,856 | ---- | M] (Microsoft Corporation) MD5=830CE8951C71F361D7D2F38416CC8BC1 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SMSS.EXE >
[2004.08.18 13:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=04B69D49D7FC3358A372E97DB6D39447 -- C:\WINDOWS\$NtServicePackUninstall$\smss.exe
[2008.04.14 08:52:48 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=9B08A8C6331C2DA9C30377BCB4262721 -- C:\WINDOWS\ServicePackFiles\i386\smss.exe
[2008.04.14 08:52:48 | 000,050,688 | ---- | M] (Microsoft Corporation) MD5=9B08A8C6331C2DA9C30377BCB4262721 -- C:\WINDOWS\System32\smss.exe

< MD5 for: SVCHOST.EXE >
[2008.04.14 08:52:50 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BE4A520E29B6391F49E79CCC52044D93 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008.04.14 08:52:50 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=BE4A520E29B6391F49E79CCC52044D93 -- C:\WINDOWS\System32\svchost.exe
[2004.08.18 13:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=DFBA2915B0BF58ABB288CD4C9318CB3F -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: TCPIP.SYS >
[2008.04.14 00:50:18 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
[2008.06.20 12:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\System32\dllcache\tcpip.sys
[2008.06.20 12:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\System32\drivers\tcpip.sys
[2004.08.18 13:00:00 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=9F4B36614A0FC234525BA224957DE55C -- C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
[2008.06.20 12:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys

< MD5 for: USERINIT.EXE >
[2008.04.14 08:52:52 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=7DC1830F22E7D275B438127B68030239 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008.04.14 08:52:52 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=7DC1830F22E7D275B438127B68030239 -- C:\WINDOWS\System32\userinit.exe
[2004.08.18 13:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=836F7960362FF95C5D49E40B891F2CFC -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004.08.18 13:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=221C29AE1B4CC61D11D8B27DE78B2307 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008.04.14 08:52:54 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=CDDB1F8E1AEA356F3AD106F2CF9B7FEA -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008.04.14 08:52:54 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=CDDB1F8E1AEA356F3AD106F2CF9B7FEA -- C:\WINDOWS\System32\winlogon.exe

< MD5 for: WS2_32.DLL >
[2004.08.18 13:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=382E9B87F1282E697C67AF84E34E35E2 -- C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
[2008.04.14 08:52:08 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=951D473917C51F21496D914CF6E5DDD1 -- C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
[2008.04.14 08:52:08 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=951D473917C51F21496D914CF6E5DDD1 -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2006.05.03 17:12:26 | 000,286,720 | ---- | M] (ATI Technologies Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGR.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
< End of report >
Attachments
Extras.zip
(4.66 KiB) Downloaded 53 times

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: Spamming PC

#5 Post by pepik24 »

OK :)
ComboFix didn't report anything before, because it didn't even start :(
I have the backup done.

Log:
========== OTL ==========
Process reader_s.exe killed successfully!
No active process named reader_s.exe was found!
Process vsbntlo.exe killed successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
C:\WINDOWS\system32\reader_s.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\12CFG214-K641-12SF-N85P deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\notepad deleted successfully.
C:\Documents and Settings\NetworkService\ntload.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
C:\Documents and Settings\Uživatel\reader_s.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\init.exe deleted successfully.
C:\Documents and Settings\Uživatel\Local Settings\Temp\init.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\RECYCLER\S-1-5-21-7209102360-5416138170-007389853-9757\wnzip32.exe deleted successfully.
File move failed. C:\RECYCLER\S-1-5-21-7209102360-5416138170-007389853-9757\wnzip32.exe scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg\ deleted successfully.
File move failed. C:\Documents and Settings\All Users\Dokumenty\Settings\cbss.dll scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41268d82-0593-11df-8b56-00e04c2c0586}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41268d82-0593-11df-8b56-00e04c2c0586}\ not found.
F:\RECYCLER\autorun.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41268d82-0593-11df-8b56-00e04c2c0586}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41268d82-0593-11df-8b56-00e04c2c0586}\ not found.
File F:\RECYCLER\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{705ce036-cd25-11de-be08-00e04c2c0586}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{705ce036-cd25-11de-be08-00e04c2c0586}\ not found.
File I:\RECYCLER\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{705ce036-cd25-11de-be08-00e04c2c0586}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{705ce036-cd25-11de-be08-00e04c2c0586}\ not found.
File I:\RECYCLER\autorun.exe not found.
C:\WINDOWS\System32\lowsec folder moved successfully.
C:\brhpxf.exe moved successfully.
C:\uipcafn.exe moved successfully.
File C:\Documents and Settings\Uživatel\reader_s.exe not found.
C:\vswryyh.exe moved successfully.
File C:\WINDOWS\System32\reader_s.exe not found.
C:\vckjykp.exe moved successfully.
C:\rkfo.exe moved successfully.
File C:\brhpxf.exe not found.
File C:\uipcafn.exe not found.
File C:\Documents and Settings\Uživatel\reader_s.exe not found.
File C:\WINDOWS\System32\reader_s.exe not found.
File C:\vswryyh.exe not found.
File C:\vckjykp.exe not found.
C:\WINDOWS\system32\regedit.exe moved successfully.
File C:\rkfo.exe not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Calc32 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\notepad deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\12CFG214-K641-12SF-N85P not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\notepad deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.28.0 log created on 02092010_113044

Files\Folders moved on Reboot...
C:\RECYCLER\S-1-5-21-7209102360-5416138170-007389853-9757\wnzip32.exe moved successfully.
File move failed. C:\Documents and Settings\All Users\Dokumenty\Settings\cbss.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Now on my PC, after I plug in the flash drive, it again reports an autorun virus, everything is stuck, it keeps doing something on the flash drive, and NOD has started reporting a trojan horse infection in all the exe files on it, one after another.

C:\WINDOWS\System32\regedit.exe - I didn't test it, it isn't there (didn't OTL delete it by any chance?)
But I had to connect the PC to the internet. It worked for a while, a few packets went through, but after a moment data was again flowing back and forth by the thousands. Couldn't the deleted stuff have got back?
On top of that, the PC keeps throwing an application error for ecjew.exe saying that a read or write operation cannot be performed on the memory.

What do you think about my flash drive - I would rather not carry it over to my own PC.

Re: Spamming PC

#6 Post by pepik24 »

So we ended up on a spam list, and the PC was on the internet for about 10 minutes, not even that.
Now it just occurs to me whether I carried it over to my own PC with that flash drive.

I probably won't torture it any further and will reinstall the PC.

What concerns me most now is my own PC and the flash drive :(
Out of nowhere my CPU is almost 100% busy, and quite a lot of packets came in and went out in a short time as well...

Re: Spamming PC

#7 Post by pepik24 »

No problem, it is your good will after all that you help people here fight the vermin!

Right after startup the ecjew.exe application error keeps popping up, saying that a read or write operation cannot be performed on the memory.
Now a system shutdown countdown has appeared there, triggered by windows/system32/services.exe,
but it didn't shut down - maybe that ecjew.exe message is blocking it.

I renamed combofix as you said, but it's still the same - it says "preparing to start" and does nothing.

P.S. How am I supposed to post a log here now, when I'm not supposed to connect the flash drive to my PC, nor the affected PC to the internet?

Re: Spamming PC

#8 Post by pepik24 »

One more thing I forgot - safe mode won't start - the PC restarts while it is loading.
I tried running combofix, alias abraka.com, in normal mode.

Re: Spamming PC

#9 Post by pepik24 »

It's interesting: after a hard restart (it didn't respond to a software one) no window with the message appeared.
I ran the camouflaged combofix and it is running. I don't understand why.
But how am I supposed to put the log here now?

Re: Spamming PC

#10 Post by pepik24 »

ComboFix log:
ComboFix 10-02-07.08 - Uživatel 09.02.2010 14:12:19.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.511.275 [GMT 1:00]
Spuštěný z: c:\documents and settings\Uživatel\Plocha\abraka.com

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\UIVATE~1\LOCALS~1\Temp\init.exe
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\B32.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\B64.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\Local.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\UA.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\UAcpt.dtd
c:\documents and settings\All Users\Data aplikací\Macromedia\SwUpdate\Ui.dtd
c:\documents and settings\All Users\Dokumenty\Settings
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
C:\lsass.exe
C:\ntldrs
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-3182098414-2997487408-323660692-6693
c:\recycler\S-1-5-21-4411569278-6196654044-719940071-9351
c:\recycler\S-1-5-21-6158704021-8982484387-740387381-6845
c:\recycler\S-1-5-21-7209102360-5416138170-007389853-9757
c:\windows\Help\kfdtk.chm
c:\windows\system32\drivers\gjsywwar.sys
c:\windows\system32\imPlayok.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\notepad.dll
c:\windows\system32\sdra64.exe

Nakažená kopie c:\windows\system32\drivers\cdrom.sys byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\cdrom.sys

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-09 do 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-09 10:37 . 2010-02-09 10:37 40996 ----a-w- C:\uipcafn.exe
2010-02-09 10:37 . 2010-02-09 13:12 56832 ----a-w- C:\vckjykp.exe
2010-02-09 10:37 . 2010-02-09 10:37 17920 ----a-w- C:\bdxcphif.exe
2010-02-09 10:37 . 2010-02-09 13:12 128512 ----a-w- C:\brhpxf.exe
2010-02-09 10:37 . 2010-02-09 13:06 0 ----a-w- C:\ecjew.exe
2010-02-09 10:37 . 2010-02-09 13:12 117760 ----a-w- C:\rkfo.exe
2010-02-09 10:32 . 2010-02-09 10:32 0 --sha-w- c:\documents and settings\NetworkService\ntload.dll
2010-02-09 10:30 . 2010-02-09 10:30 -------- d-----w- C:\_OTL
2010-02-08 14:07 . 2010-02-08 14:07 -------- d-----w- C:\rsit
2010-01-13 06:44 . 2010-01-13 06:44 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-13 06:39 . 2010-01-13 06:39 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-01-13 06:38 . 2010-01-13 06:40 -------- d-----w- c:\documents and settings\Administrator\Data aplikací
2010-01-13 06:38 . 2010-01-13 06:40 -------- d-----w- c:\documents and settings\Administrator\Šablony
2010-01-13 06:38 . 2010-01-13 06:40 -------- d-s---w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 06:41 . 2009-12-16 10:23 -------- d-----w- c:\program files\E-Zak
2010-01-13 06:41 . 2010-01-04 09:43 -------- d-----w- c:\program files\Nero
2010-01-05 09:44 . 2004-08-18 12:00 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-04 10:57 . 2010-01-04 10:57 -------- d-----w- c:\program files\Burn4Free Toolbar
2010-01-04 09:44 . 2010-01-04 09:43 -------- d-----w- c:\program files\Common Files\Nero
2009-12-10 08:18 . 2004-08-18 12:00 79040 ----a-w- c:\windows\system32\perfc005.dat
2009-12-10 08:18 . 2004-08-18 12:00 431998 ----a-w- c:\windows\system32\perfh005.dat
2009-11-13 11:41 . 2009-11-13 11:41 26679000 ----a-w- c:\program files\AdbeRdr920_cs_CZ.exe
.

------- Sigcheck -------

[-] 2010-01-05 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-01-05 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-18 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Uživatel\Nabídka Start\Programy\Po spuštění\
scandisk.dll [2009-3-21 36864]
scandisk.lnk - c:\windows\system32\rundll32.exe [2004-8-18 33280]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 19:19 13592]
.
Obsah adresáře 'Naplánované úlohy'

2010-02-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 14:24
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x82339530]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf859bf28
\Driver\ACPI -> ACPI.sys @ 0xf84eecb8
\Driver\atapi -> atapi.sys @ 0xf8480852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0x822dfbd4
PacketIndicateHandler -> NDIS.sys @ 0x822cda0d
SendHandler -> NDIS.sys @ 0x822e1b40
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-09 14:27:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-09 13:27

Pre-Run: 47,552,266,240 bytes free
Post-Run: 47,941,296,128 bytes free

- - End Of File - - D74A4418CBA29B69B646302D565DD813


the independent scan will be ready in about an hour...

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: SPAMming PC

#11 Post by pepik24 »

One more thing about the flash drive: when I plugged it into my PC, after opening it (NOD detected autorun.inf) the sizes of the exe files on it started changing. I have now disabled autorun for the flash drive, deleted the exe files with today's suspicious date (NOD then reported some trojan on one of them) and I'm running a scan over it.
My question is whether my PC is infected somehow, since the sizes of those files only started changing by themselves after I connected it to my PC.

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: SPAMming PC

#12 Post by pepik24 »

OTL fix log:
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 10:37 40996 ----a-w- C:\uipcafn.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 13:12 56832 ----a-w- C:\vckjykp.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 10:37 17920 ----a-w- C:\bdxcphif.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 13:12 128512 ----a-w- C:\brhpxf.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 13:06 0 ----a-w- C:\ecjew.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:37 . 2010-02-09 13:12 117760 ----a-w- C:\rkfo.exe> in the current context!
Error: Unable to interpret <2010-02-09 10:32 . 2010-02-09 10:32 0 --sha-w- c:\documents and settings\NetworkService\ntload.dll> in the current context!

OTL by OldTimer - Version 3.1.28.0 log created on 02092010_140515

ndis.sys check - http://www.virustotal.com/cs/analisis/4 ... 1265724508
- 0%
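The "Unable to interpret ... in the current context!" errors above come from pasting ComboFix-style listing lines (`<created> . <modified> <size> <attrs> <path>`) into OTL's fix box, which expects bare paths under a `:Files` header. The following is an added example (not part of pepik24's post and not an OTL or ComboFix tool) that extracts the path from both the ComboFix format and OTL's own `[date | size | attrs | C] () -- path` format and emits a `:Files` section. The sample lines are constructed from entries visible in this thread; the regular expressions are my reading of those two line formats, not a specification published by either tool.

```python
import re

# Constructed sample: the kind of lines that were pasted into OTL's fix box.
# Two are in ComboFix "Files created/modified" format, two in OTL's own
# "[date | size | attrs | C] (company) -- path" listing format, one is noise.
SAMPLE_LINES = r"""
2010-02-09 10:37 . 2010-02-09 10:37 40996 ----a-w- C:\uipcafn.exe
2010-02-09 10:32 . 2010-02-09 10:32 0 --sha-w- c:\documents and settings\NetworkService\ntload.dll
[2010.02.09 11:38:02 | 000,040,996 | ---- | C] () -- C:\Documents and Settings\Uživatel\imPlayok.exe
[2010.02.08 16:10:27 | 000,000,657 | -HS- | M] () -- C:\Documents and Settings\Uživatel\Nabídka Start\Programy\Po spuštění\scandisk.lnk
this line is not a file entry
"""

# ComboFix: "<created> . <modified> <size> <attrs> <path>", attrs is 8 chars like ----a-w-
COMBOFIX_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+[-a-z]{8}\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)
# OTL: "[<date> | <size> | <attrs> | C|M] (<company>) -- <path>"
OTL_RE = re.compile(
    r"^\[[^\]]+\]\s+\([^)]*\)\s+--\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)


def extract_path(line: str):
    """Return the file path from one ComboFix or OTL listing line, or None."""
    line = line.strip()
    for pattern in (COMBOFIX_RE, OTL_RE):
        m = pattern.match(line)
        if m:
            return m.group("path")
    return None


def build_otl_files_fix(listing: str) -> str:
    """Turn pasted listing lines into an OTL fix script: bare paths under
    :Files, deduplicated case-insensitively, first-seen order preserved."""
    seen = set()
    paths = []
    for line in listing.splitlines():
        p = extract_path(line)
        if p is None:
            continue
        key = p.lower()
        if key in seen:
            continue
        seen.add(key)
        paths.append(p)
    return "\n".join([":Files", *paths, "", ":Commands", "[emptytemp]"]) + "\n"


if __name__ == "__main__":
    print(build_otl_files_fix(SAMPLE_LINES))
```

Lines that match neither format are dropped rather than passed through, so a stray sentence or a log header never ends up as a "path" in the fix; review the output before running it, since a `:Files` section deletes whatever it lists.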

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: SPAMming PC

#13 Post by pepik24 »

OTL deleted everything you listed, and here is the log:

OTL logfile created on: 9.2.2010 14:50:45 - Run 2
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Uživatel\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

511,00 Mb Total Physical Memory | 323,00 Mb Available Physical Memory | 63,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111,78 Gb Total Space | 44,66 Gb Free Space | 39,95% Space Free | Partition Type: NTFS
Drive D: | 149,05 Gb Total Space | 50,51 Gb Free Space | 33,89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1,86 Gb Total Space | 0,61 Gb Free Space | 32,80% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AAG-DBEED10067A
Current User Name: Uživatel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
PRC - [2008.04.14 08:52:56 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008.04.14 08:52:24 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006.05.03 17:43:46 | 000,471,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe


========== Modules (SafeList) ==========

MOD - [2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2008.07.29 19:16:38 | 000,132,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2006.11.03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006.05.03 17:43:46 | 000,471,040 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2006.05.03 11:57:00 | 000,520,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2003.07.28 20:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2008.04.13 22:09:16 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007.06.27 14:42:00 | 000,207,488 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2006.05.03 17:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004.08.18 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004.08.04 02:08:36 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2004.08.04 02:08:30 | 000,105,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx)
DRV - [2004.08.04 02:08:08 | 000,064,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinxsxx.sys -- (ATIXSAudio)
DRV - [2004.08.04 02:07:52 | 000,053,760 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx)
DRV - [2004.08.03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
IE - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010.02.09 14:24:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Uživatel\Nabídka Start\Programy\Po spuštění\scandisk.dll (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1417001333-1604221776-682003330-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 7773216750 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Nebe.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Nebe.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.11.06 16:13:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 7 Days ==========

[2010.02.09 14:27:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010.02.09 14:10:36 | 000,000,000 | ---D | C] -- C:\abraka
[2010.02.09 14:07:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010.02.09 11:30:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.02.08 16:39:26 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
[2010.02.08 16:20:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.02.08 16:20:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.02.08 16:20:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.02.08 16:20:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.02.08 16:10:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.02.08 16:09:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.02.08 15:07:32 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Uživatel\Plocha\Uživatel.exe
[2010.02.08 15:07:32 | 000,000,000 | ---D | C] -- C:\rsit
[2010.02.08 15:00:24 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Uživatel\Plocha\HijackThis.exe
[2010.01.19 10:02:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\PCHealth
[2009.11.13 12:41:46 | 026,679,000 | ---- | C] ( ) -- C:\Program Files\AdbeRdr920_cs_CZ.exe
[2009.11.06 17:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft
[2009.11.06 16:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft
[2009.11.06 16:13:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Data aplikací\Microsoft
[2009.11.06 16:13:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Data aplikací\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 7 Days ==========

[2010.02.09 14:48:48 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.02.09 14:48:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.02.09 14:48:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.02.09 14:48:39 | 535,678,976 | -HS- | M] () -- C:\hiberfil.sys
[2010.02.09 14:47:38 | 002,097,152 | ---- | M] () -- C:\Documents and Settings\Uživatel\ntuser.dat
[2010.02.09 14:47:38 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\Uživatel\ntuser.ini
[2010.02.09 14:24:14 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.02.09 14:24:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.02.09 13:46:23 | 005,889,722 | -H-- | M] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\IconCache.db
[2010.02.09 11:38:02 | 000,040,996 | ---- | M] () -- C:\Documents and Settings\Uživatel\imPlayok.exe
[2010.02.09 11:35:32 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.02.09 11:01:02 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.02.08 16:38:00 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Uživatel\Plocha\OTL.exe
[2010.02.08 16:10:27 | 000,000,657 | -HS- | M] () -- C:\Documents and Settings\Uživatel\Nabídka Start\Programy\Po spuštění\scandisk.lnk
[2010.02.08 16:06:32 | 003,851,305 | R--- | M] () -- C:\Documents and Settings\Uživatel\Plocha\abraka.com
[2010.02.08 15:02:42 | 000,781,909 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\RSIT.exe
[2010.02.08 12:47:00 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\text_film_cz-pl_final.doc
[2010.02.08 12:46:18 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Uživatel\Plocha\Smlouv_UHK.doc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.02.09 11:38:02 | 000,040,996 | ---- | C] () -- C:\Documents and Settings\Uživatel\imPlayok.exe
[2010.02.08 16:20:48 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.02.08 16:20:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.02.08 16:20:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.02.08 16:20:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.02.08 16:20:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.02.08 16:08:55 | 003,851,305 | R--- | C] () -- C:\Documents and Settings\Uživatel\Plocha\abraka.com
[2010.02.08 15:07:27 | 000,781,909 | ---- | C] () -- C:\Documents and Settings\Uživatel\Plocha\RSIT.exe
[2010.02.08 11:05:26 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Uživatel\Plocha\Smlouv_UHK.doc
[2010.01.06 08:17:23 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Data aplikací\hlusyf.dat
[2010.01.05 10:43:54 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Uživatel\Data aplikací\avdrn.dat
[2010.01.05 10:43:51 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Uživatel\Data aplikací\wiaservg.log
[2009.11.18 14:58:16 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Uživatel\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.11.12 15:30:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009.11.12 15:28:16 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS64.DLL
[2009.11.09 17:01:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI
[2009.11.09 12:42:57 | 000,000,390 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003.04.09 15:38:04 | 000,005,664 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010.01.04 11:02:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\ashampoo
[2010.01.13 07:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\page
[2009.11.19 09:24:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Uživatel\Data aplikací\CD-LabelPrint
[2010.02.09 11:35:32 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


< End of report >

On my own PC ComboFix reports an incompatible OS (Win7); the scan started anyway, but it crashed into a BSOD :(
Otherwise my PC seems to be behaving normally so far.

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: SPAMming PC

#14 Post by pepik24 »

It won't take C:\Documents and Settings\Uživatel\imPlayok.exe, but I can see the file there. Can I delete it manually (Shift+Delete)?
Unfortunately I misclicked and hit cleanup. I'm such a klutz, sorry. Now I probably can't send you that quarantine :(

Running an AV scan

pepik24
Exemplary visitor
Posts: 90
Registered: 27 Jan 2009 16:31

Re: SPAMming PC

#15 Post by pepik24 »

I ran Avast over it; it reports a lot of exe files (notepad, skype, wmplayer, ... dozens of files) infected with the Win32:Polipos virus.
Unfortunately that log is only in the GUI and can't be saved as txt.
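The exe files that "started changing size" on the flash drive in post #11 and the dozens of executables Avast flags as Win32:Polipos in post #15 are the two faces of the same thing: a parasitic file infector writes itself into existing executables in place, so the file keeps its name but its size grows and its hash changes. The following is an added example (mine, not pepik24's code and not any of the tools used in this thread) of how to catch that on a removable drive: fingerprint every executable once while the stick is known clean, then compare later and separate "same file, larger, different hash" from other changes, new executables, and an `autorun.inf` pointing at one of them. The directory layout, file contents and the `autorun.inf` are constructed for the demo; the "grown executable = infector" rule is a heuristic for triage, not identification of a specific malware family.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a parasitic file infector typically targets.
EXE_SUFFIXES = {".exe", ".scr", ".com", ".dll"}


def file_fingerprint(path: Path) -> dict:
    """Size and SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Fingerprint every executable under root, keyed by path relative to root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def autorun_target(root: Path):
    """What an autorun.inf at the drive root would launch, or None if there is none."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    for line in inf.read_text(errors="replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute"):
            return value.strip()
    return None


def scan_drive(root: Path, baseline: dict) -> dict:
    """Compare the drive against the baseline and classify every executable.

    'grown' is the file-infector signature: same path, larger, different hash.
    """
    current = build_baseline(root)
    report = {"grown": [], "modified": [], "new": [], "missing": [],
              "autorun": autorun_target(root)}
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
        elif cur["sha256"] != old["sha256"]:
            bucket = "grown" if cur["size"] > old["size"] else "modified"
            report[bucket].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Constructed scenario: baseline a clean stick, then mimic what post #11 describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 1000)
        (root / "setup.exe").write_bytes(b"MZ" + b"\x01" * 2000)
        (root / "readme.txt").write_bytes(b"not an executable, ignored")
        baseline = build_baseline(root)

        # Infection-like changes: an existing exe grows, a dropper and autorun.inf appear.
        # (Constructed; the dropper name is borrowed from the listing in post #12.)
        with (root / "setup.exe").open("ab") as f:
            f.write(b"\x90" * 512)
        (root / "uipcafn.exe").write_bytes(b"MZ" + b"\x02" * 300)
        (root / "autorun.inf").write_text("[autorun]\nopen=uipcafn.exe\n")

        return scan_drive(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice `build_baseline` runs once on a drive you trust and the result is stored off the drive (a JSON file on the helper's machine, never on the stick itself, since an infector that owns the stick can rewrite it); `scan_drive` then runs every time the stick comes back. A populated `grown` list together with an `autorun` entry that names a file in `new` is the pattern to expect from a stick that has been through an infected PC, and the host that wrote those changes is the one that needs cleaning, not only the stick.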
