prosím o kontrolu logu, vopred ďakujem

[Lilinka]

Logfile of random's system information tool 1.06 (written by random/random)
Run by E at 2010-02-22 13:08:29
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 55 GB (82%) free of 67 GB
Total RAM: 766 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:08:54, on 22.2.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\E\My Documents\Preberanie\RSIT.exe
C:\Program Files\trend micro\E.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6359 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [2007-03-02 1298024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
HP Print Clips - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-03-02 177768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-05-18 16207872]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2006-04-15 53248]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-11-11 1236992]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-03-11 49152]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2009-10-13 949376]
"NPSStartup"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"ICQ"=C:\Program Files\ICQ6.5\ICQ.exe [2009-11-16 172792]
"AutoStartNPSAgent"=C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [2009-11-25 116056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-06-22 61440]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Warcraft III\War3.exe"="C:\Program Files\Warcraft III\War3.exe:*:Disabled:Warcraft III"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Documents and Settings\E\Application Data\Facebook\facebook.exe"="C:\Documents and Settings\E\Application Data\Facebook\facebook.exe:*:Enabled:facebook"
"C:\Documents and Settings\E\Desktop\World of Warcraft\Launcher.exe"="C:\Documents and Settings\E\Desktop\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-02-22 13:08:29 ----D---- C:\rsit
2010-02-12 15:49:48 ----D---- C:\Documents and Settings\All Users\Application Data\Samsung
2010-02-12 15:49:21 ----A---- C:\WINDOWS\system32\FsUsbExService.Exe
2010-02-12 15:49:20 ----A---- C:\WINDOWS\system32\FsUsbExDevice.Dll
2010-02-12 15:49:06 ----D---- C:\Documents and Settings\E\Application Data\Samsung
2010-02-12 15:48:16 ----D---- C:\Program Files\MarkAny
2010-02-12 15:47:10 ----D---- C:\Program Files\Samsung
2010-02-12 15:40:26 ----A---- C:\0x0405.ini
2010-01-28 14:55:36 ----D---- C:\Documents and Settings\All Users\Application Data\hps
2010-01-28 14:45:13 ----D---- C:\Program Files\Fotolab

======List of files/folders modified in the last 1 months======

2010-02-22 13:08:39 ----D---- C:\Program Files\trend micro
2010-02-22 13:08:36 ----D---- C:\WINDOWS\Prefetch
2010-02-22 13:06:57 ----D---- C:\WINDOWS\Temp
2010-02-22 13:06:42 ----D---- C:\Documents and Settings\E\Application Data\Skype
2010-02-22 13:06:13 ----D---- C:\Program Files\Mozilla Firefox
2010-02-22 08:07:08 ----D---- C:\Documents and Settings\E\Application Data\skypePM
2010-02-22 08:06:50 ----D---- C:\WINDOWS
2010-02-21 23:22:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-16 19:48:14 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-12 15:58:16 ----D---- C:\WINDOWS\system32\drivers
2010-02-12 15:58:15 ----HD---- C:\WINDOWS\inf
2010-02-12 15:54:25 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-12 15:52:15 ----SHD---- C:\WINDOWS\Installer
2010-02-12 15:52:15 ----HD---- C:\Program Files\InstallShield Installation Information
2010-02-12 15:52:15 ----HD---- C:\Config.Msi
2010-02-12 15:49:21 ----D---- C:\WINDOWS\system32
2010-02-12 15:48:33 ----D---- C:\WINDOWS\WinSxS
2010-02-12 15:48:16 ----RD---- C:\Program Files
2010-02-12 15:35:37 ----D---- C:\Program Files\Common Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2009-10-13 15424]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832]
R1 WS2IFSL;Prostredie podpory poskytovateľa služby Windows Socket 2.0 Non-IFS Service; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2009-10-13 512096]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-06-22 1540096]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS\system32\FsUsbExDisk.SYS []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-16 4275712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2004-08-04 78464]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 esihdrv;esihdrv; \??\C:\DOCUME~1\E\LOCALS~1\Temp\esihdrv.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\E\LOCALS~1\Temp\DDA74FF.tmp []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM); C:\WINDOWS\system32\DRIVERS\ss_bbus.sys [2009-09-21 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter); C:\WINDOWS\system32\DRIVERS\ss_bmdfl.sys [2009-09-21 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem; C:\WINDOWS\system32\DRIVERS\ss_bmdm.sys [2009-09-21 121856]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-06-22 405504]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 FsUsbExService;FsUsbExService; C:\WINDOWS\system32\FsUsbExService.Exe [2009-11-25 238952]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-10-13 552064]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-11-11 18944]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[franticek]

Zdravím.
Na logu se již pracuje.

[Lilinka]

Super Ďakujem

[franticek]

Takže jdeme na to:

1. Stáhněte OTMoveIt3 z podpisu a použijte tento skript:

Kód: Vybrat vše

:processes
explorer.exe

:services
esihdrv
GarenaPEngine

:files
C:\DOCUME~1\E\LOCALS~1\Temp\esihdrv.sys
C:\DOCUME~1\E\LOCALS~1\Temp\DDA74FF.tmp

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NPSStartup"=-
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=""

:commands
[purity]
[emptytemp]
[reboot]

2. ověřit na VT tento soubor

Kód: Vybrat vše

C:\WINDOWS\system32\FsUsbExDisk.SYS

3. nový log z RSIT

4. Stáhnout z podpisu GMER a postupovat dle instrukcí.

[Lilinka]

z toho prvého:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service esihdrv stopped successfully!
Service esihdrv deleted successfully!
Service GarenaPEngine stopped successfully!
Service GarenaPEngine deleted successfully!
========== FILES ==========
File/Folder C:\DOCUME~1\E\LOCALS~1\Temp\esihdrv.sys not found.
File/Folder C:\DOCUME~1\E\LOCALS~1\Temp\DDA74FF.tmp not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\"Start Page"|"" /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\"ProxyOverride"|"" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: E
->Temp folder emptied: 33451719 bytes
->Temporary Internet Files folder emptied: 6650432 bytes
->FireFox cache emptied: 127952223 bytes
->Google Chrome cache emptied: 856432 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1000165 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12994302 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 177,00 mb


OTM by OldTimer - Version 3.1.9.0 log created on 02232010_105051

Files moved on Reboot...

Registry entries deleted on Reboot...

Z toho druhého :


Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.5.0.50 2010.02.23 -
AhnLab-V3 5.0.0.2 2010.02.23 -
AntiVir 8.2.1.172 2010.02.23 -
Antiy-AVL 2.0.3.7 2010.02.23 -
Authentium 5.2.0.5 2010.02.23 -
Avast 4.8.1351.0 2010.02.23 -
AVG 9.0.0.730 2010.02.22 -
BitDefender 7.2 2010.02.23 -
CAT-QuickHeal 10.00 2010.02.23 -
ClamAV 0.96.0.0-git 2010.02.23 -
Comodo 4034 2010.02.23 -
DrWeb 5.0.1.12222 2010.02.23 -
eSafe 7.0.17.0 2010.02.22 -
eTrust-Vet 35.2.7323 2010.02.23 -
F-Prot 4.5.1.85 2010.02.22 -
F-Secure 9.0.15370.0 2010.02.23 -
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.23 -
Ikarus T3.1.1.80.0 2010.02.23 -
Jiangmin 13.0.900 2010.02.23 -
K7AntiVirus 7.10.980 2010.02.22 -
Kaspersky 7.0.0.125 2010.02.23 -
McAfee 5900 2010.02.22 -
McAfee+Artemis 5900 2010.02.22 -
McAfee-GW-Edition 6.8.5 2010.02.23 -
Microsoft 1.5406 2010.02.23 -
NOD32 4888 2010.02.22 -
Norman 6.04.08 2010.02.23 -
nProtect 2009.1.8.0 2010.02.23 -
Panda 10.0.2.2 2010.02.22 -
PCTools 7.0.3.5 2010.02.23 -
Prevx 3.0 2010.02.23 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.23 -
Sunbelt 5694 2010.02.23 -
Symantec 20091.2.0.41 2010.02.23 -
TheHacker 6.5.1.6.206 2010.02.23 -
TrendMicro 9.120.0.1004 2010.02.23 -
VBA32 3.12.12.2 2010.02.23 -
ViRobot 2010.2.23.2197 2010.02.23 -
VirusBuster 5.0.27.0 2010.02.22 -
Rozšiřující informace
File size: 36608 bytes
MD5...: 790a4ca68f44be35967b3df61f3e4675
SHA1..: bd0ea1bd82cfff4129b486d4d2f6661e3f28d318
SHA256: 7cbc77c620aba75fef4ba8ad9c38766d50cd18106eba4693f162f2c5a7d46aa8
ssdeep: 768:o04pOmckpdHXCDwdGSlAK5uVEWA69ir1FmU:oncUyEdGShwEWG1FmU
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6d1f
timedatestamp.....: 0x48c8bdc2 (Thu Sep 11 06:42:10 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x260 0x6cfe 0x6d00 6.57 8022e15a8918cb4af57e6d43d51c9b4c
.data 0x6f60 0x11a0 0x11a0 0.82 9d966a7c58463c4d95af560266df5b39
INIT 0x8100 0x564 0x580 5.17 24e35a4a457a8a9b599721f5c8fbc294
.reloc 0x8680 0x876 0x880 6.44 74e8722b79e3fe3758d06246890e01d2

( 2 imports )
> ntoskrnl.exe: KeEnterCriticalRegion, sprintf, ExAcquireResourceSharedLite, IoFreeIrp, KeSetEvent, KeWaitForSingleObject, IofCallDriver, KeGetCurrentThread, IoAllocateIrp, KeInitializeEvent, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, IoGetCurrentProcess, PsGetCurrentProcessId, strncpy, ZwClose, ObfDereferenceObject, IoAttachDeviceToDeviceStack, IoCreateDevice, IoGetRelatedDeviceObject, ObReferenceObjectByHandle, ZwCreateFile, ExAcquireResourceExclusiveLite, IoQueryVolumeInformation, IoAttachDeviceByPointer, KeQuerySystemTime, ExInterlockedPopEntrySList, ExInterlockedPushEntrySList, ProbeForWrite, _except_handler3, IoDeleteDevice, IoDetachDevice, ExQueueWorkItem, IofCompleteRequest, MmMapLockedPages, DbgPrint, IoDeleteSymbolicLink, ExInitializeNPagedLookasideList, ExInitializeResourceLite, IoCreateSymbolicLink, NtBuildNumber, ExReleaseResourceLite, KeLeaveCriticalRegion, ExAllocatePoolWithTag, RtlInitUnicodeString, ExFreePool
> HAL.dll: KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex, KeGetCurrentIrql

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

[Lilinka]

nový log z RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by E at 2010-02-23 11:00:40
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 55 GB (82%) free of 67 GB
Total RAM: 766 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:45, on 23.2.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\E\My Documents\Preberanie\RSIT(2).exe
C:\Program Files\trend micro\E.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6181 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll [2007-03-02 1298024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
HP Print Clips - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-03-02 177768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-05-18 16207872]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2006-04-15 53248]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-11-11 1236992]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-03-11 49152]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2009-10-13 949376]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"ICQ"=C:\Program Files\ICQ6.5\ICQ.exe [2009-11-16 172792]
"AutoStartNPSAgent"=C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [2009-11-25 116056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-06-22 61440]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Warcraft III\War3.exe"="C:\Program Files\Warcraft III\War3.exe:*:Disabled:Warcraft III"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Documents and Settings\E\Application Data\Facebook\facebook.exe"="C:\Documents and Settings\E\Application Data\Facebook\facebook.exe:*:Enabled:facebook"
"C:\Documents and Settings\E\Desktop\World of Warcraft\Launcher.exe"="C:\Documents and Settings\E\Desktop\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-02-23 10:50:51 ----D---- C:\_OTM
2010-02-22 13:08:29 ----D---- C:\rsit
2010-02-12 15:49:48 ----D---- C:\Documents and Settings\All Users\Application Data\Samsung
2010-02-12 15:49:21 ----A---- C:\WINDOWS\system32\FsUsbExService.Exe
2010-02-12 15:49:20 ----A---- C:\WINDOWS\system32\FsUsbExDevice.Dll
2010-02-12 15:49:06 ----D---- C:\Documents and Settings\E\Application Data\Samsung
2010-02-12 15:48:16 ----D---- C:\Program Files\MarkAny
2010-02-12 15:47:10 ----D---- C:\Program Files\Samsung
2010-02-12 15:40:26 ----A---- C:\0x0405.ini
2010-01-28 14:55:36 ----D---- C:\Documents and Settings\All Users\Application Data\hps
2010-01-28 14:45:13 ----D---- C:\Program Files\Fotolab

======List of files/folders modified in the last 1 months======

2010-02-23 11:00:43 ----D---- C:\Program Files\trend micro
2010-02-23 10:53:56 ----D---- C:\Documents and Settings\E\Application Data\Skype
2010-02-23 10:53:00 ----D---- C:\WINDOWS\Temp
2010-02-23 10:52:43 ----D---- C:\Program Files\Mozilla Firefox
2010-02-23 10:52:30 ----D---- C:\WINDOWS
2010-02-23 10:51:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-23 10:51:05 ----D---- C:\WINDOWS\system32
2010-02-23 10:50:57 ----D---- C:\WINDOWS\Prefetch
2010-02-23 10:07:30 ----D---- C:\Documents and Settings\E\Application Data\skypePM
2010-02-16 19:48:14 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-12 15:58:16 ----D---- C:\WINDOWS\system32\drivers
2010-02-12 15:58:15 ----HD---- C:\WINDOWS\inf
2010-02-12 15:54:25 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-12 15:52:15 ----SHD---- C:\WINDOWS\Installer
2010-02-12 15:52:15 ----HD---- C:\Program Files\InstallShield Installation Information
2010-02-12 15:52:15 ----HD---- C:\Config.Msi
2010-02-12 15:48:33 ----D---- C:\WINDOWS\WinSxS
2010-02-12 15:48:16 ----RD---- C:\Program Files
2010-02-12 15:35:37 ----D---- C:\Program Files\Common Files\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2009-10-13 15424]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832]
R1 WS2IFSL;Prostredie podpory poskytovateľa služby Windows Socket 2.0 Non-IFS Service; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2009-10-13 512096]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-06-22 1540096]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS\system32\FsUsbExDisk.SYS []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-16 4275712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2004-08-04 78464]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM); C:\WINDOWS\system32\DRIVERS\ss_bbus.sys [2009-09-21 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter); C:\WINDOWS\system32\DRIVERS\ss_bmdfl.sys [2009-09-21 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem; C:\WINDOWS\system32\DRIVERS\ss_bmdm.sys [2009-09-21 121856]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-06-22 405504]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 FsUsbExService;FsUsbExService; C:\WINDOWS\system32\FsUsbExService.Exe [2009-11-25 238952]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-10-13 552064]
R2 wltrysvc;Broadcom Wireless LAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-11-11 18944]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[Lilinka]

No a k tomu GMER-u
stiahla som ho, rozbalila, no hneď ako som na ten súbor klikla, resetlo mi PC vypol sa zase zapol a napísalo mi že sa stala vážna chyba. Tak som to zopakovala no stalo sa to isté

[franticek]

Ahoj.

Poradím se s kolegy, co dále.
Zkus mezitím provést skan s MBAM (informace v podpise), vidím, že ho máš nainstalovaný.
Nic zatím nemaž, jen postni log.

[Lilinka]

mbam log


Malwarebytes' Anti-Malware 1.44
Verzia databázy: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

23.2.2010 15:15:00
mbam-log-2010-02-23 (15-15-00).txt

Typ kontroly: Úplná (C:\|D:\|E:\|)
Objektov kontrolovaných: 160490
Uplynutý cas: 30 minute(s), 7 second(s)

Infikovaných procesov pamäte: 0
Infikovaných modulov pamäte: 0
Infikovaných registracných klúcov: 0
Infikovaných registracných hodnôt: 0
Infikovaných registracných údajov položiek: 0
Infikovaných priecinkov: 0
Infikovaných súborov: 0

Infikovaných procesov pamäte:
(Žiadne škodlivé položky)

Infikovaných modulov pamäte:
(Žiadne škodlivé položky)

Infikovaných registracných klúcov:
(Žiadne škodlivé položky)

Infikovaných registracných hodnôt:
(Žiadne škodlivé položky)

Infikovaných registracných údajov položiek:
(Žiadne škodlivé položky)

Infikovaných priecinkov:
(Žiadne škodlivé položky)

Infikovaných súborov:
(Žiadne škodlivé položky)

[franticek]

Jedeme dál
1. Stáhni SystemLook z podpisu a použij skript:

Kód: Vybrat vše

:filefind
DDA74FF.tmp
esihdrv.sys

2. Stáhnout Combofix z podpisu, uložit jej na plochu, vypnout všechny bezpečnostní rezidentní programy - nod32 atd. a spustit jej pod právy administrátora. Povolit případnou instalaci konzole pro zotavení, nechat CF doběhnout (neklikat do okna) a postnout log (C:\Combofix.txt).

3. zazipuj C:\WINDOWS\tasks\WGASetup.job a pošli jako přílohu.

4. co počítač - jsou nějaké problémy?

[Lilinka]

Dobré ránko
takže SystemLook:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:07 on 24/02/2010 by E (Administrator - Elevation successful)

========== filefind ==========

Searching for "DDA74FF.tmp"
No files found.

Searching for "esihdrv.sys"
No files found.

-=End Of File=-



no s počítačom moc problémy nie sú, len v pondelok som chytila B.Gen vírus či čo to keď som šla posielať smsku cez net síce mi ho nod zachytil ale nebola som si istá. PC potrebujem mať čistý kvôli IB, PayPal Ebay ... atď

[franticek]

Ahoj.

1. Na VT ověř pro jistotu C:\WINDOWS\system32\KB905474\wgasetup.exe

2. Zkus ještě zobrazit skryté soubory. Pokud nenajdeš, budeš ho muset spustit znova. Combofix se musí spouštět z Plochy, pokud jsi tak neučinila, stáhni jej znovu - při dotazu kde soubor uložit vyber Plochu a ulož jej pod jiným názvem - třeba CF.

[Lilinka]

VT: a-squared 4.5.0.50 2010.02.24 -
AhnLab-V3 5.0.0.2 2010.02.24 -
AntiVir 8.2.1.172 2010.02.23 -
Antiy-AVL 2.0.3.7 2010.02.24 -
Authentium 5.2.0.5 2010.02.24 -
Avast 4.8.1351.0 2010.02.23 -
AVG 9.0.0.730 2010.02.24 -
BitDefender 7.2 2010.02.24 -
CAT-QuickHeal 10.00 2010.02.24 -
ClamAV 0.96.0.0-git 2010.02.24 -
Comodo 4045 2010.02.24 -
DrWeb 5.0.1.12222 2010.02.24 -
eSafe 7.0.17.0 2010.02.23 Win32.TrojanHorse
eTrust-Vet 35.2.7326 2010.02.24 -
F-Prot 4.5.1.85 2010.02.23 -
F-Secure 9.0.15370.0 2010.02.24 -
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.24 -
Ikarus T3.1.1.80.0 2010.02.24 -
Jiangmin 13.0.900 2010.02.24 -
K7AntiVirus 7.10.981 2010.02.23 -
Kaspersky 7.0.0.125 2010.02.24 -
McAfee 5901 2010.02.23 -
McAfee+Artemis 5901 2010.02.23 -
McAfee-GW-Edition 6.8.5 2010.02.23 -
Microsoft 1.5406 2010.02.24 -
NOD32 4891 2010.02.23 -
Norman 6.04.08 2010.02.23 -
nProtect 2009.1.8.0 2010.02.24 -
Panda 10.0.2.2 2010.02.23 -
PCTools 7.0.3.5 2010.02.24 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.24 -
Sunbelt 5696 2010.02.24 -
Symantec 20091.2.0.41 2010.02.24 -
TheHacker 6.5.1.6.208 2010.02.24 -
TrendMicro 9.120.0.1004 2010.02.24 -
VBA32 3.12.12.2 2010.02.23 -
ViRobot 2010.2.24.2199 2010.02.24 -
VirusBuster 5.0.27.0 2010.02.24 -
Rozšiřující informace
File size: 453512 bytes
MD5...: 1d7ba0cfbdb204b0a3be40bfa79ce6f1
SHA1..: 1be31376adf16e12cb20eb2968c51fc80f09faf8
SHA256: e0abea18583b34cebab4dcca5c717aa5897d1c810401707a3f827b177eaf5fa7
ssdeep: 6144:TESQdtRrH8+qbavdj2jJSVkh+x3840aCOusOkTBksi3Kjqccgg2s4:TES8H
pqevJ2jCkhqFC5MWsqbN4
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1338f
timedatestamp.....: 0x49b7410a (Wed Mar 11 04:41:46 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5a82e 0x5aa00 6.71 839a84f9e2048a87bf64a6fc630ecb9b
.data 0x5c000 0xc178 0x7800 4.71 59e53451189eb911f63310bed006fe40
.rsrc 0x69000 0x4950 0x4a00 4.95 c65975a3907b31f625346a50c10b86c0
.reloc 0x6e000 0x5fe6 0x6000 4.97 cbc708b39bb6659ea65de5c3795aacbf

( 13 imports )
> ADVAPI32.dll: RegCloseKey, RegSetValueExW, RegCreateKeyExW, DeregisterEventSource, ReportEventW, RegisterEventSourceW, FreeSid, CheckTokenMembership, DuplicateToken, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, CreateProcessAsUserW, DuplicateTokenEx, RevertToSelf, ImpersonateLoggedOnUser, RegQueryInfoKeyW, RegEnumValueW, OpenThreadToken, GetLengthSid, CopySid, LookupAccountNameW, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExW, RegQueryValueExW, RegQueryValueExA, RegOpenKeyExA
> KERNEL32.dll: SetEndOfFile, CreateMutexW, GetLocalTime, SystemTimeToFileTime, GetSystemDirectoryW, CreateEventW, ResetEvent, Sleep, CreateProcessW, LoadLibraryW, VirtualProtect, WaitForSingleObject, InitializeCriticalSectionAndSpinCount, DeviceIoControl, DosDateTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, ReleaseMutex, GetComputerNameW, CompareFileTime, TryEnterCriticalSection, GetExitCodeProcess, GetCurrentProcess, GetProcessHeap, DeleteFileA, MoveFileA, LocalAlloc, GetTempPathA, GetCurrentDirectoryW, CreateMutexA, HeapAlloc, GetVersion, HeapFree, GetSystemDirectoryA, FindFirstFileA, ReadProcessMemory, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, WTSGetActiveConsoleSessionId, GetCurrentProcessId, ProcessIdToSessionId, CompareStringW, RemoveDirectoryW, DeleteFileW, MoveFileExW, FindFirstFileW, CopyFileW, FindNextFileW, FindClose, CreateDirectoryW, GetFileAttributesW, SetFileAttributesW, LocalFree, GetModuleFileNameW, FormatMessageW, CreateThread, CreateFileW, GetFileSize, ReadFile, WaitForMultipleObjects, GetLastError, GetModuleHandleW, OpenEventW, SetEvent, CloseHandle, GetVersionExA, GetStartupInfoW, RtlUnwind, SetUnhandledExceptionFilter, GetProcAddress, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, HeapSize, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, FreeLibrary, LoadLibraryA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetLocaleInfoA, GetUserDefaultLCID
> GDI32.dll: StartPage, StartDocA, SetMapMode, GetDeviceCaps, GetStockObject, SetBkMode, SetTextColor, CreateFontA, GetTextFaceA, GetTextMetricsW, SelectObject, DeleteObject, CreateSolidBrush, EndDoc, EndPage, DeleteDC
> USER32.dll: GetParent, ShowWindow, GetDlgItem, SetTimer, DrawMenuBar, PostMessageW, GetSystemMenu, EnableWindow, SetWindowTextW, SendMessageW, KillTimer, LoadStringW, SetWindowLongW, EnableMenuItem, CheckDlgButton, GetDesktopWindow, LoadStringA, GetSysColor, MessageBoxW, GetDC, GetClientRect, MapWindowPoints, MoveWindow, ReleaseDC, GetWindowLongW, GetDlgCtrlID, SetCursor, CallWindowProcW, FillRect, DrawTextW, DrawFocusRect, LoadCursorW, DestroyCursor, SetDlgItemTextA, IsWindow, IsDlgButtonChecked, SetDlgItemTextW, GetWindowRect, GetSystemMetrics, SetWindowPos
> ole32.dll: CoCreateInstance, CoUninitialize, CoSetProxyBlanket, CoInitialize, CoCreateGuid, StringFromGUID2, CLSIDFromProgID
> comdlg32.dll: CommDlgExtendedError, PrintDlgA
> COMCTL32.dll: PropertySheetW, CreatePropertySheetPageW
> USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
> WTSAPI32.dll: WTSQueryUserToken, WTSEnumerateSessionsW, WTSFreeMemory
> CRYPT32.dll: CryptUnprotectData
> SHELL32.dll: ShellExecuteA
> OLEAUT32.dll: -, -, -, -, -, -, -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) 1995-2009 Microsoft Corporation
product......: Microsoft Genuine Advantage
description..: Windows Genuine Advantage Notifications Setup
original name: WGASetup.exe
internal name: WGASetup
file version.: 1.9.0040.0
comments.....: n/a
signers......: Microsoft Corporation
Microsoft Code Signing PCA
Microsoft Root Authority
signing date.: 6:17 AM 3/11/2009
verified.....: -

idem na ten combofix

[Lilinka]

a teb combofix no neviem či je to ono, ale našla som toto:

[0x0405]
TITLE=Vybrat jazyk instalace
DESCRIPTION=Z níže uvedených možností vyberte jazyk instalace.
REBOOTMESSAGE=Instalační program musí restartovat operační systém, aby mohl dokončit konfiguraci služby Windows Installer. Klepnutím na tlačítko Ano restartování provedete ihned, pokud chcete restartování provést později, klepněte na tlačítko Ne.
ONUPGRADE=Tato instalace provede aktualizaci '%s'. Chcete pokračovat?
LATERVERSIONINSTALLED=V počítači je již nainstalována novější verze aplikace '%s'. Instalace nemůže pokračovat.
OK=OK
Cancel=Storno
Password=Heslo:
Install=Instalovat
Next=&Další >
1100=Chyba inicializace instalace
1101=%s
1102=%2 připravuje instalaci %1 na vašem počítači. Vyčkejte prosím.
1103=Probíhá kontrola verze operačního systému
1104=Probíhá kontrola verze instalačního programu systému Windows(R)
1105=Probíhá konfigurace instalačního programu systému Windows
1106=Probíhá konfigurace programu %s
1107=Byla dokončena konfigurace instalačního programu systému Windows v systému. Chcete-li v instalaci pokračovat, je nutné restartovat systém. Chcete-li znovu zavést systém, klepněte na tlačítko Restartovat.
1108=%s
1150=Byla zjištěna nekompatibilní verze systému Windows. Klepněte na tlačítko OK a znovu spusťte instalaci v systému Windows 95, Windows NT 4.0 SP6 nebo vyšším
1151=Při zápisu na dočasné místo došlo k chybě.
1152=Při extrakci %s na dočasné místo došlo k chybě.
1153=Při čtení inicializačního souboru instalace došlo k chybě.
1154=Instalační program nebyl v adresáři %s nalezen.
1155=Soubor %s nebyl nalezen.
1156=Vnitřní chyba instalačního programu systému Windows
1158=Došlo k chybě při přípravě řetězců. Ujistěte se, že všechny řetězce v souboru Setup.ini jsou platné.
1200=Restartovat
1603=Došlo k chybě při instalaci instalačního stroje systému Windows. Soubor, který je nutné nahradit, je pravděpodobně používán. Zavřete všechny aplikace a zopakujte akci.
1201=Instalační program vyžaduje %lu kB volného místa na jednotce %s. Uvolněte místo a akci opakujte.
1202=Nemáte dostatečná oprávnění k dokončení této instalace pro všechny uživatele tohoto počítače. Přihlašte se jako správce a pak tuto instalaci zopakujte.
1203=Parametry příkazového řádku:
1204=/L ID jazyka
1205=/S Skrytí inicializačního dialogu. Pro režim bez obsluhy použijte: /S /v/qn.
1206=/V parametry programu MsiExec.exe
1207=Nalezen instalační program %s systému Windows(R). Jedná se o starší verzi instalačního programu systému Windows(R). Pokračujte klepnutím na tlačítko OK.
1208=Znaková stránka ANSI pro jazyk %s není v počítači nainstalována, a proto nelze instalaci spustit ve vybraném jazyce. Spusťte instalační program a vyberte jiný jazyk.
1210=Instalační program vyžaduje k instalaci aplikace Microsoft .NET Framework verze 2.0 Instalační službu systému Windows verze %s nebo novější. Nainstalujte prosím Instalační službu systému Windows verze %s nebo novější a zkuste to znovu.
1604=Tato instalace neobsahuje modul Windows Installer (%s) potřebný pro běh instalace v tomto operačním systému.
1607=Nelze nainstalovat %s Scripting Runtime.
1608=Nebylo možné vytvořit instanci programu InstallDriver. Návratový kód: %d
1609=Určete prosím cílové umístění instalačního balíku.
1611=Nelze rozbalit soubor %s.
1612=Rozbalují se soubory.
1613=Stahuje se soubor %s.
1614=Při stahování souboru %s došlo k chybě. Jak si přejete pokračovat?
1615=hod.
1616=min.
1617=s
1618=MB
1619=kB
1620=/s
1621=Nelze ověřit podpis souboru %s.
1622=Zbývající čas:
1623=Staženo %d z %d KB rychlostí
1624=Připravuje se instalace...
1625=Nápověda k této instalaci.
1626=Nápověda
1627=Nelze uložit soubor: %s
1628=Instalaci podle skriptu nebylo možné dokončit.
1629=Neplatný příkazový řádek.
1630=/UA<url to InstMsiA.exe>
1631=/UW<url to InstMsiW.exe>
1632=/UM<url to msi package>
1633=/US<url to IsScript.msi>
1634=Inicializace instalátoru selhala, nepodařilo se zkopírovat proces.
1635=Soubor %s již existuje. Chcete jej nahradit?
1636=/P režim s heslem
1637=/A instalace pro správce
1638=/J režim minimální instalace
1639=/X režim odinstalace
1640=/F opravný režim
1641=/B místní instalace mezipaměti
1642=Podpis nelze ověřit. Potřebujete prohlížeč Internet Explorer verze 3.02 nebo vyšší s inovací Authenticode.
1643=Instalace vyžaduje novější verzi souboru WinInet.dll. Pravděpodobně bude nutné nainstalovat aplikaci Internet Explorer 3.02 nebo novější.
1644=Nemáte dostatečná oprávnění k dokončení této instalace pro všechny uživatele tohoto počítače. Přihlaste se jako správce a pak tuto instalaci zopakujte.
1645=Chyba při instalaci programu Microsoft(R) .NET Framework. Návratový kód: %d
1646=%s může také používat Microsoft (R) .NET %s Framework. Chcete aplikaci nyní nainstalovat?
1648=Byla zjištěna nekompatibilní verze systému Windows. Klepněte na tlačítko OK a znovu spusťte instalaci v systému Windows 95, Windows NT 4.0 SP3 nebo vyšším
1649=%s může někdy použít Visual J# Redistributable Package. Chcete jej nyní nainstalovat?
1650= (Nainstaluje se také .NET Framework.)
1651=Instalační program rozpoznal nekompatibilní verzi systému Windows. Klepněte na tlačítko OK a před opětovným spuštěním instalace zkontrolujte, zda je na cílovém počítači spuštěn systém Windows 2000 s aktualizací Service Pack 3 (nebo novější).
1652=%s vyžaduje, aby ve vašem počítači byly instalovány následující položky. Klepnutím na Instalovat se spustí instalace těchto potřebných prvků.
1653=Probíhá instalace %s
1654=Chcete zrušit instalační program po dokončení instalace %s?
1655=Soubory pro požadavek instalace %s nelze nalézt. Instalace bude nyní ukončena. Příčinou je zřejmě selhání nebo zrušení stahování.
1656=Zdá se, že instalace %s se nezdařila. Má se v instalaci pokračovat?
1657=Úspěšně
1658=Instalace
1659=Čeká na vyřízení
1660=Nainstalováno
1661=Stav
1662=Požadavek
1663=Nezdařilo se
1664=Extrahování
1665=Stahování
1666=Přeskočeno
1667=Instalace %s selhala. Instalační program se ukončí.
1668=Instalace %s vyžaduje restart. Klepnutím na tlačítko Ano (Yes) restartujte okamžitě nebo proveďte restart později klepnutím na tlačítko Ne (No).
1669=%1 volitelně používá %2. Chcete ho nainstalovat?
1670=Není možné nahrát modul %s, Kód chyby: %d
1671=Stahuje se %2. soubor z %3: %1
1700=Při inicializaci služby InstallScript se vyskytla chyba
1701=Není možné dekomprimovat podpůrné soubory služby InstallScript do dočasného umístění

1702=Tato instalace umožňuje instalovat několik instancí produktu. Vyberte instanci, kterou si přejete instalovat, a pokračujte klepnutím na Další:
1703=&Instalovat novou instanci
1704=&Provést údržbu nebo aktualizovat existující instanci
1705=Výchozí
1706=ID instance
1707=Název produktu
1708=Místo
1710=Tato instalace umožňuje opravit několik instancí produktu. Dole vyberte odpovídající možnost a uveďte, jak si přejete použít tuto opravu. Poté pokračujte klepnutím na Další.
1711=Opr&avit všechny existující instance
1712=O&pravit existující instanci
1713=Tato instalace vyžaduje instalátor Windows Installer verze 4.5 nebo novější. Instalace se nyní ukončí.
1714=Probíhá rozbalování

[Languages]
0x0404=Čínština (tradiční)
0x0804=Čínština (zjednodušená)

[franticek]

Toto určitě není ono, takže stáhnout na plochu a uložit pod jiným jménem. Poklepáním jej spustit a postupovat dle instrukcí (odsouhlasit vše). Podrobný popis (v EN) je tady.