Vírus winlogon.exe

Zpráva

Tino009 · #1 Příspěvek od **Tino009** » 30 led 2010 17:12

Dostal sa ku mne PC, ktorý nemal antivír a bol moc zavíreny cez Eset online scaner som odstránil okolo 200 vírusov, nainštaloval som Eset Smart Security 4 opäť skontroloval a vymazal ďalších 10 vírusov, potom som updatol windows, po resete mi Eset vypisuje okna s vírusmi:
- C:Windows/system32/winlogon.exe s infiltráciou win32/trojanproxy.agent.NIC.virus,
- C.Windows/system32/svchost.exe s infiltráciou win32/trojanproxy.agent.NIC.virus,
- C:Windows/system32/lssas.exe s infiltráciou win32/trojanproxy.agent.NIC.virus.
Taktiež Windows ma upozorňuje na vloženie inštalačného CD pretože súbory nevyhnutné pre správnu funkčnosť systému boli nahradené súbormi neznámej verzie. Kedže mám iba recovery DVD-ROM tak mi ho neberie.

PROSÍM o radu, nechcem preinštalovať windows pretože mám tam dôležité dáta. Za každú radu pekne ďakujem:

Pripájam LOG.RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jan Kuzma at 2010-01-30 16:47:29
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 16 GB (22%) free of 76 GB
Total RAM: 383 MB (18% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-03-16 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-05 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-07-28 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-07-05 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-05 259696]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"=C:\WINDOWS\sm56hlpr.exe [2006-01-20 544768]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-05-04 16206848]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Wireless Console 2"=C:\Program Files\Wireless Console 2\wcourier.exe [2005-10-17 987136]
"egui"=C:\Program Files\eset1\egui.exe [2009-02-06 2021400]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-03-08 61440]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Documents and Settings\Jan Kuzma\jgshv.exe"="C:\Documents and Settings\Jan Kuzma\jgshv.exe:*:Enabled:ENABLE"
"C:\WINDOWS\system32\bufxh.exe"="C:\WINDOWS\system32\bufxh.exe:*:Enabled:ENABLE"
"C:\WINDOWS\system32\bufxh .exe"="C:\WINDOWS\system32\bufxh .exe:*:Enabled:ENABLE"
"C:\WINDOWS\System32\ifq.exe"="C:\WINDOWS\System32\ifq.exe:*:Enabled:ENABLE"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype "
"C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe"="C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41e4438e-c139-11de-9373-0018f3b793ce}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41e4438f-c139-11de-9373-0018f3b793ce}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}]
shell\AutoRun\command - y82td3td.com
shell\explore\command - y82td3td.com
shell\open\command - y82td3td.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}]
shell\AutoRun\command - b.com
shell\explore\command - b.com
shell\open\command - b.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d443ff90-e241-11dc-91f0-0018f3b793ce}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

======List of files/folders created in the last 1 months======

2010-01-30 16:47:30 ----D---- C:\Program Files\trend micro
2010-01-30 16:47:29 ----D---- C:\rsit
2010-01-29 23:48:55 ----D---- C:\!KillBox
2010-01-29 22:34:54 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Windows Genuine Advantage
2010-01-29 22:30:32 ----SHD---- C:\FOUND.002
2010-01-29 22:27:39 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-01-29 22:27:34 ----HD---- C:\WINDOWS\$NtUninstallKB952954$
2010-01-29 22:27:28 ----HD---- C:\WINDOWS\$NtUninstallKB959426$
2010-01-29 22:27:23 ----HD---- C:\WINDOWS\$NtUninstallKB946648$
2010-01-29 22:27:14 ----HD---- C:\WINDOWS\$NtUninstallKB956803$
2010-01-29 22:27:09 ----HD---- C:\WINDOWS\$NtUninstallKB935448$
2010-01-29 22:27:05 ----HD---- C:\WINDOWS\$NtUninstallKB958869$
2010-01-29 22:26:58 ----HD---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-01-29 22:26:41 ----HD---- C:\WINDOWS\$NtUninstallKB969059$
2010-01-29 22:26:37 ----HD---- C:\WINDOWS\$NtUninstallKB971657$
2010-01-29 22:26:32 ----HD---- C:\WINDOWS\$NtUninstallKB971557$
2010-01-29 22:26:27 ----HD---- C:\WINDOWS\$NtUninstallKB960225$
2010-01-29 22:26:21 ----HD---- C:\WINDOWS\$NtUninstallKB974112$
2010-01-29 22:26:17 ----HD---- C:\WINDOWS\$NtUninstallKB956844$
2010-01-29 22:26:12 ----HD---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-01-29 22:26:08 ----HD---- C:\WINDOWS\$NtUninstallKB971633$
2010-01-29 22:26:02 ----HD---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2010-01-29 22:25:57 ----HD---- C:\WINDOWS\$NtUninstallKB952004$
2010-01-29 22:25:49 ----HD---- C:\WINDOWS\$NtUninstallKB973507$
2010-01-29 22:25:37 ----D---- C:\WINDOWS\system32\MpEngineStore
2010-01-29 22:25:37 ----A---- C:\WINDOWS\system32\MRT.INI
2010-01-29 22:23:26 ----A---- C:\WINDOWS\system32\MRT.exe
2010-01-29 22:23:19 ----HD---- C:\WINDOWS\$NtUninstallKB973687$
2010-01-29 22:23:14 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
2010-01-29 22:23:09 ----HD---- C:\WINDOWS\$NtUninstallKB952287$
2010-01-29 22:23:04 ----HD---- C:\WINDOWS\$NtUninstallKB973904$
2010-01-29 22:22:59 ----HD---- C:\WINDOWS\$NtUninstallKB951066$
2010-01-29 22:22:54 ----HD---- C:\WINDOWS\$NtUninstallKB974392$
2010-01-29 22:22:46 ----HD---- C:\WINDOWS\$NtUninstallKB951748$
2010-01-29 22:22:40 ----HD---- C:\WINDOWS\$NtUninstallKB970238$
2010-01-29 22:22:34 ----D---- C:\WINDOWS\ServicePackFiles
2010-01-29 22:22:32 ----HD---- C:\WINDOWS\$NtUninstallKB958470$
2010-01-29 22:22:25 ----HD---- C:\WINDOWS\$NtUninstallKB973815$
2010-01-29 22:22:16 ----HD---- C:\WINDOWS\$NtUninstallKB971032$
2010-01-29 22:22:10 ----HD---- C:\WINDOWS\$NtUninstallKB955069$
2010-01-29 22:22:05 ----HD---- C:\WINDOWS\$NtUninstallKB956802$
2010-01-29 22:21:34 ----D---- C:\Program Files\MSXML 4.0
2010-01-29 22:21:24 ----HD---- C:\WINDOWS\$NtUninstallKB923561$
2010-01-29 22:21:18 ----HD---- C:\WINDOWS\$NtUninstallKB975467$
2010-01-29 22:21:10 ----HD---- C:\WINDOWS\$NtUninstallKB968389$
2010-01-29 22:20:58 ----HD---- C:\WINDOWS\$NtUninstallKB969947$
2010-01-29 22:11:57 ----D---- C:\Documents and Settings\Jan Kuzma\Application Data\ESET
2010-01-29 22:07:57 ----D---- C:\Program Files\eset1
2010-01-29 19:47:00 ----A---- C:\WINDOWS\system32\xpsp3res.dll
2010-01-29 19:01:43 ----D---- C:\Documents and Settings\Jan Kuzma\Application Data\GlarySoft
2010-01-29 18:52:22 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-01-29 18:32:44 ----D---- C:\WINDOWS\system32\CatRoot_bak
2010-01-29 18:24:22 ----A---- C:\WINDOWS\wininit.ini
2010-01-29 17:42:28 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-29 17:42:28 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-01-29 15:15:59 ----HD---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-01-29 15:15:54 ----HD---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-29 15:15:24 ----HD---- C:\WINDOWS\$NtUninstallKB972270$
2010-01-29 15:15:13 ----HD---- C:\WINDOWS\$NtUninstallKB956572$
2010-01-29 15:15:06 ----HD---- C:\WINDOWS\$NtUninstallKB973869$
2010-01-29 15:14:59 ----HD---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2010-01-29 15:14:56 ----HD---- C:\WINDOWS\$NtUninstallKB950762$
2010-01-29 15:14:52 ----HD---- C:\WINDOWS\$NtUninstallKB958687$
2010-01-29 15:14:48 ----HD---- C:\WINDOWS\$NtUninstallKB973354$
2010-01-29 15:14:44 ----HD---- C:\WINDOWS\$NtUninstallKB971961$
2010-01-29 15:14:34 ----HD---- C:\WINDOWS\$NtUninstallKB971486$
2010-01-29 15:14:29 ----HD---- C:\WINDOWS\$NtUninstallKB960803$
2010-01-29 15:14:25 ----HD---- C:\WINDOWS\$NtUninstallKB973525$
2010-01-29 15:14:20 ----HD---- C:\WINDOWS\$NtUninstallKB958644$
2010-01-29 15:14:14 ----HD---- C:\WINDOWS\$NtUninstallKB944338-v2$
2010-01-29 14:27:14 ----D---- C:\Program Files\Alwil Software
2010-01-29 14:27:14 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
2010-01-29 14:18:07 ----SHD---- C:\WINDOWS\CSC
2010-01-29 13:23:39 ----D---- C:\Program Files\CCleaner
2010-01-21 15:20:05 ----A---- C:\WINDOWS\rafazon.bat

======List of files/folders modified in the last 1 months======

2010-01-30 16:35:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-29 18:42:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-16 19:04:42 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-02-06 56280]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2006-04-06 29440]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2006-04-06 33408]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 WS2IFSL;Prostredie podpory poskytovate¾a služby Windows Socket 2.0 Non-IFS Service; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 Angelnt;Angelnt; C:\WINDOWS\System32\Drivers\ANGELNT.SYS [2009-02-04 51072]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-02-06 130952]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2009-09-18 15781]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-03-08 1506816]
R3 BCM43XX;ASUS 802.11 ovládaè sieového adaptéru; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-11 371712]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-02-06 33096]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-04 4271616]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2005-07-12 51328]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-01-20 862340]
R3 SynMini;USB2.0 1.3M WebCam; C:\WINDOWS\System32\Drivers\SynMini.sys [2006-07-03 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image; C:\WINDOWS\System32\Drivers\SynScan.sys [2006-06-30 8064]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-10-21 191936]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2006-04-06 102016]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-03-17 101376]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]
S3 nmwcdcj;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2007-02-22 12288]
S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-03 67584]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-03-08 405504]
R2 ekrn;ESET Service; C:\Program Files\eset1\ekrn.exe [2009-02-06 727720]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2006-04-06 880128]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-03 17408]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-04-24 73728]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\eset1\EHttpSrv.exe [2009-02-06 20680]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-05 182768]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-12-10 353280]

-----------------EOF-----------------

pitimir · #2 Příspěvek od **pitimir** » 30 led 2010 18:30

Ahoj, vitaj na fore

Smiem vediet, co si saskoval s KillBoxom?

1) Stiahni DDS. Uloz na plochu, ukonci vsetky spustene programy a spust ho. Po skonceni scanu sa otvoria vysledky v 2 oknach - DDS.txt a Attach.txt. Obsah oboch by som rad videl.

2) Stiahni GMER, rozbal ho na plochu a spust. Program automaticky zacne scan (po jeho skonceni vloz log c. 1) - pokial pri scanovani nieco najde (=vyskoci nejake upozornenie), klik na "NO" a nastavis program podla obrazku:
Obrázek

Klik na "Scan". Po scane klik na "Save" a log c. 2 vloz sem.

Ak nic nenajde (=nevyskoci nic), zaskrtaj vpravo vsetko a spusti scan. Po jeho ukonceni klik na "Copy" a vloz log c. 2.

Tino009 · #3 Příspěvek od **Tino009** » 30 led 2010 19:58

Tak tu sú tie logy, dúfam že som to scanoval správne:

1.
DDS (Ver_09-12-01.01) - FAT32x86
Run by Jan Kuzma at 19:32:26,60 on 30.01.2010
Internet Explorer: 6.0.2900.2180
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.383.70 [GMT 1:00]

AV: Kaspersky Internet Security 6.0 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\eset1\egui.exe
C:\WINDOWS\system32\ctfmon.exe
SVCHOST.EXE
C:\Program Files\eset1\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jan Kuzma\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.sk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [egui] "c:\program files\eset1\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\documents and settings\jan kuzma\application data\fajmwauuvmwo.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [2009-2-4 51072]
R2 ekrn;ESET Service;c:\program files\eset1\ekrn.exe [2009-2-6 727720]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\drivers\psched.sys [2004-8-3 69120]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2008-2-23 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2008-2-23 8064]

=============== Created Last 30 ================

2010-01-30 15:47:30 0 d-----w- c:\program files\trend micro
2010-01-29 22:48:55 0 d-----w- C:\!KillBox
2010-01-29 21:30:32 0 d-sh--w- C:\FOUND.002
2010-01-29 21:25:37 282 ----a-w- c:\windows\system32\drivers\honmuzaz.dat
2010-01-29 21:25:37 127 ----a-w- c:\windows\system32\MRT.INI
2010-01-29 21:25:37 0 d-----w- c:\windows\system32\MpEngineStore
2010-01-29 21:22:34 0 d-----w- c:\windows\ServicePackFiles
2010-01-29 21:21:34 0 d-----w- c:\program files\MSXML 4.0
2010-01-29 21:11:57 0 d-----w- c:\docume~1\jankuz~1\applic~1\ESET
2010-01-29 21:07:57 0 d-----w- c:\program files\eset1
2010-01-29 18:47:15 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-29 18:01:43 0 d-----w- c:\docume~1\jankuz~1\applic~1\GlarySoft
2010-01-29 17:32:44 0 d-----w- c:\windows\system32\CatRoot_bak
2010-01-29 17:24:22 547 ----a-w- c:\windows\wininit.ini
2010-01-29 17:01:18 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-29 16:42:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-29 16:42:28 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-01-29 13:27:14 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-01-29 12:23:39 0 d-----w- c:\program files\CCleaner
2010-01-22 12:40:28 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-22 12:40:28 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-01-22 12:25:06 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-21 14:20:05 96 ----a-w- c:\windows\rafazon.bat
2010-01-21 09:31:37 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-12 10:09:55 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 10:09:51 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 10:09:44 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 10:09:41 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-10 18:43:33 42496 ---h--w- c:\windows\system32\secupdat.dat
2010-01-10 18:43:33 42496 ---h--w- c:\documents and settings\jan kuzma\secupdat.dat

==================== Find3M ====================

2009-11-21 16:36:14 470528 ----a-w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 19:32:46,12 ===============

2.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Systém Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 23.02.2008 18:33:00
System Uptime: 30.01.2010 19:26:38 (0 hours ago)

Motherboard: ASUSTeK Computer Inc. | | A6Rp
Processor: Intel(R) Celeron(R) M CPU 440 @ 1.86GHz | CPU 1 | 1866/133mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 75 GiB total, 16,047 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0001
Manufacturer: Microsoft
Name: WAN Miniport (IP) - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0001
Service: PSched

==== System Restore Points ===================

RP56: 17.09.2009 19:24:53 - Nainštalovaný ovládaè tlaèiarne doPDF 6 Printer Driver
RP57: 17.09.2009 19:24:54 - Installed Adobe Reader 9.1.
RP58: 17.09.2009 19:24:54 - Kontrolný bod systému
RP59: 17.09.2009 19:24:54 - Installed WinZip 12.0
RP60: 17.09.2009 19:24:55 - Kontrolný bod systému
RP61: 17.09.2009 19:24:55 - Kontrolný bod systému
RP62: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP63: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP64: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP65: 17.09.2009 19:24:55 - Kontrolný bod systému
RP66: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP67: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP68: 17.09.2009 19:24:55 - Kontrolný bod systému
RP69: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP70: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP71: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP72: 17.09.2009 19:24:55 - Odstránené: ESET NOD32 Antivirus
RP73: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP74: 17.09.2009 19:24:56 - Installed 602XML Filler.
RP75: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP76: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP77: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP78: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP79: 17.09.2009 19:24:56 - Odstránené: ESET NOD32 Antivirus
RP80: 17.09.2009 19:24:57 - Kontrolný bod systému
RP81: 17.09.2009 19:24:57 - Kontrolný bod systému
RP82: 17.09.2009 19:24:57 - Odstránené: ESET NOD32 Antivirus
RP83: 17.09.2009 19:24:57 - Odstránené: ESET NOD32 Antivirus
RP84: 17.09.2009 19:24:57 - Odstránené: ESET NOD32 Antivirus
RP85: 17.09.2009 19:24:58 - Nainstalováno: ESET NOD32 Antivirus
RP86: 17.09.2009 19:24:58 - Odstránené: ESET NOD32 Antivirus
RP87: 17.09.2009 19:24:58 - Odstránené: ESET NOD32 Antivirus
RP88: 17.09.2009 19:24:58 - Removed Ad-Aware
RP89: 17.09.2009 19:24:58 - Spyware Terminator - restore point
RP90: 17.09.2009 19:24:59 - Operácia obnovovania
RP91: 17.09.2009 19:24:59 - Odstránené: ESET NOD32 Antivirus
RP92: 17.09.2009 19:24:59 - Odstránené: ESET NOD32 Antivirus
RP93: 17.09.2009 19:24:59 - Odstránené: ESET NOD32 Antivirus
RP94: 18.09.2009 7:30:17 - Removed Ad-Aware
RP95: 18.09.2009 7:33:41 - Installed ASUS WLAN Card Utilities/Driver
RP96: 18.09.2009 7:34:59 - Installed Wireless Console 2
RP97: 18.09.2009 10:44:10 - Software Distribution Service 3.0
RP98: 18.09.2009 10:46:22 - Software Distribution Service 3.0
RP99: 18.09.2009 10:47:01 - Software Distribution Service 3.0
RP100: 18.09.2009 10:47:50 - Software Distribution Service 3.0
RP101: 18.09.2009 10:48:17 - Software Distribution Service 3.0
RP102: 18.09.2009 11:08:30 - Nainštalované: ESET Smart Security
RP103: 22.09.2009 14:56:23 - Software Distribution Service 3.0
RP104: 01.10.2009 19:14:26 - Software Distribution Service 3.0
RP105: 01.10.2009 19:48:25 - Removed 602XML Filler.
RP106: 10.10.2009 19:27:08 - Kontrolný bod systému
RP107: 10.10.2009 22:49:16 - Software Distribution Service 3.0
RP108: 25.10.2009 8:45:01 - Nainštalované: ESET NOD32 Antivirus
RP109: 25.10.2009 8:52:03 - Odstránené: ESET NOD32 Antivirus
RP110: 25.10.2009 8:55:15 - Nainštalované: ESET NOD32 Antivirus
RP111: 25.10.2009 8:57:10 - Nainštalované: ESET NOD32 Antivirus
RP112: 25.10.2009 9:00:42 - Nainštalované: ESET NOD32 Antivirus
RP113: 25.10.2009 9:05:02 - Nainštalované: ESET NOD32 Antivirus
RP114: 25.10.2009 9:14:10 - Nainštalované: ESET NOD32 Antivirus
RP115: 25.10.2009 9:16:13 - Nainštalované: ESET NOD32 Antivirus
RP116: 25.10.2009 9:18:10 - Software Distribution Service 3.0
RP117: 30.11.2009 21:08:41 - Software Distribution Service 3.0
RP118: 13.12.2009 18:58:44 - Kontrolný bod systému
RP119: 13.12.2009 22:03:23 - Software Distribution Service 3.0
RP120: 12.01.2010 11:08:41 - Software Distribution Service 3.0
RP121: 12.01.2010 11:22:45 - Software Distribution Service 3.0
RP122: 17.01.2010 19:32:18 - Software Distribution Service 3.0
RP123: 20.01.2010 14:45:44 - Software Distribution Service 3.0
RP124: 20.01.2010 15:05:59 - Installed ESET NOD32 Antivirus
RP125: 20.01.2010 15:16:08 - Removed ESET NOD32 Antivirus
RP126: 20.01.2010 15:22:56 - Software Distribution Service 3.0
RP127: 21.01.2010 14:59:06 - Software Distribution Service 3.0
RP128: 21.01.2010 15:01:03 - Software Distribution Service 3.0
RP129: 21.01.2010 15:15:29 - Odstránené: ESET NOD32 Antivirus
RP130: 22.01.2010 13:36:16 - Removed ESET NOD32 Antivirus
RP131: 22.01.2010 22:21:08 - Software Distribution Service 3.0
RP132: 29.01.2010 12:33:13 - Removed ESET Smart Security
RP133: 29.01.2010 12:59:19 - Avira AntiVir Personal - 29.01.2010 12:59
RP134: 29.01.2010 15:14:10 - Software Distribution Service 3.0
RP135: 29.01.2010 22:07:54 - Installed ESET Smart Security
RP136: 29.01.2010 22:20:45 - Software Distribution Service 3.0
RP137: 29.01.2010 22:34:39 - Installed Windows XP WgaNotify.
RP138: 30.01.2010 0:07:01 - Software Distribution Service 3.0
RP139: 30.01.2010 10:19:05 - Software Distribution Service 3.0
RP140: 30.01.2010 12:50:41 - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1.1
ALFA 14.53.00
Application Compatibility Toolkit
Ask Toolbar
ASUS WLAN Card Utilities/Driver
ASUS World Clock
ASUSDVD
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
ATK0100 ACPI UTILITY
CCleaner (remove only)
Codec Pack - All In 1 6.0.3.0
doPDF 6.2 printer
ESET Smart Security
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
HP OrderReminder
hp print screen utility
IrfanView (remove only)
LaserJet 1018
LifeFrame2
LightScribe 1.4.89.1
Microsoft Office XP Professional
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mobile Partner
Motorola SM56 Data Fax Modem
MRP Aktualizaèný manažér
MRP Základ vizuálneho systému
MSVC80_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MV2Player (remove only)
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
Opera 9.61
PC Connectivity Solution
REALTEK GbE & FE Ethernet NIC Driver
Realtek High Definition Audio Driver
REALTEK PCIE NIC Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB975467)
Skype™ 4.0
Synaptics Pointing Device Driver
The KMPlayer (remove only)
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 1.3M WebCam
WebFldrs XP
Winamp (remove only)
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB885884
WinZip 12.0
Wireless Console 2

==== Event Viewer Messages From Past Week ========

29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:51, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:44, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:44, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:32:44, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je Neznáme.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 22:19:33, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 22:19:23, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:13:39, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:13:39, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:13:39, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 22:13:24, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 22:13:24, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 20:37:10, informácie: Windows File Protection [64004] - Chránený systémový súbor winlogon.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:37:10, informácie: Windows File Protection [64004] - Chránený systémový súbor svchost.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:37:10, informácie: Windows File Protection [64004] - Chránený systémový súbor lsass.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:37:10, informácie: Windows File Protection [64004] - Chránený systémový súbor explorer.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 6.0.2900.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:07:02, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 20:04:05, informácie: Windows File Protection [64004] - Chránený systémový súbor winlogon.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:04:05, informácie: Windows File Protection [64004] - Chránený systémový súbor svchost.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 20:04:05, informácie: Windows File Protection [64004] - Chránený systémový súbor lsass.exe sa nedá obnovi na pôvodnú, platnú verziu. Verzia nesprávneho súboru je 5.1.2600.2180 Špecifický kód chyby je 0x800b0100 [Predmet neobsahoval podpis. ].
29.01.2010 19:55:35, informácie: Windows File Protection [64005] - Chránený systémový súbor winlogon.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 19:55:35, informácie: Windows File Protection [64005] - Chránený systémový súbor svchost.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 19:55:35, informácie: Windows File Protection [64005] - Chránený systémový súbor lsass.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 5.1.2600.2180.
29.01.2010 19:55:17, informácie: Windows File Protection [64005] - Chránený systémový súbor explorer.exe nebol obnovený na pôvodnú platnú verziu, pretože obnovenie súborov vykonávané programom Ochrana súborov systému Windows bolo zrušené používate¾om Jan Kuzma. Verzia nesprávneho súboru je 6.0.2900.2180.
29.01.2010 19:27:27, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\msyuv.dll. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 5.3.2600.2180.
29.01.2010 19:27:27, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\msvidc32.dll. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 5.1.2600.0.
29.01.2010 19:27:27, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\msrle32.dll. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 5.1.2600.2180.
29.01.2010 19:27:21, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\msadds32.ax. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 8.0.0.4487.
29.01.2010 19:27:21, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\mpg4ds32.ax. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 8.0.0.4487.
29.01.2010 19:27:21, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\mpg2splt.ax. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 6.5.2600.2180.
29.01.2010 19:27:06, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\mpg4ds32.ax. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 8.0.0.4487.
29.01.2010 19:27:06, informácie: Windows File Protection [64002] - Došlo k pokusu o nahradenie chráneného systémového súboru c:\windows\system32\mpg2splt.ax. Z dôvodu zachovania stability systému bol súbor obnovený na pôvodnú verziu. Verzia systémového súboru je 6.5.2600.2180.

==== End Of File ===========================

3.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-30 19:50:53
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\JANKUZ~1\LOCALS~1\Temp\fwlyrfow.sys

---- System - GMER 1.0.15 ----

SSDT 824B18A0 ZwAssignProcessToJobObject
SSDT 824B0CB0 ZwOpenProcess
SSDT 824B10D0 ZwOpenThread
SSDT 824B16D0 ZwSuspendProcess
SSDT 824B14F0 ZwSuspendThread
SSDT 824B0EE0 ZwTerminateProcess
SSDT 824B1310 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:596] 824AF930

---- Services - GMER 1.0.15 ----

Service system32\drivers\gasfkyakdmecdp.sys (*** hidden *** ) [SYSTEM] gasfkylnsrqppf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf@imagepath \systemroot\system32\drivers\gasfkyakdmecdp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main@aid 10438
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main\injector@* gasfkywsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyakdmecdp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\modules@gasfkycmd.dll \systemroot\system32\gasfkyiyputhxl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\modules@gasfkylog.dat \systemroot\system32\gasfkylbxrmukt.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkylnsrqppf\modules@gasfkywsp.dll \systemroot\system32\gasfkylwhoqdpu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf@imagepath \systemroot\system32\drivers\gasfkyakdmecdp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main@aid 10438
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main\injector@* gasfkywsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyakdmecdp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\modules@gasfkycmd.dll \systemroot\system32\gasfkyiyputhxl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\modules@gasfkylog.dat \systemroot\system32\gasfkylbxrmukt.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkylnsrqppf\modules@gasfkywsp.dll \systemroot\system32\gasfkylwhoqdpu.dll

---- EOF - GMER 1.0.15 ----

pitimir · #4 Příspěvek od **pitimir** » 30 led 2010 20:07

A ideme nato...

Stiahni ComboFix na plochu - NESPUSTAT.

Presun ikonu CF na plochu, vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall a otvor poznamkovy blok. Donho skopiruj:

Kód: Vybrat vše

KillAll::
Rootkit::
c:\system32\drivers\gasfkyakdmecdp.sys

Driver::
gasfkylnsrqppf

DDS::
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
LSP: c:\documents and settings\jan kuzma\application data\fajmwauuvmwo.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab

Files::
c:\documents and settings\jan kuzma\application data\fajmwauuvmwo.dll
c:\windows\system32\drivers\honmuzaz.dat

Folder::
c:\program files\ask.com
c:\program files\skype\toolbars
c:\!KillBox
c:\FOUND.002

StelDel::

Uloz na plochu ako CFScript.txt a mysou pretiahni nad ikonou CF.

Obrázek

Program script spracuje a spravi novy log.

Pozor: Ak po aplikacii skriptu nenabehne Windows, restartuj PC, stlac F8 a zvol Poslednu znamu funkcnu konfiguraciu.

Tino009 · #5 Příspěvek od **Tino009** » 30 led 2010 21:35

Tak som spravil vsetko ako ste pisali, nabehlo modre okno a uz dobru polhodinku sa nic nedeje, iba blika kurzor, co s tym???

Tino009 · #6 Příspěvek od **Tino009** » 30 led 2010 22:52

Tak som ten ComboFix po hodine zrusil a neviem ci som nespravil chybu, ale dal som PC restartovat a spustil som to podla poslednej znamej konfiguracie, Windows nabehol, zmenil sa jazyk zo slovenciny na anglictinu, opat mi zacali vyskakovat tie virusy, tak som vypol Eset aj Firewall a znova som zkopiroval CFScript.txt do ComboFix, nabehlo modre okno, ale ked ani po pol hodinke sa neudialo nic, tak som to zrusil a vypol PC. Dakujem za trpezlivost a prosim o dalsiu radu.

pitimir · #7 Příspěvek od **pitimir** » 31 led 2010 13:21

Tam budeme mazat postupne

1) Stiahni Avenger. Spust ho a suhlas s podmienkami atd.
Do bieleho pola v strede programu vloz skript:

Kód: Vybrat vše

Files to delete:
c:\system32\drivers\gasfkyakdmecdp.sys

Drivers to delete:
gasfkylnsrqppf
gasfkyakdmecdp

Stlac "Execute" -> "Yes". Restart a vloz log.

2) Stiahni OTL. Uloz na plochu a spust dvojklikom subor "OTL.exe". Otvori sa okno programu, v nom zaskrtni "Scan All Users", "Lop" aj "Purity Check" a "File Scan" zmen na 7 dni miesto 30. Do policka pod nazvom "Custom Scans/Fixes" skopiruj:

Kód: Vybrat vše

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT

Potom klikni na "Run Scan". Zacne scan pocitaca, po jeho ukonceni sa otvoria dva reporty - obsah oboch potrebujem vidiet.

Tino009 · #8 Příspěvek od **Tino009** » 31 led 2010 14:08

Tak tu su tie reporty. Musim teraz odist surne, na nete budem az vecer. Dakujem.

1.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not open file "c:\system32\drivers\gasfkyakdmecdp.sys"
Deletion of file "c:\system32\drivers\gasfkyakdmecdp.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Driver "gasfkylnsrqppf" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gasfkyakdmecdp" not found!
Deletion of driver "gasfkyakdmecdp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

2.
OTL logfile created on: 31.01.2010 13:56:37 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Jan Kuzma\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000041B | Country: Slovakia | Language: SKY | Date Format: dd.MM.yyyy

383,00 Mb Total Physical Memory | 76,00 Mb Available Physical Memory | 20,00% Memory free
921,00 Mb Paging File | 633,00 Mb Available in Paging File | 69,00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,51 Gb Total Space | 16,87 Gb Free Space | 22,64% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 983,47 Mb Total Space | 70,20 Mb Free Space | 7,14% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAN-2BCD3090F0D
Current User Name: Jan Kuzma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.01.31 13:43:36 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan Kuzma\Desktop\OTL.exe
PRC - [2009.02.06 14:23:36 | 000,727,720 | ---- | M] (ESET) -- C:\Program Files\eset1\ekrn.exe
PRC - [2009.02.06 14:23:12 | 002,021,400 | ---- | M] (ESET) -- C:\Program Files\eset1\egui.exe
PRC - [2006.05.04 08:59:16 | 016,206,848 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006.04.24 14:25:44 | 000,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006.04.06 17:53:50 | 000,880,128 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2006.03.08 15:42:00 | 000,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006.01.20 05:34:26 | 000,544,768 | R--- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
PRC - [2005.10.17 17:09:34 | 000,987,136 | ---- | M] () -- C:\Program Files\Wireless Console 2\wcourier.exe
PRC - [2004.08.03 23:56:58 | 000,506,368 | ---- | M] () -- C:\WINDOWS\system32\winlogon.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:58 | 000,017,408 | ---- | M] () -- C:\WINDOWS\system32\svchost.exe
PRC - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () -- C:\WINDOWS\system32\lsass.exe
PRC - [2004.08.03 23:56:50 | 001,034,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010.01.31 13:43:36 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan Kuzma\Desktop\OTL.exe
MOD - [2004.08.03 23:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009.07.05 17:37:44 | 000,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009.02.06 14:27:06 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\eset1\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009.02.06 14:23:36 | 000,727,720 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\eset1\ekrn.exe -- (ekrn)
SRV - [2007.12.10 13:59:04 | 000,353,280 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006.04.24 14:25:44 | 000,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006.04.06 17:53:50 | 000,880,128 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2006.03.08 15:42:00 | 000,405,504 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004.08.04 00:56:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)
SRV - [2004.08.03 23:56:52 | 000,014,848 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2003.09.01 12:10:20 | 000,266,240 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\hpdj -- (hpdj)

========== Driver Services (SafeList) ==========

DRV - [2009.09.18 07:34:08 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2009.02.06 14:24:22 | 000,056,280 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009.02.06 14:24:22 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009.02.06 14:24:18 | 000,130,952 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009.02.06 14:23:18 | 000,106,208 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009.02.06 14:19:52 | 000,113,448 | ---- | M] (ESET) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009.02.04 17:41:44 | 000,051,072 | ---- | M] (Identcode Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\ANGELNT.SYS -- (Angelnt)
DRV - [2008.03.17 11:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007.02.22 10:15:56 | 000,137,216 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd)
DRV - [2007.02.22 10:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcm.sys -- (nmwcdcm)
DRV - [2007.02.22 10:15:14 | 000,012,288 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdcj.sys -- (nmwcdcj)
DRV - [2007.02.22 10:15:14 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (nmwcdc)
DRV - [2006.07.03 03:33:24 | 001,056,512 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynMini.sys -- (SynMini)
DRV - [2006.06.30 03:40:52 | 000,008,064 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynScan.sys -- (SynScan)
DRV - [2006.05.04 09:13:52 | 004,271,616 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006.04.06 18:02:10 | 000,102,016 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2006.04.06 18:02:10 | 000,029,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2006.04.06 17:02:08 | 000,033,408 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2006.03.08 15:49:20 | 001,506,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006.01.20 05:44:42 | 000,862,340 | R--- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006.01.18 11:41:58 | 000,080,512 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005.10.21 07:13:08 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005.07.14 12:14:34 | 000,027,904 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\risdptsk.sys -- (risdptsk)
DRV - [2005.07.12 19:00:30 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005.02.17 16:07:48 | 000,005,632 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2005.02.11 21:46:22 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005.01.07 17:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004.08.03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004.07.17 10:36:38 | 000,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2002.09.09 19:54:06 | 000,016,269 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ASNDIS5.sys -- (ASNDIS5)
DRV - [2001.08.23 12:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001.08.17 13:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-507921405-861567501-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-507921405-861567501-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
IE - HKU\S-1-5-21-507921405-861567501-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-507921405-861567501-725345543-1003\S-1-5-21-507921405-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\eset1\Mozilla Thunderbird [2010.01.29 22:08:04 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2001.08.23 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [egui] C:\Program Files\eset1\egui.exe (ESET)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe ()
O4 - HKU\.DEFAULT..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-861567501-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll ()
O12 - Plugin for: .pdf - C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll (Adobe Systems Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.108.125.2 193.87.52.5
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-507921405-861567501-725345543-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Jan Kuzma\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jan Kuzma\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.10.17 03:01:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{64729abc-f035-11dc-9208-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\AutoRun\command - "" = y82td3td.com
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\explore\Command - "" = y82td3td.com
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\open\Command - "" = y82td3td.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\AutoRun\command - "" = b.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\explore\Command - "" = b.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\open\Command - "" = b.com
O33 - MountPoints2\{d443ff90-e241-11dc-91f0-0018f3b793ce}\Shell - "" = AutoRun
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006.10.17 02:49:10 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (55172488459452416)

========== Files/Folders - Created Within 7 Days ==========

[2010.01.31 13:52:09 | 000,000,000 | ---D | C] -- C:\Avenger
[2010.01.31 13:48:34 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jan Kuzma\Desktop\OTL.exe
[2010.01.30 22:05:07 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010.01.30 20:57:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.01.30 20:55:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.01.30 17:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan Kuzma\My Documents\ASUSTek
[2010.01.30 16:47:30 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010.01.30 16:47:29 | 000,000,000 | ---D | C] -- C:\rsit
[2010.01.29 23:48:55 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010.01.29 23:33:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jan Kuzma\Recent
[2010.01.29 22:34:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Windows Genuine Advantage
[2010.01.29 22:30:32 | 000,000,000 | -HSD | C] -- C:\FOUND.002
[2010.01.29 22:25:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010.01.29 22:22:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2010.01.29 22:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010.01.29 22:11:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan Kuzma\Application Data\ESET
[2010.01.29 22:07:57 | 000,000,000 | ---D | C] -- C:\Program Files\eset1
[2010.01.29 19:47:15 | 000,453,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2010.01.29 19:47:00 | 000,351,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp3res.dll
[2010.01.29 19:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan Kuzma\Desktop\Tino
[2010.01.29 19:01:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan Kuzma\Application Data\GlarySoft
[2010.01.29 18:59:34 | 002,117,576 | ---- | C] (GlarySoft.com ) -- C:\Documents and Settings\Jan Kuzma\Desktop\uninstallersetup.exe
[2010.01.29 18:32:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2010.01.29 17:42:28 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010.01.29 17:42:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2010.01.29 14:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010.01.29 14:27:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010.01.29 14:18:07 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010.01.29 13:23:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 7 Days ==========

[2010.01.31 13:52:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.01.31 13:52:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.01.31 13:51:12 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\ntuser.dat
[2010.01.31 13:51:12 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jan Kuzma\ntuser.ini
[2010.01.31 13:43:36 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan Kuzma\Desktop\OTL.exe
[2010.01.31 13:42:12 | 000,731,136 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\avenger.exe
[2010.01.30 22:01:04 | 000,000,242 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010.01.30 20:49:06 | 003,840,721 | R--- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\ComboFix.exe
[2010.01.30 19:49:22 | 000,007,244 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\My Documents\gmer.rtf
[2010.01.30 19:00:22 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\dds.scr
[2010.01.30 17:50:40 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.01.30 17:35:06 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.01.30 11:20:12 | 000,781,909 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\RSIT.exe
[2010.01.30 10:19:52 | 004,845,976 | -H-- | M] () -- C:\Documents and Settings\Jan Kuzma\Local Settings\Application Data\IconCache.db
[2010.01.29 23:41:04 | 000,000,292 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\Odkaz na HijackThis.lnk
[2010.01.29 23:36:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.01.29 23:16:12 | 000,000,502 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\Opera.lnk
[2010.01.29 22:30:40 | 000,119,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.01.29 22:25:38 | 000,000,282 | ---- | M] () -- C:\WINDOWS\System32\drivers\honmuzaz.dat
[2010.01.29 22:25:38 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010.01.29 19:43:04 | 000,002,621 | ---- | M] () -- C:\WINDOWS\System32\config.nt
[2010.01.29 19:00:56 | 002,117,576 | ---- | M] (GlarySoft.com ) -- C:\Documents and Settings\Jan Kuzma\Desktop\uninstallersetup.exe
[2010.01.29 18:42:16 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.01.29 18:42:16 | 000,311,938 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.01.29 18:42:16 | 000,040,326 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.01.29 18:24:24 | 000,000,547 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010.01.29 18:01:20 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010.01.29 15:11:06 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2010.01.29 14:04:14 | 040,244,536 | ---- | M] () -- C:\Documents and Settings\Jan Kuzma\Desktop\setup_av_free_eng.exe
[2010.01.26 21:06:28 | 000,002,283 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.01.31 13:48:16 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\avenger.exe
[2010.01.30 20:54:39 | 003,840,721 | R--- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\ComboFix.exe
[2010.01.30 19:49:20 | 000,007,244 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\My Documents\gmer.rtf
[2010.01.30 19:42:22 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\gmer.exe
[2010.01.30 19:32:16 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\dds.scr
[2010.01.30 16:47:18 | 000,781,909 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\RSIT.exe
[2010.01.29 23:41:02 | 000,000,292 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\Odkaz na HijackThis.lnk
[2010.01.29 23:16:11 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\Opera.lnk
[2010.01.29 22:25:37 | 000,000,282 | ---- | C] () -- C:\WINDOWS\System32\drivers\honmuzaz.dat
[2010.01.29 22:25:37 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010.01.29 18:24:22 | 000,000,547 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010.01.29 18:01:18 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010.01.29 14:30:01 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2010.01.29 14:14:13 | 040,244,536 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Desktop\setup_av_free_eng.exe
[2009.09.17 19:05:37 | 000,286,720 | RHS- | C] () -- C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll
[2009.03.02 17:02:44 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1018.dll
[2009.03.02 15:07:48 | 000,009,354 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2009.02.04 17:41:42 | 000,000,405 | ---- | C] () -- C:\WINDOWS\System32\ANGELDOS.SYS
[2008.11.20 15:12:00 | 000,668,166 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Application Data\NMM-MetaData.db
[2008.06.11 16:10:01 | 000,000,699 | ---- | C] () -- C:\WINDOWS\WEBTRAN4.INI
[2008.02.23 19:58:04 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2008.02.23 19:47:22 | 000,000,714 | ---- | C] () -- C:\WINDOWS\m3jpeg.ini
[2008.02.23 19:30:40 | 000,002,214 | ---- | C] () -- C:\WINDOWS\WDICT32.INI
[2008.02.23 19:29:24 | 000,005,018 | ---- | C] () -- C:\WINDOWS\WTRAN32.INI
[2008.02.23 19:26:16 | 000,000,095 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2008.02.23 19:23:04 | 000,000,612 | ---- | C] () -- C:\WINDOWS\WINCMD.INI
[2008.02.23 19:08:06 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.02.23 19:08:05 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Jan Kuzma\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.02.23 19:00:04 | 000,014,848 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynSam.sys
[2008.02.23 19:00:04 | 000,008,064 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynScan.sys
[2008.02.23 19:00:00 | 000,498,688 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynPin.sys
[2008.02.23 19:00:00 | 000,030,592 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynCamd.sys
[2008.02.23 18:59:59 | 001,056,512 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynMini.sys
[2008.02.23 18:56:17 | 000,005,632 | R--- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
[2008.02.23 18:53:39 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008.02.23 18:52:27 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56spn.dll
[2008.02.23 18:52:27 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56itl.dll
[2008.02.23 18:52:27 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56eng.dll
[2008.02.23 18:52:27 | 000,069,632 | R--- | C] () -- C:\WINDOWS\sm56brz.dll
[2008.02.23 18:52:27 | 000,061,440 | R--- | C] () -- C:\WINDOWS\sm56ger.dll
[2008.02.23 18:52:27 | 000,061,440 | R--- | C] () -- C:\WINDOWS\sm56fra.dll
[2008.02.23 18:52:27 | 000,053,248 | R--- | C] () -- C:\WINDOWS\sm56jpn.dll
[2008.02.23 18:52:27 | 000,049,152 | R--- | C] () -- C:\WINDOWS\sm56cht.dll
[2008.02.23 18:52:27 | 000,049,152 | R--- | C] () -- C:\WINDOWS\sm56chs.dll
[2008.02.23 18:48:10 | 000,007,424 | R--- | C] () -- C:\WINDOWS\System32\drivers\MMIOPORT.SYS
[2008.02.23 18:44:49 | 000,000,384 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007.03.29 22:00:40 | 000,203,264 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2005.10.14 11:56:50 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005.10.14 11:56:50 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004.08.03 23:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004.07.17 10:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2002.11.06 11:16:26 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\angel32.dll
[2002.01.20 13:26:36 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\SimpleResize.dll

========== LOP Check ==========

[2008.11.20 15:03:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations
[2008.11.20 15:07:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite
[2009.04.29 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
[2009.09.18 09:36:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
[2010.01.29 14:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2008.11.20 15:06:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\PC Suite
[2008.11.20 15:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\Nokia
[2008.11.23 17:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\Nokia Multimedia Player
[2009.09.18 07:25:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\Opera
[2010.01.29 19:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\GlarySoft
[2010.01.29 22:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan Kuzma\Application Data\ESET
[2010.01.30 22:01:04 | 000,000,242 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004.08.04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008.04.13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004.08.04 00:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008.04.13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004.08.03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008.04.14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004.08.04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004.08.03 23:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008.04.14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009.02.06 19:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009.02.06 19:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2009.02.06 19:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e\sp2qfe\netlogon.dll
[2009.02.06 19:46:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp2qfe\netlogon.dll
[2004.08.04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004.08.03 23:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004.08.04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004.08.03 23:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008.04.14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >

3.
OTL Extras logfile created on: 31.01.2010 13:56:37 - Run 1
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Jan Kuzma\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000041B | Country: Slovakia | Language: SKY | Date Format: dd.MM.yyyy

383,00 Mb Total Physical Memory | 76,00 Mb Available Physical Memory | 20,00% Memory free
921,00 Mb Paging File | 633,00 Mb Available in Paging File | 69,00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,51 Gb Total Space | 16,87 Gb Free Space | 22,64% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 983,47 Mb Total Space | 70,20 Mb Free Space | 7,14% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JAN-2BCD3090F0D
Current User Name: Jan Kuzma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Jan Kuzma\jgshv.exe" = C:\Documents and Settings\Jan Kuzma\jgshv.exe:*:Enabled:ENABLE -- File not found
"C:\WINDOWS\system32\bufxh.exe" = C:\WINDOWS\system32\bufxh.exe:*:Enabled:ENABLE -- File not found
"C:\WINDOWS\system32\bufxh .exe" = C:\WINDOWS\system32\bufxh .exe:*:Enabled:ENABLE -- File not found
"C:\WINDOWS\System32\ifq.exe" = C:\WINDOWS\System32\ifq.exe:*:Enabled:ENABLE -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe" = C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe:*:Enabled:ENABLE -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}" = Nokia Connectivity Cable Driver
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{17E2F183-BAC4-4D01-BD7A-59F781E17EFA}" = REALTEK PCIE NIC Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}" = LifeFrame2
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{2792F12C-3515-4D69-8083-B557AF35F06F}" = LightScribe 1.4.89.1
"{29466F9C-7C6A-419C-B301-F440FAF78760}" = Nokia PC Suite
"{296EB02D-B675-4336-992F-99CD14666C63}" = ALFA 14.53.00
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = ASUSDVD
"{71FF9607-1710-45D6-95AD-D4A27272DAD3}" = ASUS World Clock
"{83F73CB1-7705-49D1-9852-84D839CA2A45}" = Wireless Console 2
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8F722FA9-B994-4C9B-B292-FD32D6206EDF}" = ASUS WLAN Card Utilities/Driver
"{90437E5F-0A9E-4B63-AD8B-D232897D18BF}" = ATI Parental Control & Encoder
"{92110405-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet NIC Driver
"{B4CF72FF-4A3F-44A7-BFF2-31A8E1CC70B6}" = Application Compatibility Toolkit
"{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}" = PC Connectivity Solution
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3E2505F-AA57-476B-9F67-F8C5E3938080}" = ESET Smart Security
"{F8CCEF4F-6EEF-4B81-B70D-821E72451D93}" = Opera 9.61
"6A630DCEC5EEC912115F2FF59D8C2C769798D930" = Windows Driver Package - Nokia Modem (10/12/2007 3.6)
"819D45A9F73817F5B6D7C71A33ADAB88C5DA1765" = Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"doPDF 6 printer_is1" = doPDF 6.2 printer
"HControl" = ATK0100 ACPI UTILITY
"HijackThis" = HijackThis 1.99.1
"HP OrderReminder" = HP OrderReminder
"hp print screen utility" = hp print screen utility
"HP-LaserJet 1018" = LaserJet 1018
"IrfanView" = IrfanView (remove only)
"Mobile Partner" = Mobile Partner
"MRP NetAgent" = MRP Aktualizačný manažér
"MRP Zaklad" = MRP Základ vizuálneho systému
"MV2Player" = MV2Player (remove only)
"NeroMultiInstaller!UninstallKey" = Nero Suite
"Nokia PC Suite" = Nokia PC Suite
"SMSERIAL" = Motorola SM56 Data Fax Modem
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The KMPlayer" = The KMPlayer (remove only)
"USB2.0 1.3M WebCam" = USB2.0 1.3M WebCam
"Winamp" = Winamp (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20.01.2010 10:12:55 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11406
Description = Product: ESET NOD32 Antivirus -- Error 1406. Could not write value
Params to key \Software\ESET\ESET Security\CurrentVersion\Scheduler\4. System
error . Verify that you have sufficient access to that key, or contact your support
personnel.

Error - 20.01.2010 10:12:55 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11406
Description = Product: ESET NOD32 Antivirus -- Error 1406. Could not write value
Flags to key \Software\ESET\ESET Security\CurrentVersion\Scheduler\4. System error
. Verify that you have sufficient access to that key, or contact your support
personnel.

Error - 20.01.2010 10:13:00 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11406
Description = Product: ESET NOD32 Antivirus -- Error 1406. Could not write value
StartFailSettings to key \Software\ESET\ESET Security\CurrentVersion\Scheduler\4.
System error . Verify that you have sufficient access to that key, or contact
your support personnel.

Error - 20.01.2010 10:16:28 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Product: ESET NOD32 Antivirus -- Error 1404. Could not delete key
\Software\ESET\ESET Security\CurrentVersion\Plugins\01000103\Profiles\@My profile.
System error . Verify that you have sufficient access to that key, or contact
your support personnel.

Error - 20.01.2010 10:16:28 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Product: ESET NOD32 Antivirus -- Error 1404. Could not delete key
\Software\ESET\ESET Security. System error . Verify that you have sufficient access
to that key, or contact your support personnel.

Error - 21.01.2010 10:15:48 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Produkt: ESET NOD32 Antivirus -- Chyba 1404. Nie je možné odstrániť
kľúč: \Software\ESET\ESET Security\CurrentVersion\Plugins\01000103\Profiles\@My
profile. Systémová chyba . Presvedčte sa, či máte ku kľúču dostatočný prístup,
alebo sa obráťte na pracovníkov odbornej pomoci.

Error - 21.01.2010 10:15:49 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Produkt: ESET NOD32 Antivirus -- Chyba 1404. Nie je možné odstrániť
kľúč: \Software\ESET\ESET Security\CurrentVersion\Plugins\01000103\Profiles\@My
profile. Systémová chyba . Presvedčte sa, či máte ku kľúču dostatočný prístup,
alebo sa obráťte na pracovníkov odbornej pomoci.

Error - 21.01.2010 10:15:50 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Produkt: ESET NOD32 Antivirus -- Chyba 1404. Nie je možné odstrániť
kľúč: \Software\ESET\ESET Security\CurrentVersion\Plugins\01000103\Profiles\@My
profile. Systémová chyba . Presvedčte sa, či máte ku kľúču dostatočný prístup,
alebo sa obráťte na pracovníkov odbornej pomoci.

Error - 21.01.2010 10:15:50 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Produkt: ESET NOD32 Antivirus -- Chyba 1404. Nie je možné odstrániť
kľúč: \Software\ESET\ESET Security. Systémová chyba . Presvedčte sa, či máte ku
kľúču dostatočný prístup, alebo sa obráťte na pracovníkov odbornej pomoci.

Error - 29.01.2010 7:33:41 | Computer Name = JAN-2BCD3090F0D | Source = MsiInstaller | ID = 11404
Description = Product: ESET Smart Security -- Error 1404. Could not delete key \Software\ESET\ESET
Security. System error . Verify that you have sufficient access to that key,
or contact your support personnel.

[ System Events ]
Error - 29.01.2010 17:32:05 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference
error message: Operácia sa úspešne dokončila. .

Error - 29.01.2010 17:32:07 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was Zostava určená odkazom nie je v počítači nainštalovaná.

Error - 29.01.2010 17:32:07 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: Zostava určená odkazom nie je v počítači nainštalovaná. .

Error - 29.01.2010 17:32:07 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference
error message: Operácia sa úspešne dokončila. .

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was Zostava určená odkazom nie je v počítači nainštalovaná.

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: Zostava určená odkazom nie je v počítači nainštalovaná. .

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference
error message: Operácia sa úspešne dokončila. .

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was Zostava určená odkazom nie je v počítači nainštalovaná.

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: Zostava určená odkazom nie je v počítači nainštalovaná. .

Error - 29.01.2010 17:32:08 | Computer Name = JAN-2BCD3090F0D | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference
error message: Operácia sa úspešne dokončila. .

< End of report >

pitimir · #9 Příspěvek od **pitimir** » 31 led 2010 15:41

Tolko bordelu, to je az krasa...rootkit, zrejme Virtumonde, patchnute systemove subory, smejd aj v LSP, zasrate flasky a USB kluce (mimochodom, vsetky pouzivane rovno nastrkaj do PC, vycistime ich) a deravy firewall...proste nadhera

1) Stiahni USBFix. Ukonci vsetky spustene veci a spust program. Vyber jazyk - v pripade anglictiny stlac E -> Enter. Dostanes do dalsieho menu. V nom stlac 2 -> Enter. Zacne sa scan, nezasahuj donho. Mozny je restart PC. Vytvoreny log najdes na "C:\UsbFix.txt", vloz ho sem.

2) Stiahni SystemLook. Uloz na plochu a spust. Do okna skopiruj:

Kód: Vybrat vše

:filefind
gasfkyakdmecdp.sys

:regfind
gasfkyakdmecdp.sys

Klikni na "Look" a nechaj program dokoncit scan. Po jeho skonceni sa ti zobrazi log, ktory potrebujem vidiet. V pripade problemov sa nachadza aj na ploche.

3) Skopiruj v OTL do policka pod nazvom "Custom Scans/Fixes":

Kód: Vybrat vše

:otl
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\ShellBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-861567501-725345543-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O33 - MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{64729abc-f035-11dc-9208-0018f3b793ce}\Shell - "" = AutoRun
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\AutoRun\command - "" = y82td3td.com
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\explore\Command - "" = y82td3td.com
O33 - MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\open\Command - "" = y82td3td.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\AutoRun\command - "" = b.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\explore\Command - "" = b.com
O33 - MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\open\Command - "" = b.com
O33 - MountPoints2\{d443ff90-e241-11dc-91f0-0018f3b793ce}\Shell - "" = AutoRun

:files
C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll /lsp
C:\Program Files\Skype\Toolbars
C:\Program Files\Ask.com
C:\!KillBox
C:\FOUND.002
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
C:\Documents and Settings\Jan Kuzma\jgshv.exe
C:\WINDOWS\system32\bufxh.exe
C:\WINDOWS\system32\bufxh .exe
C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe

:commands
[emptytemp]
[reboot]

Klikni na "Run Fix". Program zacne pracovat, mozny je restart PC. Po nom by sa ti mal objavit log, ten by som rad videl.

4) Znova skusime ComboFix...tentokrat ale inak:
Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.

Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!

Tino009 · #10 Příspěvek od **Tino009** » 31 led 2010 19:52

) ... hej je dosť v zlom stave .... tak som spravil tie logy ... dufam že v poho...
1. usbfix

############################## | UsbFix V6.083 |

User : Jan Kuzma (Administrators) # JAN-2BCD3090F0D
Update on 30/01/2010 by El Desaparecido , C_XX & Chimay8
Start at: 19:03:48 | 31.01.2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com

Intel(R) Celeron(R) M CPU 440 @ 1.86GHz
Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Disabled
AV : Kaspersky Internet Security 6.0 6.0.0.300 [ (!) Disabled | Updated ]
AV : ESET Smart Security 4.0 4.0 [ Enabled | Updated ]
FW : ESET Personal firewall[ Enabled ]4.0.314.0

C:\ -> Local Fixed Disk # 74,51 Go (16,75 Go free) # FAT32
D:\ -> CD-ROM Disc
F:\ -> Removable Disk # 983,47 Mo (68,52 Mo free) [PKBACK# 001] # FAT

############################## | Active processes |

C:\WINDOWS\System32\smss.exe 1000
C:\WINDOWS\system32\csrss.exe 1120
C:\WINDOWS\system32\winlogon.exe 1148
C:\WINDOWS\system32\services.exe 1192
C:\WINDOWS\system32\lsass.exe 1204
C:\WINDOWS\system32\Ati2evxx.exe 1344
C:\WINDOWS\system32\svchost.exe 1356
C:\WINDOWS\system32\svchost.exe 1460
C:\WINDOWS\System32\svchost.exe 1532
C:\Program Files\Ahead\InCD\InCDsrv.exe 1560
C:\WINDOWS\system32\svchost.exe 1672
C:\WINDOWS\system32\svchost.exe 1828
C:\WINDOWS\system32\Ati2evxx.exe 2000
C:\WINDOWS\Explorer.EXE 440
C:\WINDOWS\system32\svchost.exe 252
C:\Program Files\eset1\ekrn.exe 292
C:\Program Files\Common Files\LightScribe\LSSrvc.exe 336
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 312
C:\WINDOWS\system32\svchost.exe 408
C:\WINDOWS\system32\wuauclt.exe 1304
C:\WINDOWS\system32\rundll32.exe 1968
C:\WINDOWS\system32\wbem\wmiprvse.exe 324
C:\WINDOWS\System32\alg.exe 1068
C:\WINDOWS\system32\wbem\wmiprvse.exe 1752

################## | Files # Infected Folders |

Deleted ! F:\log.txt

################## | Registry # Infected Keys |

################## | Registry # Mountpoints2 |

Deleted ! HKCU\...\Explorer\MountPoints2\{2f96a216-f12a-11dc-920a-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{2f96a217-f12a-11dc-920a-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{34114f96-eecb-11dc-9202-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{4f284114-63e1-11dd-927f-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{64729abc-f035-11dc-9208-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{918b79ce-e568-11dc-91f9-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{9bf9739a-ef98-11dc-9204-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{9e27a416-f5f1-11dc-9216-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{d443ff90-e241-11dc-91f0-0018f3b793ce}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{f199c1c2-3df1-11dd-926a-0018f3aabef8}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{f2f45780-8c98-11dd-9289-0018f3b793ce}\Shell\AutoRun\Command

################## | Listing of the present files |

[19.02.2003 16:28|--a------|37] C:\Store.LOG
[19.07.2006 21:46|-r-h-----|524288] C:\A6Rp.BIN
[06.06.2006 03:16|-r-------|11] C:\A6Rp.20
[27.06.2005 04:32|--a------|10] C:\NIS_ENG.LOG
[04.11.2004 08:57|--a------|14] C:\NERO.LOG
[21.09.2005 07:19|--a------|35] C:\ASUSDVD.LOG
[18.08.2004 13:00|-rahs----|4952] C:\Bootfont.bin
[19.11.2004 17:33|--a------|14] C:\XPHZ_SP2.CZH
[17.10.2006 03:01|--a------|0] C:\CONFIG.SYS
[17.10.2006 03:01|--a------|0] C:\AUTOEXEC.BAT
[17.10.2006 03:01|-rahs----|0] C:\IO.SYS
[17.10.2006 03:01|-rahs----|0] C:\MSDOS.SYS
[17.10.2006 03:19|--a------|499] C:\RHDSetup.log
[17.10.2006 03:22|--a------|86] C:\setup.log
[17.10.2006 03:36|--a------|9] C:\Finish.log
[17.10.2006 03:36|--a------|10563] C:\devlist.txt
[18.09.2009 07:54|--a------|170] C:\ASWL2K.ini
[23.02.2008 18:02|--ahs----|402051072] C:\hiberfil.sys
[?|?|?] C:\pagefile.sys
[31.01.2010 13:52|--a------|1942] C:\avenger.txt
[31.01.2010 19:04|--a------|4603] C:\UsbFix.txt
[03.08.2004 21:59|-rahs----|250032] C:\ntldr
[03.08.2004 21:38|-rahs----|47564] C:\NTDETECT.COM
[23.02.2008 18:21|---hs----|211] C:\boot.ini
[06.05.2009 06:07|--a------|30075904] F:\avira_antivir_personal_en.exe
[08.10.2009 07:39|--a------|36180480] F:\eav_nt32_sky.msi
[05.01.2010 12:32|--a------|34258992] F:\Free-Dwg-Viewer_6.3.0.16.exe
[21.01.2010 13:19|--a------|17418059] F:\SO+052.1.3.zip
[09.12.2009 09:32|--a------|22725] F:\CURRICULUM VITAE.docx
[29.01.2010 09:54|--a------|14998522] F:\Mš.pdf
[29.01.2010 10:26|--a------|207816] F:\MŠ-dvere.pdf
[29.01.2010 10:27|--a------|57994] F:\MŠ-dvere drevene.pdf
[29.01.2010 11:20|--a------|34724010] F:\ESET.Smart.Security.4.0.314-working updates-by-marsmela.zip
[22.01.2010 11:15|--a------|512000] F:\ESETUninstaller.exe
[17.08.2009 12:42|--a------|3278552] F:\ccsetup222.exe
[29.01.2010 14:04|--a------|40244536] F:\setup_av_free_eng.exe
[29.01.2010 14:08|--a------|16409960] F:\Spybot-Search-Destroy_1.6.2-0.exe
[29.01.2010 14:44|--a------|1906] F:\~ESETUninstaller.log
[29.01.2010 14:16|--a------|91338304] F:\Ad-AwareInstallation.exe
[29.01.2010 18:54|--a------|0] F:\EasyUninstaller6.1TrialVersion.exe
[29.01.2010 23:22|--a------|212849] F:\hijackthis.zip
[29.01.2010 23:10|--a------|92672] F:\KillBox.exe
[16.02.2005 11:06|--a------|218112] F:\HijackThis.exe
[29.01.2010 23:52|--a------|9843] F:\hijackthis.log
[30.01.2010 11:20|--a------|781909] F:\RSIT.exe
[30.01.2010 19:23|--a------|3072054] F:\untitled1.bmp
[30.01.2010 19:23|--a------|3072054] F:\untitled2.bmp

################## | Vaccination |

# C:\autorun.inf -> Folder created by UsbFix.
# F:\autorun.inf -> Folder created by UsbFix.

################## | Upload |

Please send the file : C:\UsbFix_Upload_Me_JAN-2BCD3090F0D.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution .

################## | ! End of report # UsbFix V6.083 ! |

2.
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:17 on 31/01/2010 by Jan Kuzma (Administrator - Elevation successful)

========== filefind ==========

Searching for "gasfkyakdmecdp.sys"
No files found.

========== regfind ==========

Searching for "gasfkyakdmecdp.sys"
No data found.

-=End Of File=-

3. OTL (trošku s problemom, musel som restartovať PC, log som našiel v C:/OTL
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\ deleted successfully.
C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-507921405-861567501-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-507921405-861567501-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-507921405-861567501-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41e4438e-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41e4438e-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41e4438e-c139-11de-9373-0018f3b793ce}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41e4438f-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41e4438f-c139-11de-9373-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41e4438f-c139-11de-9373-0018f3b793ce}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64729abc-f035-11dc-9208-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64729abc-f035-11dc-9208-0018f3b793ce}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
File y82td3td.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
File y82td3td.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{910f3af6-3d58-11dd-9266-0018f3b793ce}\ not found.
File y82td3td.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
File b.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
File b.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bbbdf3a8-3c56-11dd-9264-0018f3b793ce}\ not found.
File b.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d443ff90-e241-11dc-91f0-0018f3b793ce}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d443ff90-e241-11dc-91f0-0018f3b793ce}\ not found.
========== FILES ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
File C:\Documents and Settings\Jan Kuzma\Application Data\fajmwauuvmwo.dll not found.
C:\Program Files\Skype\Toolbars\Shared folder moved successfully.
C:\Program Files\Skype\Toolbars\Internet Explorer folder moved successfully.
C:\Program Files\Skype\Toolbars folder moved successfully.
C:\Program Files\Ask.com folder moved successfully.
C:\!KillBox\Logs folder moved successfully.
C:\!KillBox folder moved successfully.
C:\FOUND.002 folder moved successfully.
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\arpot\TEMP folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\arpot folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\fw folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\moved folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\chest folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\integ folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\report folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\log folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\backup folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\journal folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\HtmlData folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\sounds\1033 folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5\sounds folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software\Avast5 folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software folder moved successfully.
File\Folder C:\Documents and Settings\Jan Kuzma\jgshv.exe not found.
File\Folder C:\WINDOWS\system32\bufxh.exe not found.
File\Folder C:\WINDOWS\system32\bufxh .exe not found.
File\Folder C:\Documents and Settings\Jan Kuzma\cgtsuhs.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 9814266 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: user
->Temp folder emptied: 13902755 bytes
->Temporary Internet Files folder emptied: 107427800 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users.WINDOWS

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 31232 bytes
->Temporary Internet Files folder emptied: 95634 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8263802 bytes

User: Jan Kuzma
->Temp folder emptied: 451437364 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Opera cache emptied: 6631676 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 27608229 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 64402 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 599,00 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.1.27.1 log created on 01312010_192154

4. ComboFix

ComboFix 10-01-29.09 - Jan Kuzma 31.01.2010 19:35:34.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.383.96 [GMT 1:00]
Running from: c:\documents and settings\Jan Kuzma\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Kaspersky Internet Security 6.0 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jan Kuzma\secupdat.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\gasfkylbxrmukt.dat
c:\windows\system32\nerocheck .exe
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-31 18:21 . 2010-01-31 18:21 -------- d-----w- C:\_OTL
2010-01-31 18:04 . 2010-01-31 18:04 7368 ----a-w- C:\UsbFix_Upload_Me_JAN-2BCD3090F0D.zip
2010-01-31 17:56 . 2010-01-31 17:56 -------- d-----w- C:\UsbFix
2010-01-30 15:47 . 2010-01-30 15:47 -------- d-----w- c:\program files\trend micro
2010-01-30 15:47 . 2010-01-30 15:47 -------- d-----w- C:\rsit
2010-01-29 21:32 . 2010-01-29 21:32 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\ESET
2010-01-29 21:25 . 2010-01-29 21:25 282 ----a-w- c:\windows\system32\drivers\honmuzaz.dat
2010-01-29 21:25 . 2010-01-29 21:25 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-29 21:22 . 2010-01-29 21:22 -------- d-----w- c:\windows\ServicePackFiles
2010-01-29 21:21 . 2010-01-29 21:21 -------- d-----w- c:\program files\MSXML 4.0
2010-01-29 21:11 . 2010-01-29 21:11 -------- d-----w- c:\documents and settings\Jan Kuzma\Application Data\ESET
2010-01-29 21:07 . 2010-01-29 21:07 -------- d-----w- c:\program files\eset1
2010-01-29 18:47 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-29 18:01 . 2010-01-29 18:01 -------- d-----w- c:\documents and settings\Jan Kuzma\Application Data\GlarySoft
2010-01-29 17:32 . 2010-01-29 17:32 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-29 17:01 . 2010-01-29 17:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-29 16:42 . 2010-01-29 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-29 16:42 . 2010-01-29 16:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-01-29 13:27 . 2010-01-29 13:27 -------- d-----w- c:\program files\Alwil Software
2010-01-29 12:23 . 2010-01-29 12:23 -------- d-----w- c:\program files\CCleaner
2010-01-22 12:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-22 12:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-01-22 12:25 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-21 14:20 . 2010-01-22 10:26 96 ----a-w- c:\windows\rafazon.bat
2010-01-21 09:31 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-12 10:09 . 2009-08-04 13:58 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 10:09 . 2009-08-04 14:00 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 10:09 . 2009-08-04 13:13 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 10:09 . 2009-08-04 13:13 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 16:36 . 2004-08-03 22:56 470528 ----a-w- c:\windows\AppPatch\AcLayers.dll
.

Kód: Vybrat vše

<pre>
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\ASUSTeK\ASUSDVD\pdvdserv .exe
c:\program files\Ahead\InCD\incd .exe
c:\program files\Asus\WLAN Card Utilities\center .exe
c:\program files\Wireless Console 2\wcourier .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Nokia\Nokia PC Suite 6\pcsuite .exe
c:\program files\Hewlett-Packard\OrderReminder\orderreminder .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\windows\ATK0100\hcontrol .exe
</pre>

------- Sigcheck -------

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lsass.exe
[-] 2004-08-03 . 7471EEA1DFB2BAA638B79E9AFEE8C746 . 14848 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2004-08-03 . D9BC8BCF463A057E9EED66E3488E1D87 . 506368 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[-] 2004-08-03 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2004-08-03 . 6B06B770BADD3BA36DA67304FF587CE2 . 1034240 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2008-04-14 00:12 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mspmsnsv.dll
[-] 2003-02-01 11:09 . 9E1381B2DE2A23F8E4C22E814D55F475 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2003-02-01 11:09 . 9E1381B2DE2A23F8E4C22E814D55F475 . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 16206848]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"egui"="c:\program files\eset1\egui.exe" [2009-02-06 2021400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06.02.2009 14:23 106208]
R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [04.02.2009 17:41 51072]
R2 ekrn;ESET Service;c:\program files\eset1\ekrn.exe [06.02.2009 14:23 727720]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [23.02.2008 18:59 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [23.02.2008 19:00 8064]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
AddRemove-HijackThis - E:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-31 19:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-31 19:41:12
ComboFix-quarantined-files.txt 2010-01-31 18:41

Pre-Run: 18 487 541 760 bytes free
Post-Run: 18 449 170 432 bytes free

- - End Of File - - 0B1133CA973FFAE65DF46E10943D6D1A

pitimir · #11 Příspěvek od **pitimir** » 01 úno 2010 16:09

Ahoj, takze najhorsie obavy sa potvrdili...skusime najprv vyliecit Virtumonde a potom nahradit patchnute systemove subory (a samozrejme dosadit chybajuce). Mas instalacne CD?

1) Menom autorov USBFixu ta prosim, aby si subor C:\UsbFix_Upload_Me_JAN-2BCD3090F0D.zip uploadol na >>tuto<< stranku. Vdaka.

2) Presun ikonu CF na plochu, vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall a otvor poznamkovy blok. Donho skopiruj:

Kód: Vybrat vše

KillAll::
SecCenter::
{2C4D4BC6-0793-4956-A9F9-E252435469C0}

Folder::
c:\program files\Alwil Software

File::
c:\windows\system32\drivers\honmuzaz.dat

Rootkit::
c:\windows\system32\drivers\avgntflt.sys

Driver::
avgntflt

RenV::
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\ASUSTeK\ASUSDVD\pdvdserv .exe
c:\program files\Ahead\InCD\incd .exe
c:\program files\Asus\WLAN Card Utilities\center .exe
c:\program files\Wireless Console 2\wcourier .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Nokia\Nokia PC Suite 6\pcsuite .exe
c:\program files\Hewlett-Packard\OrderReminder\orderreminder .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\windows\ATK0100\hcontrol .exe

SRPeek::
c:\windows\system32\lsass.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\mspmsnsv.dll

MIA::
c:\windows\System32\spoolsv.exe

Uloz na plochu ako CFScript.txt a mysou pretiahni nad ikonou CF.

Obrázek

Program script spracuje a spravi novy log.

Pozor: Ak po aplikacii skriptu nenabehne Windows, restartuj PC, stlac F8 a zvol Poslednu znamu funkcnu konfiguraciu.

3) Otestuj subor(y) na >>VIRUSTOTALe<<:

Kód: Vybrat vše

c:\windows\system32\lsass.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe

Ak vypise, ze subor uz bol testovany, daj ho otestovat znovu. Vysledok posli ako LINK.

Tino009 · #12 Příspěvek od **Tino009** » 01 úno 2010 20:10

Ahoj, tak som to dal do CF jak si vravel, pripajam log, len ten test na Virustotal mi nejak nevyšiel, neviem či je to pripojením na net ale nejak dlho načitava a potom vypíše chybu ... inštalačne CD nemám , mám len recovery DVD, neviem či to stačí.

CF log

ComboFix 10-02-01.01 - Jan Kuzma 01.02.2010 19:37:52.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.383.142 [GMT 1:00]
Running from: c:\documents and settings\Jan Kuzma\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jan Kuzma\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\windows\system32\drivers\honmuzaz.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Alwil Software
c:\windows\system32\drivers\honmuzaz.dat

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\System32\spoolsv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-02-01 18:16 . 2010-02-01 18:16 -------- d-----w- c:\windows\LastGood.Tmp
2010-01-31 18:21 . 2010-01-31 18:21 -------- d-----w- C:\_OTL
2010-01-31 18:04 . 2010-01-31 18:04 7368 ----a-w- C:\UsbFix_Upload_Me_JAN-2BCD3090F0D.zip
2010-01-31 17:56 . 2010-01-31 17:56 -------- d-----w- C:\UsbFix
2010-01-30 15:47 . 2010-01-30 15:47 -------- d-----w- c:\program files\trend micro
2010-01-30 15:47 . 2010-01-30 15:47 -------- d-----w- C:\rsit
2010-01-29 21:32 . 2010-01-29 21:32 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\ESET
2010-01-29 21:25 . 2010-01-29 21:25 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-29 21:22 . 2010-01-29 21:22 -------- d-----w- c:\windows\ServicePackFiles
2010-01-29 21:21 . 2010-01-29 21:21 -------- d-----w- c:\program files\MSXML 4.0
2010-01-29 21:11 . 2010-01-29 21:11 -------- d-----w- c:\documents and settings\Jan Kuzma\Application Data\ESET
2010-01-29 21:07 . 2010-01-29 21:07 -------- d-----w- c:\program files\eset1
2010-01-29 18:47 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-29 18:01 . 2010-01-29 18:01 -------- d-----w- c:\documents and settings\Jan Kuzma\Application Data\GlarySoft
2010-01-29 17:32 . 2010-01-29 17:32 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-29 17:01 . 2010-01-29 17:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-29 16:42 . 2010-01-29 16:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-29 16:42 . 2010-01-29 16:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-01-29 12:23 . 2010-01-29 12:23 -------- d-----w- c:\program files\CCleaner
2010-01-22 12:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-22 12:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-01-22 12:25 . 2009-02-06 17:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-21 14:20 . 2010-01-22 10:26 96 ----a-w- c:\windows\rafazon.bat
2010-01-21 09:31 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-12 10:09 . 2009-08-04 13:58 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 10:09 . 2009-08-04 14:00 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 10:09 . 2009-08-04 13:13 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 10:09 . 2009-08-04 13:13 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 16:36 . 2004-08-03 22:56 470528 ----a-w- c:\windows\AppPatch\AcLayers.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[-] 6B06B770BADD3BA36DA67304FF587CE2 1034240 c:\windows\explorer.exe
[-] 52994178288D592AA073260B283F4DB7 1034752 \RP137\A0020237.EXE

[-] 9491C2135C30B82BB1A6ACF928063A59 16896 c:\windows\System32\svchost.exe
[-] 44F67D9A424D28EE2AE68400056A19F9 17408 \RP141\A0020477.EXE
.
------- Sigcheck -------

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lsass.exe
[-] 2004-08-03 22:56 . !HASH: COULD NOT OPEN FILE !!!!! . 14848 . . [------] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2004-08-03 22:56 . !HASH: COULD NOT OPEN FILE !!!!! . 506368 . . [------] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[-] 2004-08-03 . 9491C2135C30B82BB1A6ACF928063A59 . 16896 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2004-08-03 . 6B06B770BADD3BA36DA67304FF587CE2 . 1034240 . . [6.00.2900.2180] . . c:\windows\explorer.exe

[-] 2008-04-14 00:12 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\mspmsnsv.dll
[-] 2003-02-01 11:09 . 9E1381B2DE2A23F8E4C22E814D55F475 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2003-02-01 11:09 . 9E1381B2DE2A23F8E4C22E814D55F475 . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll

c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-01-31_18.39.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-23 17:56 . 2006-02-23 04:40 106496 c:\windows\ATK0100\hcontrol.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 16206848]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"egui"="c:\program files\eset1\egui.exe" [2009-02-06 2021400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06.02.2009 14:23 106208]
R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [04.02.2009 17:41 51072]
R2 ekrn;ESET Service;c:\program files\eset1\ekrn.exe [06.02.2009 14:23 727720]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [23.02.2008 18:59 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [23.02.2008 19:00 8064]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 19:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1148)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(364)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\sm56hlpr.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Completion time: 2010-02-01 19:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-01 18:56
ComboFix2.txt 2010-01-31 18:41

Pre-Run: 18 337 202 176 bytes free
Post-Run: 18 297 749 504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 755A512FB155D700750F45D78B5BEA09

pitimir · #13 Příspěvek od **pitimir** » 03 úno 2010 17:27

Pardon za oneskorenu reakciu, nejak som tento thread vcera prehliadol

Tak tu vidim problem, bez instalacneho CD sa nemame kam pohnut, system ledva bezi. Nemas moznost si ho pozicat?

Tino009 · #14 Příspěvek od **Tino009** » 03 úno 2010 17:46

zdravim..nevadi, ja som včera bol tiež na služobke tak v pohode.... no myslím že si viem od niekoho zaobstarať inštalačné CD, takže ak to dobre chápem postačí akékoľvek inštalačné CD XP Profesionál?

pitimir · #15 Příspěvek od **pitimir** » 03 úno 2010 18:00

Postaci

VIRY.CZ

Vírus winlogon.exe

Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe

Re: Vírus winlogon.exe