Infected svchost.exe + Solved

Section devoted to viruses and other malicious code, but also to the tools that can be used to defend against them…

Moderators: Mods_senior, Security team


Infected svchost.exe +

Post by raZeR » 07 Oct 2010 21:07

Hi, I often read about how often people have an infected svchost.exe, so today I was bored and found 4 svchosts on C:, ran them through VT, and this is what I found with two of them... : (this isn't the full listing)

eSafe 7.0.17.0 2010.10.07 Win32.TrojanHorse :evil:

I ran the PC through MBAM and it found 1 infected svchost, so I had it deleted, but the problem persists. I ran it through Avast, CCleaner, MBAM and Spybot, but it's still the same, so it occurred to me that if there's no other solution, whether svchost.exe can somehow be reset... by inserting the W7 disc, booting from it and somehow repairing it..?? Thanks in advance for any advice, and here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:03:44, on 7.10.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Avast 5 IS\AvastUI.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Users\Majkl\Desktop\Programy\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [avast5] "C:\Program Files (x86)\Avast 5 IS\avastUI.exe" /nogui
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Microsoft Office\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe
O23 - Service: avast! Firewall - ALWIL Software - C:\Program Files (x86)\Avast 5 IS\afwServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Služba Windows Media Player Network Sharing (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6520 bytes
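A small triage script for the HijackThis O4 and O23 lines in the log above, added here as an example (it is not part of the thread or of HijackThis): it pulls the executable path out of each autostart entry, flags svchost.exe copies outside System32/SysWOW64/WinSxS and programs started from user-writable locations, and treats "(file missing)" on 64-bit Windows as the known 32-bit HijackThis artifact rather than as evidence. The sample log is constructed from lines in the post plus one made-up svchost Run entry; the trusted-directory list is an assumption for a default Windows 7 x64 install.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Where Windows itself keeps svchost.exe on a 64-bit Windows 7 install (assumption:
# default install on C:).  A copy anywhere else needs a hash/signature check.
SVCHOST_HOMES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Directories the OS and normally installed software start from.  An autostart
# pointing elsewhere (user profile, C:\Cache, drive root...) is not proof of
# infection, only a reason to look at the file's hash and digital signature.
TRUSTED_ROOTS = SVCHOST_HOMES + (r"c:\program files", r"c:\progra~1", r"c:\progra~2")

# The few environment variables HijackThis prints unexpanded.
ENV_VARS = {"%programfiles%": r"c:\program files", "%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}

_O4_LINE = re.compile(r"^O4\s+-\s+\S+:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
_O23_LINE = re.compile(r"^O23\s+-\s+Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<cmd>.+)$")
_ANNOTATION = re.compile(r"\s*\((?:file missing|User [^)]*)\)\s*$", re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand the variables HijackThis leaves in paths."""
    p = path.strip().strip('"').lower()
    for var, value in ENV_VARS.items():
        p = p.replace(var, value)
    return p


def svchost_location_is_expected(path: str) -> bool:
    """True only for the genuine homes of svchost.exe."""
    p = normalize(path)
    return p.endswith("\\svchost.exe") and any(p.startswith(h) for h in SVCHOST_HOMES)


def _exe_from_cmd(cmd: str) -> Tuple[str, bool]:
    """Return (executable path, reported-missing) from a HijackThis command field."""
    missing = cmd.strip().lower().endswith("(file missing)")
    cmd = _ANNOTATION.sub("", cmd.strip())
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1), missing
    # Unquoted: the path ends at the first .exe/.scr/.com/.dll followed by a switch or end of line.
    unquoted = re.match(r"(.+?\.(?:exe|scr|com|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return (unquoted.group(1) if unquoted else cmd), missing


@dataclass
class AutostartEntry:
    section: str            # "O4" (Run key) or "O23" (service)
    name: str               # value name or service display name
    exe: str                # executable path as written in the log
    suspicious: bool        # location-based flag; still needs a hash/signature check
    notes: List[str] = field(default_factory=list)


def _assess(section: str, name: str, cmd: str, owner: Optional[str] = None) -> AutostartEntry:
    exe, missing = _exe_from_cmd(cmd)
    p = normalize(exe)
    notes: List[str] = []
    suspicious = False
    if p.endswith("\\svchost.exe") and not any(p.startswith(h) for h in SVCHOST_HOMES):
        suspicious = True
        notes.append("svchost.exe outside System32/SysWOW64/WinSxS")
    elif not any(p.startswith(r) for r in TRUSTED_ROOTS):
        suspicious = True
        notes.append("runs from a user-writable or unusual location: check hash and signature")
    if owner is not None and owner.lower() == "unknown owner":
        if missing:
            # HijackThis 2.0.4 is a 32-bit program; on 64-bit Windows file-system
            # redirection hides native System32 files from it, so '(file missing)'
            # on Microsoft services is usually this artifact, not a deleted file.
            notes.append("reported '(file missing)': 32-bit HijackThis cannot see native "
                         "64-bit System32 files, verify the file by hand")
        else:
            notes.append("no publisher recorded: check the file's digital signature")
    return AutostartEntry(section, name, exe, suspicious, notes)


def triage_hjt_log(text: str) -> List[AutostartEntry]:
    """Parse O4 and O23 lines of a HijackThis log into assessed autostart entries."""
    entries: List[AutostartEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = _O4_LINE.match(line)
        if m:
            entries.append(_assess("O4", m.group("name"), m.group("cmd")))
            continue
        m = _O23_LINE.match(line)
        if m:
            entries.append(_assess("O23", m.group("name"), m.group("cmd"), m.group("owner")))
    return entries


def suspicious_names(text: str) -> List[str]:
    return [e.name for e in triage_hjt_log(text) if e.suspicious]


# Constructed sample: lines taken from the log above plus one made-up svchost Run entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] "C:\Program Files (x86)\Avast 5 IS\avastUI.exe" /nogui
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKCU\..\Run: [uTorrent] "C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [svchost] C:\Users\Majkl\AppData\Roaming\svchost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe
"""

if __name__ == "__main__":
    for e in triage_hjt_log(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.exe} -> {'SUSPICIOUS' if e.suspicious else 'ok'}; " + "; ".join(e.notes))
```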


Re: Infected svchost.exe

Post by memphisto » 07 Oct 2010 21:28

Uninstall Spybot, you already have AVAST.

Fix these in the log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
Download OTL
to your desktop. Make sure all other windows are closed and double-click the OTL icon. At the top of the window under Output click Minimal Output. Under Standard Registry change to All. Check the LOP check and Purity check boxes. Click Run Scan. Leave all other settings as they are. The scan may take a long time; when it finishes, two logs will open:
OTL.Txt
Extras.Txt

They are saved in the same place as OTL. Please paste both logs here.
PC-HELP.CZ RULES, HijackThis section RULES, HijackThis guide, Memtest, CCleaner
Please do not send HijackThis logs via PM; post them in the appropriate section. Thank you


Re: Infected svchost.exe +

Post by raZeR » 07 Oct 2010 21:46

So I fixed it in HJT, and I set up OTL exactly as you wrote, but all I got was OTL.txt three times. Should I try it again?? Or post it here??

jaro3
member of the Security team

Re: Infected svchost.exe +

Post by jaro3 » 07 Oct 2010 21:55

Before that, also do this:

Turn off your resident protection and the firewall.
Download Dr. Web CureIt
run the update, and after updating click start.
With the buttons at the bottom you can cure the file (system files), delete, move or rename it

then:
Download OTH
to your desktop (if you use Firefox, right-click the OTH link and choose Save as..).

Download OTL
to your desktop (if you use Firefox, right-click the OTL link and choose Save as..).

Download the file Scan.txt
to your desktop (if you use Firefox, right-click the OTL link and choose Save as..).

Double-click the OTH file on the desktop; once the program starts, click Kill All Processes. Then click Start OTL. Double-click in the empty box under Custom Scans/Fixes (Custom Scans box). A message will appear: Click OK to select a file path, click Cancel to cancel the selection.
Click OK. An Explorer window will appear; click the desktop there and find the Scan.txt file on it. Click Open.
Then click Quick Scan. Do not change any other settings. The scan may take a long time.
When the scan finishes, two logs will appear on the desktop:
OTL.Txt and Extras.Txt; they are saved in the same place as OTL.
Please paste the full contents of both logs here.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. While I am away, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support


Re: Infected svchost.exe

Post by raZeR » 07 Oct 2010 22:48

Sorry, I accidentally posted it twice.
Last edited by raZeR on 07 Oct 2010 22:49, edited 1 time in total.


Re: Infected svchost.exe

Post by raZeR » 07 Oct 2010 22:48

I did exactly what you wrote... Dr. found nothing and OTL produced only 1 log, no idea why, but I did everything exactly as you wrote... here it is:

OTL logfile created on: 7.10.2010 22:36:44 - Run 3
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Majkl\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 75,00% Memory free
10,00 Gb Paging File | 9,00 Gb Available in Paging File | 89,00% Paging File free
Paging file location(s): C:\pagefile.sys 6142 6142 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,75 Gb Total Space | 322,86 Gb Free Space | 69,32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAJKL-PC
Current User Name: Majkl
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\Majkl\Desktop\otl.exe (OldTimer Tools)
PRC - C:\Users\Majkl\Desktop\OTH.scr (OldTimer Tools)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Avast 5 IS\AvastUI.exe (ALWIL Software)
PRC - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
PRC - C:\Program Files (x86)\Avast 5 IS\afwServ.exe (ALWIL Software)


========== Modules (SafeList) ==========

MOD - C:\Users\Majkl\Desktop\otl.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1\ATL80.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Internet Explorer\ieproxy.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Avast 5 IS\snxBorder.dll (ALWIL Software)
MOD - C:\Program Files (x86)\Avast 5 IS\snxPlugins.dll (ALWIL Software)
MOD - C:\Windows\SysWOW64\rsaenh.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\WindowsCodecs.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\thumbcache.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\StructuredQuery.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\srvcli.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\slc.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\SearchFolder.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\RpcRtRemote.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\ntshrui.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\networkexplorer.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\EhStorShell.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\cscapi.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\actxprxy.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\normaliz.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4927_none_d08a205e442db5b5\msvcr80.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Microsoft Office\Office12\GrooveUtil.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
MOD - C:\Program Files (x86)\Microsoft Office\Office12\GrooveNew.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (PnkBstrA) -- C:\Windows\SysNative\PnkBstrA.exe File not found
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (UmRdpService) -- C:\Windows\SysNative\umrdp.dll (Microsoft Corporation)
SRV:64bit: - (PeerDistSvc) -- C:\Windows\SysNative\PeerDistSvc.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (WAS) -- C:\Windows\SysNative\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV:64bit: - (W3SVC) -- C:\Windows\SysNative\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV:64bit: - (CscService) -- C:\Windows\SysNative\cscsvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AppHostSvc) -- C:\Windows\SysNative\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (ServiceLayer) -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_64) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (avast! Web Scanner) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Antivirus) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Firewall) -- C:\Program Files (x86)\Avast 5 IS\afwServ.exe (ALWIL Software)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340) -- C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found
DRV:64bit: - (pfc) -- C:\Windows\SysNative\drivers\pfc.sys File not found
DRV:64bit: - (EIO64) -- C:\Windows\SysNative\DRIVERS\EIO64.sys File not found
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys ()
DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys ()
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (ALWIL Software)
DRV:64bit: - (UsbserFilt) -- C:\Windows\SysNative\drivers\usbser_lowerfltx64j.sys (Nokia)
DRV:64bit: - (upperdev) -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys (Nokia)
DRV:64bit: - (nmwcdcx64) -- C:\Windows\SysNative\drivers\ccdcmbox64.sys (Nokia)
DRV:64bit: - (nmwcdx64) -- C:\Windows\SysNative\drivers\ccdcmbx64.sys (Nokia)
DRV:64bit: - (nmwcdnsux64) -- C:\Windows\SysNative\drivers\nmwcdnsux64.sys (Nokia)
DRV:64bit: - (nmwcdnsucx64) -- C:\Windows\SysNative\drivers\nmwcdnsucx64.sys (Nokia)
DRV:64bit: - (aswNdis) -- C:\Windows\SysNative\drivers\aswNdis.sys (ALWIL Software)
DRV:64bit: - (Revoflt) -- C:\Windows\SysNative\drivers\revoflt.sys (VS Revo Group)
DRV:64bit: - (VIAHdAudAddService) -- C:\Windows\SysNative\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vmbus) -- C:\Windows\SysNative\drivers\vmbus.sys (Microsoft Corporation)
DRV:64bit: - (storflt) -- C:\Windows\SysNative\drivers\vmstorfl.sys (Microsoft Corporation)
DRV:64bit: - (storvsc) -- C:\Windows\SysNative\drivers\storvsc.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (usbser) -- C:\Windows\SysNative\drivers\usbser.sys (Microsoft Corporation)
DRV:64bit: - (s3cap) -- C:\Windows\SysNative\drivers\vms3cap.sys (Microsoft Corporation)
DRV:64bit: - (VMBusHID) -- C:\Windows\SysNative\drivers\VMBusHID.sys (Microsoft Corporation)
DRV:64bit: - (CSC) -- C:\Windows\SysNative\drivers\csc.sys (Microsoft Corporation)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (RTL8023x64) -- C:\Windows\SysNative\drivers\Rtnic64.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (AtiPcie) AMD PCI Express (3GIO) -- C:\Windows\SysNative\drivers\AtiPcie.sys (Advanced Micro Devices Inc.)
DRV:64bit: - (cpuz132) -- C:\Windows\SysNative\drivers\cpuz132_x64.sys (Windows (R) Codename Longhorn DDK provider)
DRV:64bit: - (pccsmcfd) -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys (Nokia)
DRV - (gdrv) -- C:\Windows\gdrv.sys (Windows (R) Server 2003 DDK provider)
DRV - (pfc) -- C:\Windows\SysWOW64\drivers\pfc.sys (Padus, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - Reg Error: Key error. File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.cz/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = cs
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D0 A4 50 0F 1F D6 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



Hosts file not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [WindowsErrorHook] C:\Cache\\WindowsErrorHook.exe ()
O4 - HKLM..\Run: [avast5] C:\Program Files (x86)\Avast 5 IS\avastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [uTorrent] C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 93.91.144.100 212.80.67.98
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.04.07 00:23:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\Shell - "" = AutoRun
O33 - MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010.10.07 21:58:47 | 000,000,000 | ---D | C] -- C:\Users\Majkl\DoctorWeb
[2010.10.07 21:57:12 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTH.scr
[2010.10.07 21:34:20 | 000,576,512 | ---- | C] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTL.exe
[2010.10.07 19:18:21 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\KONAMI
[2010.10.07 19:11:05 | 000,000,000 | ---D | C] -- C:\ProgramData\KONAMI
[2010.10.07 19:11:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KONAMI
[2010.10.06 21:13:56 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\NFS SHIFT
[2010.10.05 19:49:44 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Desktop\Svchost!!
[2010.10.03 21:05:26 | 000,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2010.10.03 20:58:36 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\AGEIA
[2010.10.03 20:58:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AGEIA Technologies
[2010.10.03 20:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Media Center Programs
[2010.10.02 13:52:50 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Unigine Heaven
[2010.10.02 13:45:39 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Unigine Sanctuary
[2010.09.30 16:01:33 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\HD Tune Pro
[2010.09.29 22:01:05 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Autodesk
[2010.09.29 21:56:32 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Autodesk
[2010.09.29 21:51:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Autodesk
[2010.09.29 21:51:43 | 000,000,000 | ---D | C] -- C:\Program Files\Autodesk
[2010.09.27 15:09:32 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Hacks4Sale_installer
[2010.09.26 14:53:21 | 000,000,000 | ---D | C] -- C:\Windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
[2010.09.25 20:58:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2010.09.25 18:03:10 | 000,000,000 | ---D | C] -- C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
[2010.09.24 12:17:33 | 000,000,000 | -HSD | C] -- C:\ProgramData\SecuROM
[2010.09.24 12:16:47 | 000,000,000 | ---D | C] -- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
[2010.09.22 21:33:32 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\My Games
[2010.09.19 18:53:42 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010.09.17 18:16:31 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Desktop\Freesinger
[2010.09.16 20:35:21 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\Poznámkové bloky aplikace OneNote
[2010.09.13 15:22:31 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Leadertech
[2010.09.11 18:03:44 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\runic games
[2010.09.11 17:03:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The KMPlayer
[2010.09.09 17:06:54 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\uTorrent
[2010.09.09 16:49:38 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010.09.07 20:05:41 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Allstar
[2010.09.05 20:56:02 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Ascaron Entertainment
[2010.09.05 19:21:37 | 000,000,000 | ---D | C] -- C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
[2010.09.04 20:39:18 | 000,000,000 | ---D | C] -- C:\3c452369bd5df954132d0b8904
[2010.09.04 19:50:00 | 000,000,000 | ---D | C] -- C:\Windows\6833245EDD86479A882A8360D62C8194.TMP
[2010.09.04 19:47:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD
[2010.09.04 13:06:31 | 000,000,000 | ---D | C] -- C:\Windows\EFC1B35CFFF241D8A70ACE6037F8040B.TMP
[2010.09.03 22:33:59 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\StickyNotes
[2010.09.02 22:03:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2010.09.01 19:57:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Works
[2010.09.01 19:56:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio
[2010.09.01 19:56:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2010.09.01 19:55:41 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010.09.01 19:52:48 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010.09.01 19:52:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 8
[2010.09.01 19:52:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2010.09.01 19:51:03 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010.08.30 18:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010.08.30 15:08:43 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\VS Revo Group
[2010.08.30 15:08:40 | 000,031,800 | ---- | C] (VS Revo Group) -- C:\Windows\SysNative\drivers\revoflt.sys
[2010.08.30 15:08:38 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010.08.30 15:00:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Winamp
[2010.08.28 15:11:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Opera
[2010.08.27 22:19:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Activision
[2010.08.27 15:19:54 | 000,000,000 | ---D | C] -- C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP
[2010.08.25 15:31:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KB350e
[2010.08.25 14:01:06 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2010.08.20 18:16:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Nokia
[2010.08.18 15:07:39 | 001,380,352 | ---- | C] (Blue Ripple Sound Limited) -- C:\Windows\SysWow64\rapture3d_oal.dll
[2010.08.18 15:07:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BRS
[2010.08.18 13:46:59 | 000,000,000 | -HSD | C] -- C:\Users\Majkl\AppData\Roaming\.#
[2010.08.17 17:09:59 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010.08.17 17:08:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2010.08.17 17:08:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\ATI Technologies
[2010.08.17 17:08:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI
[2010.08.17 17:06:04 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010.08.17 14:50:05 | 000,242,176 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\SysNative\Dts2APO.dll
[2010.08.17 14:50:05 | 000,193,024 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\SysNative\ViaMicArrayAPO.dll
[2010.08.17 14:50:05 | 000,086,016 | ---- | C] (QSound Labs, Inc.) -- C:\Windows\SysNative\nQPropPageExt.dll
[2010.08.17 14:50:05 | 000,082,432 | ---- | C] (QSound Labs, Inc.) -- C:\Windows\SysNative\nQAPO.dll
[2010.08.17 14:50:05 | 000,076,288 | ---- | C] (VIA Technologies,Inc.) -- C:\Windows\SysNative\ViaMicArrayPropPageExt.dll
[2010.08.17 14:48:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VIA
[2010.08.17 09:21:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GIGABYTE
[2010.08.12 10:10:38 | 000,178,800 | ---- | C] (Sony DADC Austria AG.) -- C:\Windows\SysWow64\CmdLineExt_x64.dll
[2010.08.11 22:05:56 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\Rockstar Games
[2010.08.11 18:16:50 | 000,000,000 | ---D | C] -- C:\ATI
[2010.08.11 18:01:56 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\ATI
[2010.08.11 18:01:56 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\ATI
[2010.08.11 17:58:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ATI Technologies
[2010.08.11 17:58:04 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010.08.07 19:35:39 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJPLM
[2010.08.07 19:30:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2010.08.07 19:30:23 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2010.08.07 19:28:31 | 000,000,000 | -H-D | C] -- C:\Windows\SysNative\CanonIJ Uninstaller Information
[2010.08.07 19:28:02 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2010.08.07 19:26:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Canon
[2010.08.07 18:05:53 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2010.08.05 20:48:47 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\OneNote Notebooks
[2010.08.04 09:39:13 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Caphyon
[2010.08.04 09:39:04 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Caphyon
[2010.08.02 14:28:21 | 000,019,432 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\SysNative\drivers\cpuz132_x64.sys
[2010.08.02 14:28:20 | 000,000,000 | ---D | C] -- C:\Program Files\CPUID
[2010.08.02 14:07:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lavalys
[2010.08.02 09:37:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010.07.22 20:52:28 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010.07.21 21:02:20 | 000,000,000 | RHSD | C] -- C:\Users\Majkl\AppData\Roaming\DisplayDriverTEMP
[2010.07.21 21:02:14 | 000,000,000 | ---D | C] -- C:\Windows\XSxS
[2010.07.21 21:02:14 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Xenocode
[2010.07.19 14:57:46 | 000,000,000 | -HSD | C] -- C:\[Smad-Cage]
[2010.07.18 18:58:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PCSuite
[2010.07.18 18:35:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Nokia
[2010.07.18 18:34:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Installations
[2010.07.18 18:25:10 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Nseries
[2010.07.18 18:07:48 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\NokiaAccount
[2010.07.18 18:03:21 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010.07.18 18:03:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Connectivity Solution
[2010.07.18 18:01:27 | 000,000,000 | ---D | C] -- C:\ProgramData\NokiaInstallerCache
[2010.07.18 14:46:10 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\Visual Studio 2008
[2010.07.15 12:59:51 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Deployment
[2010.07.15 12:59:51 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Apps
[2010.07.14 10:18:44 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Adobe Mini Bridge CS5
[2010.07.14 10:18:43 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2010.07.13 21:36:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft ActiveSync
[2010.06.15 15:40:44 | 000,836,464 | ---- | C] (Opera Software) -- C:\Users\Majkl\AppData\Roaming\spread.exe
[8 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010.10.07 22:38:46 | 008,912,896 | ---- | M] () -- C:\Users\Majkl\ntuser.dat
[2010.10.07 22:34:13 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.10.07 22:33:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.10.07 22:33:55 | 3220,676,608 | -HS- | M] () -- C:\hiberfil.sys
[2010.10.07 21:57:52 | 050,436,768 | ---- | M] () -- C:\Users\Majkl\Desktop\launch.exe
[2010.10.07 21:57:18 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTL.exe
[2010.10.07 21:57:12 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTH.scr
[2010.10.07 21:22:02 | 000,233,960 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2010.10.07 21:22:02 | 000,233,960 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2010.10.07 20:44:49 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.10.07 20:44:49 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.10.07 20:36:18 | 002,500,957 | -H-- | M] () -- C:\Users\Majkl\AppData\Local\IconCache.db
[2010.10.07 20:13:54 | 000,000,042 | ---- | M] () -- C:\Windows\SysWow64\scud.udf
[2010.10.07 15:02:26 | 001,741,110 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010.10.07 15:02:26 | 000,733,546 | ---- | M] () -- C:\Windows\SysNative\perfh005.dat
[2010.10.07 15:02:26 | 000,700,602 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010.10.07 15:02:26 | 000,164,212 | ---- | M] () -- C:\Windows\SysNative\perfc005.dat
[2010.10.07 15:02:26 | 000,141,548 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010.10.06 21:06:41 | 000,062,172 | ---- | M] () -- C:\Users\Majkl\Desktop\absolut hacker.png
[2010.10.06 20:54:47 | 000,075,064 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010.10.05 19:30:23 | 000,007,597 | ---- | M] () -- C:\Users\Majkl\AppData\Local\resmon.resmoncfg
[2010.10.04 21:12:29 | 000,126,354 | -H-- | M] () -- C:\treeinfo.wc
[2010.09.29 21:51:24 | 000,017,588 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\services
[2010.09.27 18:42:45 | 000,669,184 | ---- | M] () -- C:\Windows\SysWow64\pbsvc.exe
[2010.09.25 17:40:44 | 000,014,848 | ---- | M] () -- C:\ProgramData\Catalyst.exe
[2010.09.23 18:49:45 | 000,466,520 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2010.09.23 18:49:45 | 000,445,016 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2010.09.23 18:49:45 | 000,122,968 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2010.09.23 18:49:45 | 000,109,144 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysWow64\OpenAL32.dll
[2010.09.21 21:21:19 | 000,000,008 | RHS- | M] () -- C:\Users\Majkl\ntuser.pol
[2010.09.19 08:56:32 | 005,504,208 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010.09.18 19:13:08 | 000,248,472 | ---- | M] () -- C:\Users\Majkl\AppData\Local\GDIPFONTCACHEV1.DAT
[2010.09.13 20:04:50 | 000,000,910 | ---- | M] () -- C:\Windows\Rtcw.INI
[2010.09.12 10:59:41 | 000,000,684 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20100927-131543.backup
[2010.09.09 20:50:27 | 000,000,116 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010.09.04 21:04:59 | 001,719,396 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.09.02 20:25:13 | 000,000,000 | ---- | M] () -- C:\out.html
[2010.09.01 21:29:56 | 000,524,288 | -HS- | M] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TMContainer00000000000000000002.regtrans-ms
[2010.09.01 21:29:56 | 000,524,288 | -HS- | M] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TMContainer00000000000000000001.regtrans-ms
[2010.09.01 21:29:56 | 000,065,536 | -HS- | M] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TM.blf
[2010.09.01 19:52:30 | 000,000,478 | ---- | M] () -- C:\Windows\win.ini
[2010.08.26 21:48:01 | 000,000,000 | -H-- | M] () -- C:\Users\Majkl\Documents\Default.rdp
[2010.08.17 21:58:26 | 000,000,023 | ---- | M] () -- C:\Windows\BlendSettings.ini
[2010.08.12 10:10:38 | 000,178,800 | ---- | M] (Sony DADC Austria AG.) -- C:\Windows\SysWow64\CmdLineExt_x64.dll
[2010.08.11 18:27:40 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2010.08.01 21:30:36 | 000,047,104 | ---- | M] () -- C:\Windows\SysWow64\KMVIDC32.DLL
[2010.07.28 19:10:48 | 001,380,352 | ---- | M] (Blue Ripple Sound Limited) -- C:\Windows\SysWow64\rapture3d_oal.dll
[2010.07.21 21:44:18 | 000,028,160 | ---- | M] () -- C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
[2010.07.21 10:02:09 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010.07.19 10:12:45 | 000,004,096 | ---- | M] () -- C:\Windows\d3dx.dat
[2010.07.18 18:08:38 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
[8 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.10.07 21:57:07 | 050,436,768 | ---- | C] () -- C:\Users\Majkl\Desktop\launch.exe
[2010.10.07 20:13:54 | 000,000,042 | ---- | C] () -- C:\Windows\SysWow64\scud.udf
[2010.10.06 21:06:41 | 000,062,172 | ---- | C] () -- C:\Users\Majkl\Desktop\absolut hacker.png
[2010.09.25 17:40:44 | 000,014,848 | ---- | C] () -- C:\ProgramData\Catalyst.exe
[2010.09.13 18:04:42 | 000,000,910 | ---- | C] () -- C:\Windows\Rtcw.INI
[2010.09.02 20:25:13 | 000,000,000 | ---- | C] () -- C:\out.html
[2010.09.01 20:05:12 | 000,524,288 | -HS- | C] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TMContainer00000000000000000002.regtrans-ms
[2010.09.01 20:05:12 | 000,524,288 | -HS- | C] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TMContainer00000000000000000001.regtrans-ms
[2010.09.01 20:05:12 | 000,065,536 | -HS- | C] () -- C:\Users\Majkl\ntuser.dat{2140c998-b5f1-11df-9509-0008a16922da}.TM.blf
[2010.08.26 21:48:01 | 000,000,000 | -H-- | C] () -- C:\Users\Majkl\Documents\Default.rdp
[2010.08.11 18:27:40 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.08.01 21:28:47 | 000,047,104 | ---- | C] () -- C:\Windows\SysWow64\KMVIDC32.DLL
[2010.07.21 21:36:16 | 000,028,160 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
[2010.07.21 10:02:09 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010.07.19 10:12:45 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010.07.18 18:08:38 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_ccdcmbx64_01009.Wdf
[2010.07.11 18:35:45 | 000,000,116 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010.07.03 19:22:16 | 000,061,956 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\data.dat
[2010.07.01 15:16:38 | 000,000,068 | ---- | C] () -- C:\Windows\DVDRegionFree.INI
[2010.07.01 15:12:03 | 000,000,043 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010.05.29 22:04:15 | 000,886,272 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\System.Data.SQLite.DLL
[2010.05.27 14:29:55 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2010.05.19 21:02:44 | 000,007,597 | ---- | C] () -- C:\Users\Majkl\AppData\Local\resmon.resmoncfg
[2010.05.10 14:57:43 | 001,719,396 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.05.03 21:22:37 | 000,013,312 | ---- | C] () -- C:\Users\Majkl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.05.01 21:42:52 | 000,000,186 | ---- | C] () -- C:\Windows\wininit.ini
[2010.04.29 14:49:07 | 000,006,852 | ---- | C] () -- C:\Windows\SysWow64\drivers\Vcs.sys
[2010.04.08 21:14:49 | 000,004,872 | ---- | C] () -- C:\ProgramData\mtbjfghn.xbe
[2010.04.07 08:11:28 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2009.11.06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll

========== LOP Check ==========

[2010.08.18 13:46:59 | 000,000,000 | -HSD | M] -- C:\Users\Majkl\AppData\Roaming\.#
[2010.09.07 20:05:41 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Allstar
[2010.09.29 22:01:05 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Autodesk
[2010.08.04 09:39:04 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Caphyon
[2010.05.09 13:29:07 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Command and Conquer 3 Tiberium Wars
[2010.04.25 19:07:45 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Command and Conquer 4
[2010.04.09 15:22:33 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\DAEMON Tools Lite
[2010.07.22 11:08:18 | 000,000,000 | RHSD | M] -- C:\Users\Majkl\AppData\Roaming\DisplayDriverTEMP
[2010.04.22 14:45:12 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Foxit
[2010.06.09 19:36:51 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\GHISLER
[2010.09.27 15:09:32 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Hacks4Sale_installer
[2010.06.24 12:33:20 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Hardcore
[2010.09.30 16:01:33 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\HD Tune Pro
[2010.10.07 21:16:31 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\ICQ
[2010.09.13 15:22:31 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Leadertech
[2010.07.18 18:46:19 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Nokia
[2010.07.18 18:25:10 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Nseries
[2010.06.27 10:38:37 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Opera
[2010.05.14 21:20:15 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\PC Suite
[2010.09.11 18:05:01 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\runic games
[2010.06.13 13:19:26 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Sony
[2010.07.14 10:18:43 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2010.04.28 20:59:42 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\TeamViewer
[2010.06.02 19:39:39 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Ubisoft
[2010.06.16 10:13:28 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\Uniblue
[2010.10.07 22:36:06 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\uTorrent
[2010.09.20 15:49:28 | 000,000,000 | ---D | M] -- C:\Users\Majkl\AppData\Roaming\VSO
[2010.09.23 17:44:26 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010.04.07 00:23:23 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010.04.07 00:16:50 | 000,000,211 | -H-- | M] () -- C:\Boot.BAK
[2010.04.07 01:54:46 | 000,000,355 | RHS- | M] () -- C:\Boot.ini.saved
[2001.10.25 18:00:00 | 000,004,952 | RHS- | M] () -- C:\Bootfont.bin
[2009.07.14 03:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010.04.07 01:54:47 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010.04.07 00:23:23 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010.04.07 08:40:52 | 000,000,087 | ---- | M] () -- C:\csb.log
[2010.04.12 11:37:12 | 000,000,212 | ---- | M] () -- C:\da.bat
[2010.04.23 21:51:53 | 000,000,119 | ---- | M] () -- C:\download.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007.11.07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007.11.07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007.11.07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2010.04.28 13:46:27 | 000,000,097 | ---- | M] () -- C:\FLV.EXE
[2007.11.07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2010.04.07 01:03:02 | 000,203,464 | RHS- | M] () -- C:\grldr
[2010.10.07 22:33:55 | 3220,676,608 | -HS- | M] () -- C:\hiberfil.sys
[2007.11.07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2007.11.07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007.11.07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007.11.07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007.11.07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007.11.07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007.11.07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007.11.07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007.11.07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007.11.07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007.11.07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2010.04.07 00:23:23 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009.01.12 20:32:32 | 000,901,137 | ---- | M] () -- C:\libcurl-4.dll
[2006.12.01 23:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2010.04.07 00:23:23 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008.04.14 00:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008.04.14 02:01:48 | 000,250,576 | RHS- | M] () -- C:\ntldr
[2010.06.08 14:31:46 | 000,000,738 | -H-- | M] () -- C:\os245324.bin
[2010.09.02 20:25:13 | 000,000,000 | ---- | M] () -- C:\out.html
[2010.10.07 22:33:57 | 2145,386,495 | -HS- | M] () -- C:\pagefile.sys
[2010.04.20 18:48:24 | 000,000,306 | ---- | M] () -- C:\Radi-radi.wsf
[2010.04.07 08:14:29 | 000,000,390 | ---- | M] () -- C:\RHDSetup.log
[2010.10.04 21:12:29 | 000,126,354 | -H-- | M] () -- C:\treeinfo.wc
[2007.11.07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007.11.07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007.11.07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI
[2010.04.07 01:03:03 | 000,000,012 | RHS- | M] () -- C:\win7.ld
[2008.09.24 18:12:22 | 000,075,264 | ---- | M] (Zlib) -- C:\zlib1.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:054B9966
< End of report >

jaro3
Security team member
Guru Level 15
Posts: 43072
Registered: June 07
Location: South Bohemia
Sex: Male

Re: Infected svchost.exe +

Post by jaro3 » 08 Oct 2010 00:10

Uninstall:
Spybot - Search & Destroy -- the antispyware in Avast 5 is enough.

Uninstall:
Hacks4Sale_installer


You probably have an illegal Windows, don't you?

Double-click the OTL icon on the desktop. Make sure all other applications and browsers are closed.
Under Custom Scans/Fixes, paste the following text, shown in green, into the box:

Code:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
SRV:64bit: - (PnkBstrA) -- C:\Windows\SysNative\PnkBstrA.exe File not found
DRV:64bit: - (WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340) -- C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found
DRV:64bit: - (pfc) -- C:\Windows\SysNative\drivers\pfc.sys File not found
DRV:64bit: - (EIO64) -- C:\Windows\SysNative\DRIVERS\EIO64.sys File not found
IE - HKLM\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - Reg Error: Key error. File not found
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.cz/
O3:64bit: - HKLM\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O33 - MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\Shell - "" = AutoRun
O33 - MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:054B9966

:Files
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\system32\SET*.tmp
c:\windows\Tasks\*.job
C:\*.tmp
C:\Windows\SysNative\drivers\*.tmp
C:\Windows\SysWow64\drivers\*.tmp
C:\Program Files (x86)\*.tmp
C:\Windows\SysWow64\*.tmp
C:\Windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
C:\Windows\6833245EDD86479A882A8360D62C8194.TMP
C:\Windows\EFC1B35CFFF241D8A70ACE6037F8040B.TMP
C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP
C:\Windows\tasks\SA.DAT
C:\Windows\SysNative\perfh005.dat
C:\Windows\SysNative\perfh009.dat
C:\Windows\SysNative\perfc005.dat
C:\Windows\SysNative\perfc009.dat
C:\Windows\SysNative\drivers\etc\hosts.20100927-131543.backup
C:\Windows\ativpsrm.bin
C:\Windows\d3dx.dat
C:\Users\Majkl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\ProgramData\mtbjfghn.xbe
C:\os245324.bin
C:\win7.ld
C:\install.exe

:Reg
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[start explorer]
[Reboot]


Then click Run Fix at the top. Let the program run undisturbed; at the end the PC will restart.
After the restart a log will appear; please copy its whole contents here.

Do you know these folders:
C:\Users\Majkl\Desktop\Svchost!!
C:\Users\Majkl\AppData\Roaming\.#
C:\Users\Majkl\AppData\Roaming\DisplayDriverTEMP
What is in them???

In Folder Options, enable showing hidden files and folders and untick "Hide protected operating system files".

Test these on VirusTotal:
C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
C:\Users\Majkl\AppData\Roaming\data.dat
C:\Cache\\WindowsErrorHook.exe

Click Choose to the right of the box and find the required file on your PC in Explorer. Select it with the mouse and click Open, then click Send File. If the file has already been tested, a window appears in which you click Reanalyze. The file is then tested by a number of antivirus engines one after another. When the last antivirus finishes, the result appears at the top with the number of detections in red, e.g. 0/40 or 1/40. Then copy the link to that page and paste it into your post.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
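The OTL log above and jaro3's review of it pick entries out by hand: executables sitting in AppData\Roaming, hidden+system folders in the user profile and the drive root, an alternate data stream on C:\ProgramData\TEMP, and, the thread's starting point, svchost.exe copies outside the system directories. The Python script below is an added example, not part of the original posts or of the OTL tool; it parses OTL's file-listing line format and applies those same review heuristics to a handful of lines taken from the log above plus one constructed entry (assumed size) for the Desktop\Svchost!! copy raZeR mentions. A hit is a prompt to verify the file's hash or signature, not a malware verdict.

```python
"""Review heuristics for OTL file-listing lines.

Added example, not part of the original posts or of the OTL tool: it parses
the '[date | size | attrs | C/M] (company) -- path' entries and the
'@Alternate Data Stream' lines OTL prints and flags the entries a responder
would check first. A finding means "verify this file's hash/signature",
not "this is malware".
"""
import re
from dataclasses import dataclass
from typing import List

# One OTL file/folder entry. The company field is optional (directory lines
# have none) and may itself contain parentheses, hence the lazy match.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHS-]{3}[D-]) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>.*?)\))? -- (?P<path>.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<path>.+)$")

# Core Windows process names that only belong under the system directories.
# OTL reports the 64-bit System32 as SysNative and the 32-bit one as SysWow64.
CORE_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
                 "csrss.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\sysnative\\",
               "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
USER_WRITABLE = ("\\appdata\\", "c:\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str


def triage(lines: List[str]) -> List[Finding]:
    """Apply the review rules to OTL log lines; non-entry lines are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        ads = ADS_LINE.match(line)
        if ads:
            findings.append(Finding(ads["path"], "alternate data stream attached"))
            continue
        m = OTL_LINE.match(line)
        if not m:
            continue  # headers, blanks, summaries such as '[8 C:\Windows\*.tmp files -> ...]'
        path, attrs = m["path"], m["attrs"]
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        is_dir = attrs.endswith("D")
        is_exec = not is_dir and name.endswith(EXEC_EXT)

        if name in CORE_BINARIES and not p.startswith(SYSTEM_DIRS):
            findings.append(Finding(path, "core Windows binary name outside the system directories"))
        if is_exec and any(marker in p for marker in USER_WRITABLE):
            findings.append(Finding(path, "executable in a user-writable location"))
        if is_exec and re.fullmatch(r"[a-z]:\\[^\\]+", p):
            findings.append(Finding(path, "executable loose in the drive root"))
        if is_dir and "H" in attrs and "S" in attrs and not p.startswith("c:\\windows\\"):
            findings.append(Finding(path, "hidden+system directory outside \\Windows"))
    return findings


# Constructed sample: lines copied from the OTL log in this thread, plus one
# made-up entry for the Desktop\Svchost!! copy raZeR mentions (assumed size).
SAMPLE = r"""
[2010.06.15 15:40:44 | 000,836,464 | ---- | C] (Opera Software) -- C:\Users\Majkl\AppData\Roaming\spread.exe
[2010.07.21 21:36:16 | 000,028,160 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
[2010.07.19 14:57:46 | 000,000,000 | -HSD | C] -- C:\[Smad-Cage]
[2010.09.01 19:51:03 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010.08.30 18:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010.09.23 18:49:45 | 000,122,968 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2010.04.28 13:46:27 | 000,000,097 | ---- | M] () -- C:\FLV.EXE
[2010.10.07 20:10:00 | 000,027,136 | ---- | C] () -- C:\Users\Majkl\Desktop\Svchost!!\svchost.exe
[8 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:054B9966
"""


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f.rule:55} {f.path}")
```

The legitimate svchost.exe lives in C:\Windows\System32 (shown by OTL as SysNative on 64-bit Windows), with a 32-bit copy in SysWOW64 and versioned copies under WinSxS; a copy anywhere else, like the Desktop\Svchost!! entry here, is what warrants a hash comparison against the System32 file rather than a guess from the file name. The hidden+system rule deliberately requires both attributes on a directory outside \Windows: C:\MSOCache carries only RH and is a normal Office install cache, so it is not reported, while C:\[Smad-Cage] with -HSD is.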

raZeR
Level 1
Posts: 65
Registered: April 10
Location: Chomutov
Sex: Male

Re: Infected svchost.exe +

Post by raZeR » 08 Oct 2010 12:31

So Spybot is gone.

Hacks4Sale_installer: I found nothing, only leftover empty folders, which I removed.

In OTL I ran the fix (log below), and as for those folders:
C:\Users\Majkl\Desktop\Svchost!! - I copied the svchost.exe files I had found into it so I could test them; it is already gone
C:\Users\Majkl\AppData\Roaming\.# - empty folder
C:\Users\Majkl\AppData\Roaming\DisplayDriverTEMP - empty folder

VT tests:
data.dat - http://www.virustotal.com/file-scan/rep ... 1286533211 0/43
msconfig_settings.exe - http://www.virustotal.com/file-scan/rep ... 1286533405 6/43 :nervous:
WindowsErrorHook.exe - http://www.virustotal.com/file-scan/rep ... 1286533586 1/43

OTL log:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
No active process named firefox.exe was found!
Service PnkBstrA stopped successfully!
Service PnkBstrA deleted successfully!
File C:\Windows\SysNative\PnkBstrA.exe File not found not found.
Error: No service named WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340 was found to stop!
Service\Driver key WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340 not found.
File C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found not found.
Service pfc stopped successfully!
Service pfc deleted successfully!
File C:\Windows\SysNative\drivers\pfc.sys File not found not found.
Service EIO64 stopped successfully!
Service EIO64 deleted successfully!
File C:\Windows\SysNative\DRIVERS\EIO64.sys File not found not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache| /E : value set successfully!
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\grooveLocalGWS\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88FED34C-F0CA-4636-A375-3CB6248B04CD}\ not found.
File {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}\ not found.
File {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c7c7041f-42fd-11df-ada3-001fd035a455}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c7c7041f-42fd-11df-ada3-001fd035a455}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c7c7041f-42fd-11df-ada3-001fd035a455}\ not found.
File F:\autorun.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
ADS C:\ProgramData\TEMP:054B9966 deleted successfully.
========== FILES ==========
File\Folder C:\WINDOWS\System32\*.tmp not found.
C:\WINDOWS\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP folder moved successfully.
C:\WINDOWS\6833245EDD86479A882A8360D62C8194.TMP folder moved successfully.
C:\WINDOWS\95FC26FB19FD4A96BBB1B1062E8648F5.TMP folder moved successfully.
C:\WINDOWS\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP folder moved successfully.
C:\WINDOWS\DEA314C409294250BC9298E4C105F28D.TMP folder moved successfully.
C:\WINDOWS\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP folder moved successfully.
C:\WINDOWS\EFC1B35CFFF241D8A70ACE6037F8040B.TMP folder moved successfully.
C:\WINDOWS\msdownld.tmp folder moved successfully.
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
File\Folder c:\windows\Tasks\*.job not found.
File\Folder C:\*.tmp not found.
File\Folder C:\Windows\SysNative\drivers\*.tmp not found.
File\Folder C:\Windows\SysWow64\drivers\*.tmp not found.
File\Folder C:\Program Files (x86)\*.tmp not found.
File\Folder C:\Windows\SysWow64\*.tmp not found.
File\Folder C:\Windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP not found.
File\Folder C:\Windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP not found.
File\Folder C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP not found.
File\Folder C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP not found.
File\Folder C:\Windows\6833245EDD86479A882A8360D62C8194.TMP not found.
File\Folder C:\Windows\EFC1B35CFFF241D8A70ACE6037F8040B.TMP not found.
File\Folder C:\Windows\DEA314C409294250BC9298E4C105F28D.TMP not found.
C:\Windows\tasks\SA.DAT moved successfully.
C:\Windows\SysNative\perfh005.dat moved successfully.
C:\Windows\SysNative\perfh009.dat moved successfully.
C:\Windows\SysNative\perfc005.dat moved successfully.
C:\Windows\SysNative\perfc009.dat moved successfully.
C:\Windows\SysNative\drivers\etc\hosts.20100927-131543.backup moved successfully.
C:\Windows\ativpsrm.bin moved successfully.
C:\Windows\d3dx.dat moved successfully.
C:\Users\Majkl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
C:\ProgramData\mtbjfghn.xbe moved successfully.
C:\os245324.bin moved successfully.
C:\win7.ld moved successfully.
C:\install.exe moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: alr5000

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Majkl
->Temp folder emptied: 812572 bytes
->Temporary Internet Files folder emptied: 1146232 bytes
->Java cache emptied: 3463 bytes
->Opera cache emptied: 8705602 bytes
->Flash cache emptied: 5172 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67844 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10,00 mb


[EMPTYFLASH]

User: All Users

User: alr5000

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Majkl
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10082010_121046

Files\Folders moved on Reboot...
C:\Users\Majkl\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Re: Infected svchost.exe +

Post by jaro3 » 08 Oct 2010 13:32

C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
C:\Cache\\WindowsErrorHook.exe

--- we will delete these afterwards...

C:\Cache ----- what do you have that there for??

Double-click the OTL by OldTimer icon again, and under Custom Scans/Fixes paste the following text, shown in green:

Code:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT


Do not change the settings, just click Run Scan and let the scan finish. When the text file appears, please paste its entire contents here.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support


Re: Infected svchost.exe +

Post by raZeR » 08 Oct 2010 15:23

In C:\Cache I have exactly that WindowsErrorHook.exe and a Majk.txt, which looks to me like some kind of log or something... and here is the OTL log:

OTL logfile created on: 8.10.2010 14:27:57 - Run 4
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Users\Majkl\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 68,00% Memory free
10,00 Gb Paging File | 9,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 6142 6142 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465,75 Gb Total Space | 322,03 Gb Free Space | 69,14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAJKL-PC
Current User Name: Majkl
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Majkl\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Avast 5 IS\AvastUI.exe (ALWIL Software)
PRC - C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
PRC - C:\Program Files (x86)\Avast 5 IS\afwServ.exe (ALWIL Software)


========== Modules (SafeList) ==========

MOD - C:\Users\Majkl\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files (x86)\Avast 5 IS\snxBorder.dll (ALWIL Software)
MOD - C:\Program Files (x86)\Avast 5 IS\snxPlugins.dll (ALWIL Software)
MOD - C:\Windows\SysWOW64\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (UmRdpService) -- C:\Windows\SysNative\umrdp.dll (Microsoft Corporation)
SRV:64bit: - (PeerDistSvc) -- C:\Windows\SysNative\PeerDistSvc.dll (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (WAS) -- C:\Windows\SysNative\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV:64bit: - (W3SVC) -- C:\Windows\SysNative\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV:64bit: - (CscService) -- C:\Windows\SysNative\cscsvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AppHostSvc) -- C:\Windows\SysNative\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (ServiceLayer) -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (aspnet_state) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_64) -- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (avast! Web Scanner) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Antivirus) -- C:\Program Files (x86)\Avast 5 IS\AvastSvc.exe (ALWIL Software)
SRV - (avast! Firewall) -- C:\Program Files (x86)\Avast 5 IS\afwServ.exe (ALWIL Software)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340) -- C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys ()
DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys ()
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (AtiHdmiService) -- C:\Windows\SysNative\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (ALWIL Software)
DRV:64bit: - (UsbserFilt) -- C:\Windows\SysNative\drivers\usbser_lowerfltx64j.sys (Nokia)
DRV:64bit: - (upperdev) -- C:\Windows\SysNative\drivers\usbser_lowerfltx64.sys (Nokia)
DRV:64bit: - (nmwcdcx64) -- C:\Windows\SysNative\drivers\ccdcmbox64.sys (Nokia)
DRV:64bit: - (nmwcdx64) -- C:\Windows\SysNative\drivers\ccdcmbx64.sys (Nokia)
DRV:64bit: - (nmwcdnsux64) -- C:\Windows\SysNative\drivers\nmwcdnsux64.sys (Nokia)
DRV:64bit: - (nmwcdnsucx64) -- C:\Windows\SysNative\drivers\nmwcdnsucx64.sys (Nokia)
DRV:64bit: - (aswNdis) -- C:\Windows\SysNative\drivers\aswNdis.sys (ALWIL Software)
DRV:64bit: - (Revoflt) -- C:\Windows\SysNative\drivers\revoflt.sys (VS Revo Group)
DRV:64bit: - (VIAHdAudAddService) -- C:\Windows\SysNative\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vmbus) -- C:\Windows\SysNative\drivers\vmbus.sys (Microsoft Corporation)
DRV:64bit: - (storflt) -- C:\Windows\SysNative\drivers\vmstorfl.sys (Microsoft Corporation)
DRV:64bit: - (storvsc) -- C:\Windows\SysNative\drivers\storvsc.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (usbser) -- C:\Windows\SysNative\drivers\usbser.sys (Microsoft Corporation)
DRV:64bit: - (s3cap) -- C:\Windows\SysNative\drivers\vms3cap.sys (Microsoft Corporation)
DRV:64bit: - (VMBusHID) -- C:\Windows\SysNative\drivers\VMBusHID.sys (Microsoft Corporation)
DRV:64bit: - (CSC) -- C:\Windows\SysNative\drivers\csc.sys (Microsoft Corporation)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (RTL8023x64) -- C:\Windows\SysNative\drivers\Rtnic64.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (AtiPcie) AMD PCI Express (3GIO) -- C:\Windows\SysNative\drivers\AtiPcie.sys (Advanced Micro Devices Inc.)
DRV:64bit: - (cpuz132) -- C:\Windows\SysNative\drivers\cpuz132_x64.sys (Windows (R) Codename Longhorn DDK provider)
DRV:64bit: - (pccsmcfd) -- C:\Windows\SysNative\drivers\pccsmcfdx64.sys (Nokia)
DRV - (gdrv) -- C:\Windows\gdrv.sys (Windows (R) Server 2003 DDK provider)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = cs
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D0 A4 50 0F 1F D6 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2010.10.08 12:10:48 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [WindowsErrorHook] C:\Cache\\WindowsErrorHook.exe ()
O4 - HKLM..\Run: [avast5] C:\Program Files (x86)\Avast 5 IS\avastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKCU..\Run: [uTorrent] C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files (x86)\ICQ7.2\ICQ.exe (ICQ, LLC.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 93.91.144.100 212.80.67.98
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.04.07 00:23:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010.10.07 21:58:47 | 000,000,000 | ---D | C] -- C:\Users\Majkl\DoctorWeb
[2010.10.07 21:57:12 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTH.scr
[2010.10.07 21:34:20 | 000,576,512 | ---- | C] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTL.exe
[2010.10.07 19:18:21 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\KONAMI
[2010.10.07 19:11:05 | 000,000,000 | ---D | C] -- C:\ProgramData\KONAMI
[2010.10.07 19:11:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KONAMI
[2010.10.06 21:13:56 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\NFS SHIFT
[2010.10.03 21:05:26 | 000,000,000 | ---D | C] -- C:\ProgramData\BioWare
[2010.10.03 20:58:36 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\AGEIA
[2010.10.03 20:58:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AGEIA Technologies
[2010.10.03 20:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Media Center Programs
[2010.10.02 13:52:50 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Unigine Heaven
[2010.10.02 13:45:39 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Unigine Sanctuary
[2010.09.30 16:01:33 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\HD Tune Pro
[2010.09.29 21:56:32 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\Autodesk
[2010.09.29 21:51:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Autodesk
[2010.09.29 21:51:43 | 000,000,000 | ---D | C] -- C:\Program Files\Autodesk
[2010.09.25 22:15:15 | 002,870,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sqlrcmd.dll
[2010.09.25 20:58:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts
[2010.09.24 12:17:33 | 000,000,000 | -HSD | C] -- C:\ProgramData\SecuROM
[2010.09.23 18:49:47 | 017,686,528 | ---- | C] (Intel Corporation / Blue Ripple Sound Limited) -- C:\Windows\SysWow64\mkl_blueripple.dll
[2010.09.22 21:33:32 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Local\My Games
[2010.09.19 18:53:42 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010.09.17 18:16:31 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Desktop\Freesinger
[2010.09.16 20:35:21 | 000,000,000 | ---D | C] -- C:\Users\Majkl\Documents\Poznámkové bloky aplikace OneNote
[2010.09.13 20:04:20 | 000,266,293 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.002
[2010.09.13 18:53:04 | 000,266,293 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.001
[2010.09.13 18:04:46 | 000,266,293 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.000
[2010.09.13 15:22:31 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\Leadertech
[2010.09.11 18:03:44 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\runic games
[2010.09.11 17:03:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\The KMPlayer
[2010.09.09 17:06:54 | 000,000,000 | ---D | C] -- C:\Users\Majkl\AppData\Roaming\uTorrent
[2010.09.09 16:49:38 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010.06.15 15:40:44 | 000,836,464 | ---- | C] (Opera Software) -- C:\Users\Majkl\AppData\Roaming\spread.exe

========== Files - Modified Within 30 Days ==========

[2010.10.08 14:28:21 | 008,912,896 | ---- | M] () -- C:\Users\Majkl\ntuser.dat
[2010.10.08 12:19:34 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010.10.08 12:19:34 | 000,014,224 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010.10.08 12:12:06 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.10.08 12:11:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.10.08 12:11:54 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2010.10.08 12:11:50 | 3220,676,608 | -HS- | M] () -- C:\hiberfil.sys
[2010.10.08 12:11:15 | 002,502,689 | -H-- | M] () -- C:\Users\Majkl\AppData\Local\IconCache.db
[2010.10.08 12:10:48 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2010.10.07 21:57:52 | 050,436,768 | ---- | M] () -- C:\Users\Majkl\Desktop\launch.exe
[2010.10.07 21:57:18 | 000,576,512 | ---- | M] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTL.exe
[2010.10.07 21:57:12 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Majkl\Desktop\OTH.scr
[2010.10.07 21:22:02 | 000,233,960 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2010.10.07 21:22:02 | 000,233,960 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2010.10.07 20:13:54 | 000,000,042 | ---- | M] () -- C:\Windows\SysWow64\scud.udf
[2010.10.07 15:02:26 | 001,741,110 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010.10.06 21:06:41 | 000,062,172 | ---- | M] () -- C:\Users\Majkl\Desktop\absolut hacker.png
[2010.10.06 20:54:47 | 000,075,064 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010.10.05 19:30:23 | 000,007,597 | ---- | M] () -- C:\Users\Majkl\AppData\Local\resmon.resmoncfg
[2010.10.04 21:12:29 | 000,126,354 | -H-- | M] () -- C:\treeinfo.wc
[2010.09.29 21:51:24 | 000,017,588 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\services
[2010.09.27 18:42:45 | 000,669,184 | ---- | M] () -- C:\Windows\SysWow64\pbsvc.exe
[2010.09.25 22:15:15 | 002,870,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\sqlrcmd.dll
[2010.09.25 17:40:44 | 000,014,848 | ---- | M] () -- C:\ProgramData\Catalyst.exe
[2010.09.23 18:49:45 | 000,466,520 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2010.09.23 18:49:45 | 000,445,016 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2010.09.23 18:49:45 | 000,122,968 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2010.09.23 18:49:45 | 000,109,144 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysWow64\OpenAL32.dll
[2010.09.21 21:21:19 | 000,000,008 | RHS- | M] () -- C:\Users\Majkl\ntuser.pol
[2010.09.19 08:56:32 | 005,504,208 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010.09.18 19:13:08 | 000,248,472 | ---- | M] () -- C:\Users\Majkl\AppData\Local\GDIPFONTCACHEV1.DAT
[2010.09.13 20:04:50 | 000,000,910 | ---- | M] () -- C:\Windows\Rtcw.INI
[2010.09.09 20:50:27 | 000,000,116 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010.09.09 16:49:06 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll

========== Files Created - No Company Name ==========

[2010.10.08 12:11:54 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010.10.07 21:57:07 | 050,436,768 | ---- | C] () -- C:\Users\Majkl\Desktop\launch.exe
[2010.10.07 20:13:54 | 000,000,042 | ---- | C] () -- C:\Windows\SysWow64\scud.udf
[2010.10.06 21:06:41 | 000,062,172 | ---- | C] () -- C:\Users\Majkl\Desktop\absolut hacker.png
[2010.09.25 17:40:44 | 000,014,848 | ---- | C] () -- C:\ProgramData\Catalyst.exe
[2010.09.13 18:04:42 | 000,000,910 | ---- | C] () -- C:\Windows\Rtcw.INI
[2010.08.01 21:28:47 | 000,047,104 | ---- | C] () -- C:\Windows\SysWow64\KMVIDC32.DLL
[2010.07.21 21:36:16 | 000,028,160 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
[2010.07.11 18:35:45 | 000,000,116 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2010.07.03 19:22:16 | 000,061,956 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\data.dat
[2010.07.01 15:16:38 | 000,000,068 | ---- | C] () -- C:\Windows\DVDRegionFree.INI
[2010.07.01 15:12:03 | 000,000,043 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010.05.29 22:04:15 | 000,886,272 | ---- | C] () -- C:\Users\Majkl\AppData\Roaming\System.Data.SQLite.DLL
[2010.05.27 14:29:55 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2010.05.19 21:02:44 | 000,007,597 | ---- | C] () -- C:\Users\Majkl\AppData\Local\resmon.resmoncfg
[2010.05.10 14:57:43 | 001,719,396 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.05.01 21:42:52 | 000,000,186 | ---- | C] () -- C:\Windows\wininit.ini
[2010.04.29 14:49:07 | 000,006,852 | ---- | C] () -- C:\Windows\SysWow64\drivers\Vcs.sys
[2010.04.07 08:11:28 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2009.11.06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2008.10.07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
[2008.10.07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
[2008.10.07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010.04.28 13:46:27 | 000,000,097 | ---- | M] () -- C:\FLV.EXE


< MD5 for: AGP440.SYS >
[2009.07.14 03:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009.07.14 03:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009.07.14 03:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009.07.14 03:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009.07.14 03:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009.07.14 03:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009.07.14 03:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009.07.14 03:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009.07.14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009.07.14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009.07.14 03:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009.07.14 03:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009.07.14 03:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009.07.14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009.07.14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009.07.14 03:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009.07.14 03:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

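An added example, not part of this thread and not code from OTL's author: a small Python checker that reads OTL log lines of the kinds quoted above (O4 Run entries, DRV/SRV/PRC lines, and the `< MD5 for: ... >` blocks produced by the custom scan requested earlier in the thread) and flags what the helper looks for by eye. It reports entries whose file is missing, entries with an empty company name (such as the C:\Cache\\WindowsErrorHook.exe autorun), and a live System32/SysWOW64 copy of a system file whose MD5 matches none of the winsxs/DriverStore copies, which is how a patched system driver shows up in that section. The sample log is constructed from lines in this thread plus one invented "patched atapi.sys" line with a placeholder hash; the regular expressions and the winsxs/DriverStore rule are my own assumptions about the OTL line format, not something OTL documents.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the OTL lines quoted in this thread.
# All lines are copied from the thread except the last atapi.sys line, which is
# an invented "patched live driver" case with a placeholder (all-zero) hash.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - C:\Users\Majkl\Desktop\OTL.exe (OldTimer Tools)

========== Driver Services (SafeList) ==========

DRV:64bit: - (WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340) -- C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys ()
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)

========== Standard Registry (SafeList) ==========

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [WindowsErrorHook] C:\Cache\\WindowsErrorHook.exe ()
O4 - HKCU..\Run: [uTorrent] C:\Users\Majkl\AppData\Roaming\uTorrent\utorrent.exe (BitTorrent, Inc.)

< MD5 for: CNGAUDIT.DLL >
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009.07.14 03:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009.07.14 03:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: ATAPI.SYS >
[2009.07.14 03:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2010.10.01 10:00:00 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\SysNative\drivers\atapi.sys
"""

# Assumed OTL line shapes (derived from the log lines above, not from OTL docs).
# O4 autorun entry:  O4[:64bit:] - HKLM..\Run: [name] path (company)
RUN_LINE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^()]*)\)$"
)
# Process / service / driver entry; ends with "(company)" or "File not found".
SVC_LINE = re.compile(
    r"^(?P<kind>DRV|SRV|PRC)(?::64bit:)? - (?:\((?P<name>[^)]*)\).*? -- )?"
    r"(?P<path>.+?)(?: \((?P<company>[^()]*)\)| (?P<missing>File not found))$"
)
MD5_HEADER = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
MD5_LINE = re.compile(
    r"^\[[^\]]*\] \((?P<company>[^()]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Copies under these directories are the component-store backups that the
# live System32/SysWOW64 file is expected to match.
BACKUP_DIR_MARKERS = ("\\winsxs\\", "\\driverstore\\")


def is_backup_copy(path):
    p = path.lower()
    return any(marker in p for marker in BACKUP_DIR_MARKERS)


def analyze(log_text):
    """Return findings as (reason, path) tuples, in the order they are found."""
    findings = []
    md5_groups = defaultdict(list)  # file name -> [(path, md5), ...]
    current_md5_file = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MD5_HEADER.match(line)
        if m:
            current_md5_file = m.group("name").lower()
            continue
        m = MD5_LINE.match(line)
        if m and current_md5_file:
            md5_groups[current_md5_file].append((m.group("path"), m.group("md5").upper()))
            continue
        m = RUN_LINE.match(line) or SVC_LINE.match(line)
        if not m:
            continue
        if m.groupdict().get("missing"):
            # Registry still points at a file that no longer exists (leftover entry).
            findings.append(("file not found", m.group("path")))
        elif m.group("company") == "":
            # OTL prints "()" when the file carries no company/version information.
            findings.append(("no company name", m.group("path")))
    # A live copy whose hash matches none of the winsxs/DriverStore copies is
    # the pattern a patched system driver leaves in the /md5 section.
    for _name, copies in md5_groups.items():
        backup_hashes = {h for p, h in copies if is_backup_copy(p)}
        for p, h in copies:
            if not is_backup_copy(p) and h not in backup_hashes:
                findings.append(("md5 differs from all winsxs/DriverStore copies", p))
    return findings


if __name__ == "__main__":
    for reason, path in analyze(SAMPLE_LOG):
        print(f"{reason:45s} {path}")
```

Feeding a full OTL log to `analyze()` (for instance `analyze(open("OTL.Txt", encoding="utf-8", errors="replace").read())`) yields the same kind of shortlist the helper builds by hand; a hit is a reason to look closer (VirusTotal, vendor signature, file age), not proof of infection, since unsigned legitimate drivers such as the SecuROM/StarForce ones also show an empty company name.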

Re: Infikovany svchost.exe +

Post by jaro3 » 08 Oct 2010 16:05

Double-click the OTL icon on the desktop. Make sure all other applications and browsers are closed.
Under Custom Scans/Fixes, paste the following text (shown in green) into the box:

Code:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
DRV:64bit: - (WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340) -- C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found
O4:64bit: - HKLM..\Run: [WindowsErrorHook] C:\Cache\\WindowsErrorHook.exe ()

:Files
C:\Windows\ativpsrm.bin
C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
C:\Cache\\WindowsErrorHook.exe
C:\Cache

:Reg
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click Run Fix at the top. Let the program run undisturbed; at the end the PC will restart.
After the restart a log will appear; please copy its entire contents here.

In Folder Options, enable showing hidden files and folders, and untick the "Hide protected operating system files" box.

Test these on VirusTotal:
C:\Windows\SysWow64\temp.002
C:\Windows\SysWow64\temp.001
C:\Windows\SysWow64\temp.000
C:\Windows\SysNative\appmgmts.dll


Click Browse to the right of the box and locate the requested file on your PC in Explorer. Select it with the mouse and click Open, then click Send File. If the file has already been tested, a window will appear in which you click Reanalyze. The file will then be tested by several antivirus engines one after another. When the last engine finishes, the result appears at the top with the number of detections in red, e.g. 0/40 or 1/40. Then copy the link to that page with the mouse and paste it into your post.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support

raZeR
Level 1
Posts: 65
Registered: April 10
Location: Chomutov
Gender: Male
Status: Offline

Re: Infikovany svchost.exe +

Post by raZeR » 08 Oct 2010 18:03

Fixed in OTL, and here is the log.
OTL:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
No active process named firefox.exe was found!
Error: No service named WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340 was found to stop!
Service\Driver key WPRO_40_1340) WinPcap Packet Driver (WPRO_40_1340 not found.
File C:\Windows\SysNative\drivers\WPRO_40_1340.sys File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WindowsErrorHook deleted successfully.
File move failed. C:\Cache\\WindowsErrorHook.exe scheduled to be moved on reboot.
========== FILES ==========
C:\Windows\ativpsrm.bin moved successfully.
C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe moved successfully.
File\Folder C:\Cache\\WindowsErrorHook.exe not found.
C:\Cache folder moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: alr5000

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Majkl
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1191710 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 1419981 bytes
->Flash cache emptied: 1706 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 108626053 bytes

Total Files Cleaned = 106,00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10082010_174846

Files\Folders moved on Reboot...
File\Folder C:\Cache\\WindowsErrorHook.exe not found!
C:\Users\Majkl\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...

VirusTotal:

C:\Windows\SysWow64\temp.002 - http://www.virustotal.com/file-scan/rep ... 1286553477 0/43
C:\Windows\SysWow64\temp.001 - http://www.virustotal.com/file-scan/rep ... 1286553395 0/43
C:\Windows\SysWow64\temp.000 - http://www.virustotal.com/file-scan/rep ... 1286553249 0/43
C:\Windows\SysNative\appmgmts.dll - http://www.virustotal.com/file-scan/rep ... 1286553641 0/43
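The result log above is the only record of what the fix actually did, and reading it by eye is error-prone when an entry is first "scheduled to be moved on reboot" and later reported "not found". As an added Python example (not OTL's own code and not part of the thread), the script below splits an OTL fix script into its `:Section` blocks and matches every `:Files` entry against the outcome lines in the result log, so that entries without a successful move stand out. The sample script and log are reduced copies of the ones posted above; the outcome phrasings (`moved successfully`, `scheduled to be moved on reboot`, `not found`) are taken from that log as it appears, not from any OTL documentation, so logs with other wordings would need the pattern table extended.

```python
import re
from collections import defaultdict

# Reduced copy of the fix script posted in this thread (only the :Files and :Commands parts).
FIX_SCRIPT = r"""
:Files
C:\Windows\ativpsrm.bin
C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe
C:\Cache\\WindowsErrorHook.exe
C:\Cache

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

# Reduced copy of the OTL result log posted in this thread.
RESULT_LOG = r"""
File move failed. C:\Cache\\WindowsErrorHook.exe scheduled to be moved on reboot.
========== FILES ==========
C:\Windows\ativpsrm.bin moved successfully.
C:\Users\Majkl\AppData\Roaming\msconfig_settings.exe moved successfully.
File\Folder C:\Cache\\WindowsErrorHook.exe not found.
C:\Cache folder moved successfully.
========== REGISTRY ==========
Files\Folders moved on Reboot...
File\Folder C:\Cache\\WindowsErrorHook.exe not found!
"""

# Outcome wordings as they appear in the log above; checked in this order.
RESULT_PATTERNS = [
    (re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"), "scheduled"),
    (re.compile(r"^File\\Folder (?P<path>.+?) not found[.!]$"), "not found"),
    (re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$"), "moved"),
]


def parse_fix_script(text):
    """Return {'files': [...], 'commands': [...], ...} keyed by lower-cased section name."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            continue
        if current is not None:
            sections[current].append(line)
    return dict(sections)


def parse_result_log(text):
    """Return {path_lower: [status, ...]} with every outcome the log recorded for a path."""
    outcomes = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, status in RESULT_PATTERNS:
            match = pattern.match(line)
            if match:
                outcomes[match.group("path").lower()].append(status)
                break
    return dict(outcomes)


def reconcile(script, outcomes):
    """Map each :Files entry of the script to the outcomes the log recorded for it."""
    return {path: outcomes.get(path.lower(), ["no record"]) for path in script.get("files", [])}


def unresolved(report):
    """Entries that never got a successful move and therefore need a second look."""
    return [path for path, statuses in report.items() if "moved" not in statuses]


if __name__ == "__main__":
    report = reconcile(parse_fix_script(FIX_SCRIPT), parse_result_log(RESULT_LOG))
    for path, statuses in report.items():
        print(f"{path}: {', '.join(statuses)}")
    print("unresolved:", unresolved(report))
```

On the sample data only `C:\Cache\\WindowsErrorHook.exe` comes back unresolved: it was scheduled for a reboot move, then reported not found twice, which is consistent with its parent folder `C:\Cache` having been moved successfully in the meantime, but the script does not guess that and leaves the entry for the reader to confirm.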

