Please check my log. The PC has probably been compromised again (Solved)

Section devoted to viruses and other malicious code, and also to the tools that can be used to defend against them…

Moderators: Mods_senior, Security team

jumbovrte
Level 1.5
Posts: 124
Registered: May 10
Gender: Not specified
Status: Offline

Re: Please check my log. The PC has probably been compromised again

Post by jumbovrte » 17 Sep 2010 09:57

Log from OTM:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\System32\CONFIG.TMP moved successfully.
C:\WINDOWS\System32\PerfStringBackup.TMP moved successfully.
C:\WINDOWS\002891_.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
File/Folder C:\WINDOWS\system32\SET*.tmp not found.
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job moved successfully.
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job moved successfully.
c:\windows\Tasks\MP Scheduled Scan.job moved successfully.
File/Folder C:\*.tmp not found.
File/Folder C:\Recyclers not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 3510317 bytes

User: NetworkService
->Temp folder emptied: 2940 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: v2
->Temp folder emptied: 844253 bytes
->Temporary Internet Files folder emptied: 4058075 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 38697836 bytes
->Flash cache emptied: 3173 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2083 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 45,00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09172010_094730

Files moved on Reboot...

Registry entries deleted on Reboot...


Jaro3, we dealt with those incoming mails last time too, it was sometime in April/May and we solved it by cleaning up... So I hope it will be the same now. I don't really want to change the mail address, it's a company one... Although, if there's no other way...
I'm wondering how you guys actually do this, helping others like this, is it your full-time job (HPP)?


I also don't really understand where these bugs came from; it's true that someone occasionally browses here, but it's mostly youtube, stream, seznam, sauto and similar sites, which shouldn't pose any threat... But it's also a fact that someone occasionally brings in a flash drive; that's probably where I'd look, and I'd ban such activity on a work PC, right?

A thousand thanks for now!!!

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male
Status: Offline

Re: Please check my log. The PC has probably been compromised again

Post by jaro3 » 17 Sep 2010 11:36

No need to thank me yet!!

Full-time job (HPP), that made me laugh :D
Nothing like that, it's free and done in our spare moments...
We simply enjoy it...

Could you post a link to how we solved it last time?

Download OTL to your desktop. Make sure all other windows are closed and double-click the OTL icon. At the top of the window, under Output, click Minimal Output. Under Standard Registry, change to All. Check "LOP Check" and "Purity Check". Click Run Scan. Leave all other settings as they are. The scan may take a long time; when it finishes, two logs will open:
OTL.Txt
Extras.Txt

They are saved in the same location as OTL. Please copy both logs here.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
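The OTL log that these steps produce lists processes (PRC), modules (MOD), services (SRV), drivers (DRV) and autostart entries (O4, O32 and so on) one per line, each file ending with the publisher taken from its version information, or an empty pair of parentheses when there is none. The Python script below is an added example, not part of this thread or of the OTL tool, showing how a helper can pre-screen such a log before reading it by hand: it flags files with no recorded publisher, Run values whose target OTL reports as "File not found", and autorun.inf files on removable or optical media. The sample input is constructed from lines of the kinds that appear in this thread's log; the regular expressions and the flagging rules are my own assumptions about the format, and a flagged line is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a handful of lines in the format OTL writes,
# covering the entry types the triage below looks at.
SAMPLE_OTL_LOG = r"""
PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - C:\WINDOWS\system32\ServoApp.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
DRV - (uti3otqx) -- C:\WINDOWS\system32\drivers\uti3otqx.sys ()
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (ALIWEHCD) -- C:\WINDOWS\system32\drivers\mfpec.sys (None)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [POINTER] File not found
O32 - AutoRun File - [2010.07.30 12:46:36 | 000,000,061 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
"""

# "<anything> (<publisher>)" at the end of a PRC/MOD/SRV/DRV line.  The greedy
# prefix makes the *last* parenthesised group win, so a description such as
# "(WDM)" earlier in the line is not mistaken for the publisher.
TRAILING_PUBLISHER = re.compile(r"^(?P<body>.*) \((?P<publisher>[^()]*)\)$")
# "O4 - HKLM..\Run: [<value name>] <target>"
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# Drive-letter path inside an O32 AutoRun File line, e.g. "E:\autorun.inf"
AUTORUN_PATH = re.compile(r" - (?P<path>[A-Za-z]:\\\S+) -- ")


@dataclass
class Finding:
    kind: str    # OTL line type: PRC, MOD, SRV, DRV, O4, O32
    item: str    # file path or registry value name
    reason: str  # why a reviewer should look at it


def _path_from_body(body: str) -> str:
    """Extract the file path from the part of the line before the publisher."""
    if " -- " in body:                      # SRV/DRV: "DRV - (name) [desc] -- <path>"
        return body.rsplit(" -- ", 1)[1]
    return body.split(" - ", 1)[1]          # PRC/MOD: "PRC - <path>"


def triage_otl(log_text: str) -> List[Finding]:
    """Return the entries a reviewer would look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("PRC", "MOD", "SRV", "DRV"):
            m = TRAILING_PUBLISHER.match(line)
            if m is None:
                continue
            publisher = m.group("publisher").strip()
            if publisher in ("", "None"):
                findings.append(Finding(kind, _path_from_body(m.group("body")),
                                        "no publisher in version info; verify where the file came from"))
        elif kind == "O4":
            m = RUN_ENTRY.match(line)
            if m and m.group("target") == "File not found":
                findings.append(Finding(kind, m.group("name"),
                                        "Run value points to a missing file; leftover or removed autostart"))
        elif kind == "O32" and "AutoRun File" in line:
            m = AUTORUN_PATH.search(line)
            findings.append(Finding(kind, m.group("path") if m else line,
                                    "autorun.inf on removable/optical media; inspect what it launches"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per finding, in the order the log listed them."""
    return "\n".join(f"[{f.kind}] {f.item}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print(format_report(triage_otl(SAMPLE_OTL_LOG)))
```

Run against the sample, the report lists ServoApp.exe, uti3otqx.sys and mfpec.sys (no publisher), the orphaned POINTER Run value, and E:\autorun.inf, while the ESET and Microsoft entries pass through untouched. Entries with a well-known publisher can still be malicious and a missing publisher is common for small vendors, so the output is a reading order for the log, not a cleanup list.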


Re: Please check my log. The PC has probably been compromised again

Post by jumbovrte » 17 Sep 2010 11:48

viewtopic.php?f=47&t=53060 - the solution from last time; however, a few things were a bit different there (the infection was reported by AVG itself...)

:) OK, I take it back, I was just thinking that nowadays nobody does anything for free. You have my admiration, I wouldn't have the nerves for it, but as can be seen, you enjoy it here and that's what matters most... Are you a programmer or something like that?

I'm going to do the OTL scan.


Re: Please check my log. The PC has probably been compromised again

Post by jumbovrte » 17 Sep 2010 12:11

Only the OTL.txt log came out, not Extras...

OTL logfile created on: 17.9.2010 12:05:34 - Run 2
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\v2\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 68,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 89,00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,53 Gb Total Space | 39,63 Gb Free Space | 53,17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 669,91 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive O: | 226,28 Gb Total Space | 198,02 Gb Free Space | 87,51% Space Free | Partition Type: NTFS
Drive P: | 226,28 Gb Total Space | 198,02 Gb Free Space | 87,51% Space Free | Partition Type: NTFS
Drive X: | 226,28 Gb Total Space | 198,02 Gb Free Space | 87,51% Space Free | Partition Type: NTFS

Computer Name: V2
Current User Name: v2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\v2\Plocha\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
PRC - C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe (Skype Technologies S.A.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ServoApp.exe ()
PRC - C:\Program Files\Print Server Utilities\PSAgent.exe (Edimax Technology Co., Ltd.)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
PRC - C:\Program Files\Linksys\CIT200\cit200.exe (Linksys)
PRC - C:\Program Files\Microsoft Hardware\Mouse\point32.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\v2\Plocha\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Hardware\Mouse\Msh_zwf.dll (Microsoft Corporation)
MOD - C:\Program Files\Microsoft Hardware\Mouse\point32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (EhttpSrv) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
SRV - (ekrn) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (uti3otqx) -- C:\WINDOWS\system32\drivers\uti3otqx.sys ()
DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (epfwtdi) -- C:\WINDOWS\system32\drivers\epfwtdi.sys (ESET)
DRV - (epfw) -- C:\WINDOWS\system32\drivers\epfw.sys (ESET)
DRV - (ehdrv) -- C:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (Epfwndis) -- C:\WINDOWS\system32\drivers\epfwndis.sys (ESET)
DRV - (53102182) -- C:\WINDOWS\system32\DRIVERS\53102182.sys (Kaspersky Lab)
DRV - (setup_9.0.0.722_16.09.2010_12-24drv) -- C:\WINDOWS\system32\drivers\5310218.sys (Kaspersky Lab)
DRV - (53102181) -- C:\WINDOWS\system32\drivers\53102181.sys (Kaspersky Lab)
DRV - (Stld) -- C:\WINDOWS\System32\drivers\STLD.SYS (Number Five Software)
DRV - (usbaudio) Ovladač zvukové karty USB (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (ALIWEHCD) -- C:\WINDOWS\system32\drivers\mfpec.sys (None)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (e1express) Intel(R) -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)
DRV - (HECI) Intel(R) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)
DRV - (WUSBVBus) -- C:\WINDOWS\system32\drivers\mfpvbus.sys (None)
DRV - (n5lpt.sys) -- C:\WINDOWS\system32\drivers\n5lpt.sys (Number Five Software)
DRV - (IPFilter) -- C:\WINDOWS\system32\drivers\ipfilter.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "seznam.cz"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.10

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010.05.07 07:32:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.09.17 09:50:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.09.17 09:50:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010.09.15 14:35:26 | 000,000,000 | ---D | M]

[2010.02.05 09:27:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Extensions
[2010.02.05 09:27:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010.09.17 10:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Firefox\Profiles\0p4mft5z.default\extensions
[2010.07.29 06:21:19 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Firefox\Profiles\0p4mft5z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010.08.18 12:35:49 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Firefox\Profiles\0p4mft5z.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.06.03 15:17:15 | 000,002,048 | ---- | M] () -- C:\Documents and Settings\v2\Data aplikací\Mozilla\Firefox\Profiles\0p4mft5z.default\searchplugins\mapycz.xml
[2010.09.17 10:01:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.09.17 09:50:32 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010.08.05 13:25:53 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.05.07 07:32:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.29 06:48:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010.09.17 09:50:16 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010.09.17 09:50:16 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.09.17 09:50:21 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010.09.09 11:10:30 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010.09.09 11:10:30 | 000,000,638 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\jyxo-cz.xml
[2010.09.09 11:10:30 | 000,001,687 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\mall-cz.xml
[2010.09.09 11:10:30 | 000,001,367 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\seznam-cz.xml
[2010.09.09 11:10:30 | 000,000,654 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\slunecnice-cz.xml
[2010.09.09 11:10:30 | 000,001,179 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-cz.xml

O1 HOSTS File: ([2010.09.16 09:30:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Adresa) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Společnost Microsoft)
O3 - HKCU\..\Toolbar\WebBrowser: (&Adresa) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Společnost Microsoft)
O3 - HKCU\..\Toolbar\WebBrowser: (&Odkazy) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [POINTER] File not found
O4 - HKLM..\Run: [Print Manager] C:\Program Files\Print Server Utilities\PSAgent.exe (Edimax Technology Co., Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\CIT200.lnk = C:\Program Files\Linksys\CIT200\cit200.exe (Linksys)
O4 - Startup: C:\Documents and Settings\v2\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_16.09.2010_12-24.lnk = C:\Documents and Settings\v2\Plocha\PCHELP\Virus Removal Tool\setup_9.0.0.722_16.09.2010_12-24\startup.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LegalNoticeText =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LegalNoticeCaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microso ... 1944494796 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 1944478078 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Společnost Microsoft)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Proces mezipaměti kategorií součástí - C:\WINDOWS\system32\browseui.dll (Společnost Microsoft)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.07.30 12:46:36 | 000,000,061 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.09.17 11:48:55 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\v2\Plocha\OTL.exe
[2010.09.17 09:47:30 | 000,000,000 | ---D | C] -- C:\_OTM
[2010.09.17 09:46:53 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\OTM.exe
[2010.09.16 12:37:26 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\5310218.sys
[2010.09.16 12:37:26 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\53102181.sys
[2010.09.16 12:37:26 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\53102182.sys
[2010.09.16 12:33:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\v2\Recent
[2010.09.16 12:32:57 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010.09.16 07:57:34 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Hardware
[2010.09.15 19:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
[2010.09.15 18:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Mozilla
[2010.09.15 18:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Data aplikací\Mozilla
[2010.09.15 18:07:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Data aplikací\FileOpen
[2010.09.15 15:22:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\v2\Plocha\PCHELP
[2010.09.15 14:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\v2\Local Settings\Data aplikací\ESET
[2010.09.15 14:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\v2\Data aplikací\ESET
[2010.09.15 14:36:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Data aplikací\ESET
[2010.09.15 14:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010.09.15 14:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Data aplikací\ESET
[2010.09.15 13:33:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.09.15 13:33:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.03 10:04:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\XSxS
[2010.09.03 10:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Xenocode
[2010.09.03 08:28:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\v2\Data aplikací\WinRAR
[2010.09.03 08:27:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009.04.17 08:05:35 | 000,090,112 | ---- | C] ( ) -- C:\WINDOWS\System32\dirport.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.09.17 12:00:09 | 000,001,436 | ---- | M] () -- C:\WINDOWS\WDICT32.INI
[2010.09.17 11:55:12 | 000,000,041 | ---- | M] () -- C:\WINDOWS\Filzip.ini
[2010.09.17 11:49:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\v2\Plocha\OTL.exe
[2010.09.17 11:00:23 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.09.17 10:18:44 | 000,004,939 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010.09.17 09:53:16 | 000,693,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.09.17 09:53:16 | 000,258,560 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.09.17 09:49:27 | 000,002,352 | ---- | M] () -- C:\Documents and Settings\v2\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_16.09.2010_12-24.lnk
[2010.09.17 09:49:10 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.09.17 09:48:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.09.17 09:48:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.09.17 09:48:03 | 011,010,048 | -H-- | M] () -- C:\Documents and Settings\v2\NTUSER.DAT
[2010.09.17 09:47:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\v2\ntuser.ini
[2010.09.17 09:46:34 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\OTM.exe
[2010.09.17 08:32:21 | 000,003,299 | ---- | M] () -- C:\WINDOWS\WTRAN32.INI
[2010.09.17 06:45:36 | 002,529,609 | ---- | M] () -- C:\Documents and Settings\v2\Dokumenty\03346-100916 VS.pdf
[2010.09.17 06:45:34 | 002,536,882 | ---- | M] () -- C:\Documents and Settings\v2\Dokumenty\03346-100916 RS.pdf
[2010.09.17 06:40:58 | 000,043,520 | ---- | M] () -- C:\Documents and Settings\v2\Dokumenty\100916 LS-Gmbh an sro CFC Gewicht 30kg.xls
[2010.09.17 06:35:52 | 000,001,125 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2010.09.17 06:13:02 | 000,007,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\uti3otqx.sys
[2010.09.16 17:48:26 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010.09.16 11:43:14 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends Archiv 16 09 2010 lj überprüft.xls
[2010.09.16 11:40:21 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends Archiv 15 09 2010 lj.xls
[2010.09.16 09:30:59 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.09.16 09:30:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.09.16 08:10:07 | 000,310,280 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.09.16 07:48:03 | 006,952,070 | -H-- | M] () -- C:\Documents and Settings\v2\Local Settings\Data aplikací\IconCache.db
[2010.09.15 18:08:52 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010.09.15 11:46:39 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends.xls
[2010.09.14 13:33:18 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\100914 LS-Gmbh an sro Aufträge 3237-3350-3356-3314 Gewicht 273kg.xls
[2010.09.14 11:01:11 | 000,000,635 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.09.14 09:18:23 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Úprava počtu znaků ve sloupcích pro data na Speedjet v.doc
[2010.09.09 13:55:46 | 000,708,854 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\1768 JAWA MINI Taschenkalender 2011 150 1.pdf
[2010.09.09 13:08:27 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Namenskarten aus Archiv 09 09 2010.xls
[2010.09.09 12:50:30 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\QIII wegschmeissen.xls
[2010.09.07 12:49:18 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\100907 LS-Gmbh an sro Aufträge 3316-3314-3348 +Heißprägefolie Gewicht 555kg.xls
[2010.09.07 12:49:17 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\100907 LS-Gmbh an sro Aufträge 3297-3086-3208 Gewicht 2626kg LEHNERT.xls
[2010.09.03 10:02:01 | 000,001,001 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100915-200053.backup
[2010.08.31 08:25:16 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\AvanCarte Restbestände die bei der Bestellung berüksichtigt werden.xls
[2010.08.19 13:24:57 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\AvanCarte Bestande von Archiv zu 18.08.2010 skut.stav.xls
[2010.08.19 13:22:45 | 001,273,344 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\Avancarte neue Motive.doc
[2010.08.19 07:38:39 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\v2\Plocha\AvanCarte Bestande von Archiv zu 18.08.2010.xls
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.09.17 09:51:54 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010.09.17 06:45:34 | 002,529,609 | ---- | C] () -- C:\Documents and Settings\v2\Dokumenty\03346-100916 VS.pdf
[2010.09.17 06:45:33 | 002,536,882 | ---- | C] () -- C:\Documents and Settings\v2\Dokumenty\03346-100916 RS.pdf
[2010.09.17 06:40:56 | 000,043,520 | ---- | C] () -- C:\Documents and Settings\v2\Dokumenty\100916 LS-Gmbh an sro CFC Gewicht 30kg.xls
[2010.09.17 06:13:00 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\uti3otqx.sys
[2010.09.16 17:48:26 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010.09.16 12:39:17 | 000,002,352 | ---- | C] () -- C:\Documents and Settings\v2\Nabídka Start\Programy\Po spuštění\setup_9.0.0.722_16.09.2010_12-24.lnk
[2010.09.16 11:43:13 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends Archiv 16 09 2010 lj überprüft.xls
[2010.09.15 18:08:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010.09.15 12:24:06 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends Archiv 15 09 2010 lj.xls
[2010.09.15 11:46:38 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Avan Carte Motiv Übersicht f. AT#1634 u. AvanFriends.xls
[2010.09.14 13:33:18 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\100914 LS-Gmbh an sro Aufträge 3237-3350-3356-3314 Gewicht 273kg.xls
[2010.09.09 22:00:33 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Úprava počtu znaků ve sloupcích pro data na Speedjet v.doc
[2010.09.09 13:55:43 | 000,708,854 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\1768 JAWA MINI Taschenkalender 2011 150 1.pdf
[2010.09.09 13:08:22 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Namenskarten aus Archiv 09 09 2010.xls
[2010.09.09 12:50:29 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\QIII wegschmeissen.xls
[2010.09.07 12:49:17 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\100907 LS-Gmbh an sro Aufträge 3316-3314-3348 +Heißprägefolie Gewicht 555kg.xls
[2010.09.07 12:49:17 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\100907 LS-Gmbh an sro Aufträge 3297-3086-3208 Gewicht 2626kg LEHNERT.xls
[2010.08.31 07:57:02 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\AvanCarte Restbestände die bei der Bestellung berüksichtigt werden.xls
[2010.08.19 13:22:44 | 001,273,344 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\Avancarte neue Motive.doc
[2010.08.19 09:33:22 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\v2\Plocha\AvanCarte Bestande von Archiv zu 18.08.2010 skut.stav.xls
[2010.06.06 16:20:02 | 000,065,344 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll
[2009.07.09 07:54:08 | 000,000,026 | ---- | C] () -- C:\WINDOWS\Lvdbed.INI
[2009.04.17 08:05:35 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\GDIBot.dll
[2009.04.17 08:05:35 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\InstallGDIPS.dll
[2009.04.17 08:05:35 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\Install98GDIPS.dll
[2009.04.17 08:05:35 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\mfpcoins.dll
[2009.04.17 08:05:35 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ddschk.dll
[2009.04.17 08:05:35 | 000,000,548 | ---- | C] () -- C:\WINDOWS\System32\cliktext.ini
[2009.04.17 08:05:35 | 000,000,101 | ---- | C] () -- C:\WINDOWS\PSXLPR.INI
[2008.08.26 07:03:21 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.05.16 18:59:01 | 000,000,530 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2008.02.27 08:21:07 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\Scos4prx.dll
[2008.02.07 20:46:25 | 000,000,704 | ---- | C] () -- C:\WINDOWS\Setupwizard.ini
[2008.02.02 19:34:27 | 000,000,041 | ---- | C] () -- C:\WINDOWS\System32\Filzip.ini
[2008.02.02 11:49:55 | 000,001,401 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008.02.02 11:20:34 | 000,000,041 | ---- | C] () -- C:\WINDOWS\Filzip.ini
[2008.02.02 11:14:26 | 000,003,299 | ---- | C] () -- C:\WINDOWS\WTRAN32.INI
[2008.02.02 11:13:53 | 000,001,436 | ---- | C] () -- C:\WINDOWS\WDICT32.INI
[2008.02.02 11:11:55 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\v2\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.02.02 10:49:49 | 000,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2008.02.02 10:48:56 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008.02.02 10:48:56 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008.02.02 10:48:55 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008.02.02 10:48:55 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008.02.02 10:48:55 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008.02.02 10:32:24 | 000,004,939 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2008.02.02 09:53:57 | 000,447,120 | R--- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008.02.02 09:53:57 | 000,200,704 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2004.02.05 00:22:38 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectLEMonNT.dll

========== LOP Check ==========

[2008.02.02 19:59:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Data aplikací\CanonBJ
[2010.09.15 14:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\ESET
[2010.05.07 07:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\F-Secure
[2009.01.16 14:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\FileOpen
[2010.07.15 13:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\PDF reDirect
[2009.11.02 14:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\Temp
[2009.10.12 12:11:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Data aplikací\WinZip
[2008.02.02 11:09:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\ACD Systems
[2009.07.17 08:59:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\Avant Browser
[2010.06.30 07:23:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\BitSpirit
[2008.08.08 09:12:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\Canon
[2010.09.15 14:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\ESET
[2009.01.16 14:44:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\FileOpen
[2009.07.17 13:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\gtk-2.0
[2010.07.15 13:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\PDF reDirect
[2010.03.09 14:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\v2\Data aplikací\TeamViewer
[2010.09.17 11:00:23 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


< End of report >


Re: Please check the log. The PC is probably infected again

Post by jaro3 (Security team member) » 17 Sep 2010 15:03

Not in TV studio equipment... :D

Double-click the OTL icon on the desktop. Make sure all other applications and browsers are closed.
Under Custom Scans/Fixes, paste the following text (shown in green) into the box:

Code:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
O1 HOSTS File: ([2010.09.16 09:30:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Protocol\Handler\msdaipp - No CLSID value found
O32 - AutoRun File - [2010.07.30 12:46:36 | 000,000,061 | R--- | M] () - E:\autorun.inf -- [ CDFS ]

:Files
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\system32\SET*.tmp
c:\windows\Tasks\*.job
C:\*.tmp
C:\WINDOWS\System32\drivers\etc\hosts.20100915-200053.backup
C:\Documents and Settings\v2\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Reg
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[start explorer]
[Reboot]


Then click Run Fix at the top. Let the program run undisturbed; at the end the PC will restart.
After the restart a log will appear; please paste its entire contents here.

In Folder Options, enable showing hidden files and folders and untick "Hide protected operating system files".

Test these on VirusTotal:
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\drivers\5310218.sys
C:\WINDOWS\Lvdbed.INI
C:\WINDOWS\System32\GDIBot.dll
C:\WINDOWS\System32\InstallGDIPS.dll
C:\WINDOWS\System32\mfpcoins.dll
C:\WINDOWS\system32\drivers\uti3otqx.sys
C:\WINDOWS\System32\drivers\STLD.SYS
C:\WINDOWS\system32\drivers\mfpec.sys

Click Choose to the right of the box and find the requested file on your PC in Explorer. Select it with the mouse and click Open, then click Send File. If the file has already been tested, a window appears in which you click Reanalyze. The file is then tested by several antivirus engines in turn. When the last antivirus finishes, the result appears at the top with the number of detections in red, e.g. 0/40 or 1/40. Then copy the link to that page and paste it into your post.
When working with HJT, ComboFix, MBAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
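A small triage helper for OTL file entries like those in the log above, added here as an example (it is not part of OTL and not code from jaro3's post): it parses the `[date | size | attrs | C/M] (company) -- path` lines and applies the same reasoning the helper used when picking files for VirusTotal, listing code files under C:\WINDOWS that carry no company name and ranking first those that are recent or have a random-looking name. The sample lines are constructed from entries quoted in this thread, and the ranking rule is my own heuristic, not an OTL feature.

```python
"""Triage helper for OTL "Files/Folders" entries (added example, not OTL's own code)."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Layout of one OTL file entry, as seen in the logs in this thread:
#   [YYYY.MM.DD HH:MM:SS | 000,575,488 | ---- | C] (Company) -- C:\path
# Directories have no "(Company)" part; files without version info show "()".
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# File types worth a second look when they sit under the Windows directory.
CODE_EXTENSIONS = (".sys", ".dll", ".exe")


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str      # e.g. "---D" for a directory, "-H--" for a hidden file
    kind: str       # "C" = created, "M" = modified
    company: str    # empty when OTL found no company name in the version info
    path: str


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file entry; return None for headers, blanks and other lines."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attr"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )


def looks_random(stem: str) -> bool:
    """Heuristic (my own, not OTL's): a short lowercase mix of letters and digits."""
    return (re.fullmatch(r"[a-z0-9]{6,10}", stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(lines, report_date: datetime, window_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for code files under C:\\WINDOWS with no company name.

    Entries with more reasons come first; a fresh, oddly named driver with no
    company name lands at the top, which is what the helper in this thread sent
    to VirusTotal first.
    """
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e.attrs.endswith("D"):
            continue  # not a file entry, or a directory
        lower = e.path.lower()
        if not lower.startswith("c:\\windows\\") or not lower.endswith(CODE_EXTENSIONS):
            continue
        if e.company:
            continue  # a company name proves nothing, but it is not what this pass triages
        reasons = ["no company name"]
        if report_date - e.timestamp <= timedelta(days=window_days):
            reasons.append(f"created/modified within {window_days} days")
        stem = ntpath.splitext(ntpath.basename(lower))[0]
        if looks_random(stem):
            reasons.append("random-looking name")
        findings.append((e.path, reasons))
    findings.sort(key=lambda f: (-len(f[1]), f[0].lower()))
    return findings


# Sample entries constructed from lines quoted in this thread (not a full OTL log).
SAMPLE_LOG = r"""
[2010.09.17 11:48:55 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\v2\Plocha\OTL.exe
[2010.09.17 09:47:30 | 000,000,000 | ---D | C] -- C:\_OTM
[2010.09.16 12:37:26 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\5310218.sys
[2010.09.15 13:33:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.09.17 06:13:00 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\uti3otqx.sys
[2009.04.17 08:05:35 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\GDIBot.dll
[2009.04.17 08:05:35 | 000,090,112 | ---- | C] ( ) -- C:\WINDOWS\System32\dirport.dll
[2010.09.16 09:30:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()
REPORT_DATE = datetime(2010, 9, 17)  # date of the OTL run in this thread


def triage_sample() -> List[Tuple[str, List[str]]]:
    """Run the triage over the constructed sample lines."""
    return triage(SAMPLE_LINES, REPORT_DATE)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(f"{path}: {', '.join(reasons)}")
```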


Post by jumbovrte » 20 Sep 2010 06:18

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

OTL got stuck on this one, or I don't know whether it is supposed to run that long (about 5 minutes)... So I restarted it...

When I checked my mailbox from home, where I receive mail via Thunderbird, those bounce messages kept coming all weekend...



Post by jumbovrte » 20 Sep 2010 07:38

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page =

OTL also gets stuck on this line, after I didn't let it delete the previous one. Or rather it hangs: it ran for over 20 minutes with no activity....


Post by jaro3 » 20 Sep 2010 11:40

Yeah, it sometimes freezes on that..

C:\WINDOWS\System32\drivers\5310218.sys
C:\WINDOWS\System32\drivers\53102181.sys
C:\WINDOWS\System32\drivers\53102182.sys
= these should belong to Kaspersky Lab (C:\Documents and Settings\v2\Plocha\PCHELP\Virus Removal Tool\setup_9.0.0.722_16.09.2010_12-24) == if so, uninstall it, delete it, download a fresh copy and install it.


Try it with this:

Code:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
DRV - (uti3otqx) -- C:\WINDOWS\system32\drivers\uti3otqx.sys ()
DRV - (53102182) -- C:\WINDOWS\system32\DRIVERS\53102182.sys (Kaspersky Lab)
DRV - (setup_9.0.0.722_16.09.2010_12-24drv) -- C:\WINDOWS\system32\drivers\5310218.sys (Kaspersky Lab)
DRV - (53102181) -- C:\WINDOWS\system32\drivers\53102181.sys (Kaspersky Lab)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
O1 HOSTS File: ([2010.09.16 09:30:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [POINTER] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Protocol\Handler\msdaipp - No CLSID value found
O32 - AutoRun File - [2010.07.30 12:46:36 | 000,000,061 | R--- | M] () - E:\autorun.inf -- [ CDFS ]

:Files
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\system32\SET*.tmp
c:\windows\Tasks\*.job
C:\*.tmp
C:\WINDOWS\System32\drivers\etc\hosts.20100915-200053.backup
C:\Documents and Settings\v2\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\WINDOWS\System32\drivers\5310218.sys
C:\WINDOWS\System32\drivers\53102181.sys
C:\WINDOWS\System32\drivers\53102182.sys
C:\WINDOWS\System32\drivers\5310218.sys
C:\WINDOWS\System32\GDIBot.dll
C:\WINDOWS\system32\drivers\uti3otqx.sys
C:\WINDOWS\System32\perfh009.dat
C:\WINDOWS\System32\perfc009.dat
C:\WINDOWS\tasks\SA.DAT
C:\OTM.exe
C:\WINDOWS\System32\ezsidmv.dat

:Reg
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[start explorer]
[Reboot]


Post by jumbovrte » 20 Sep 2010 11:50

DRV - (uti3otqx) -- C:\WINDOWS\system32\drivers\uti3otqx.sys ()DRV - (53102182) -- C:\WINDOWS\system32\DRIVERS\53102182.sys (Kaspersky Lab)

Now it froze on this one. So I'll try downloading and installing it again. Or rather, if we don't need it any more, I'll just uninstall it, at least for OTL's sake, right?


Post by jaro3 » 20 Sep 2010 11:55

Uninstall it and then try the same script once more.


Post by jumbovrte » 20 Sep 2010 11:59

I uninstalled it and manually deleted:
C:\WINDOWS\System32\drivers\5310218.sys
C:\WINDOWS\System32\drivers\53102181.sys
C:\WINDOWS\System32\drivers\53102182.sys

Then I ran OTL with your script, except that I removed the following lines from it:

DRV - (uti3otqx) -- C:\WINDOWS\system32\drivers\uti3otqx.sys ()DRV - (53102182) -- C:\WINDOWS\system32\DRIVERS\53102182.sys (Kaspersky Lab)
DRV - (setup_9.0.0.722_16.09.2010_12-24drv) -- C:\WINDOWS\system32\drivers\5310218.sys (Kaspersky Lab)
DRV - (53102181) -- C:\WINDOWS\system32\drivers\53102181.sys (Kaspersky Lab)

The script ran in OTL; I attach the log.
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
No active process named firefox.exe was found!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomizeSearch| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page| /E : value set successfully!
127.0.0.1 localhost removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\POINTER deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
File Protocol\Handler\msdaipp - No CLSID value found not found.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
========== FILES ==========
C:\WINDOWS\System32\PerfStringBackup.TMP moved successfully.
File\Folder C:\WINDOWS\*.tmp not found.
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
c:\windows\Tasks\MP Scheduled Scan.job moved successfully.
File\Folder C:\*.tmp not found.
C:\WINDOWS\System32\drivers\etc\hosts.20100915-200053.backup moved successfully.
C:\Documents and Settings\v2\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
File\Folder C:\WINDOWS\System32\drivers\5310218.sys not found.
File\Folder C:\WINDOWS\System32\drivers\53102181.sys not found.
File\Folder C:\WINDOWS\System32\drivers\53102182.sys not found.
File\Folder C:\WINDOWS\System32\drivers\5310218.sys not found.
C:\WINDOWS\System32\GDIBot.dll moved successfully.
File\Folder C:\WINDOWS\system32\drivers\uti3otqx.sys not found.
C:\WINDOWS\System32\perfh009.dat moved successfully.
C:\WINDOWS\System32\perfc009.dat moved successfully.
C:\WINDOWS\tasks\SA.DAT moved successfully.
C:\OTM.exe moved successfully.
C:\WINDOWS\System32\ezsidmv.dat moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 4992 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: v2
->Temp folder emptied: 996200 bytes
->Temporary Internet Files folder emptied: 35912 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41904830 bytes
->Flash cache emptied: 689 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10981 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 41,00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: v2
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09202010_115304

Files\Folders moved on Reboot...
File move failed. E:\autorun.inf scheduled to be moved on reboot.

Registry entries deleted on Reboot...

