Please check... Suspected virus (Solved)

A place for your HiJackThis logs and logs from other programs…

Moderators: Mods_senior, Security team

Kobra.svk
Level 2
Posts: 219
Registered: January 08
Location: Pezinok
Gender: Male

Please check... Suspected virus

Post by Kobra.svk » 05 Jul 2009 14:18

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:15, on 5.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\Habu\razerhid.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\ld12.exe
C:\windows\pp10.exe
C:\PROGRA~1\ICQ6.5\ICQ.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvoriť mobilnú obľúbenú položku... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6674 bytes
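An added triage aid for HijackThis logs like the ones in this thread (example code written here, not from the thread, from HijackThis or from any tool the helpers recommend): it parses the "Running processes" block and the O4 Run entries, pulls out each executable path and flags locations that do not fit where Windows XP's core binaries and ordinary programs live (a core binary name outside System32, a file sitting directly in C:\WINDOWS or in a user profile root, the same file name auto-started from two different directories). The sample lines are excerpted from the second log posted in this thread; the path rules, the allowlist and the assumption of a C: system drive are illustrative, and a hit is a reason to look closer, not a verdict.

```python
import re

# Where Windows XP keeps its core binaries (lower-cased; assumption: system drive C:)
SYSTEM_DIR = r"c:\windows\system32"
WINDOWS_DIR = r"c:\windows"

# Core binary name -> directory it is expected in. The same name anywhere else
# is a classic masquerade (e.g. C:\WINDOWS\services.exe next to the real one).
EXPECTED_HOME = {
    "smss.exe": SYSTEM_DIR, "csrss.exe": SYSTEM_DIR, "winlogon.exe": SYSTEM_DIR,
    "services.exe": SYSTEM_DIR, "lsass.exe": SYSTEM_DIR, "svchost.exe": SYSTEM_DIR,
    "spoolsv.exe": SYSTEM_DIR, "ctfmon.exe": SYSTEM_DIR, "explorer.exe": WINDOWS_DIR,
}
# Executables that legitimately sit directly in C:\WINDOWS (illustrative allowlist)
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

PROCESS_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")


def extract_exe(cmd):
    """Pull the executable path out of a Run value (handles quoted and bare paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_path(path):
    """Findings for one executable path (empty list = nothing unusual about its location)."""
    low = path.lower().replace("/", "\\")
    parent, _, name = low.rpartition("\\")
    findings = []
    home = EXPECTED_HOME.get(name)
    if home and parent != home:
        findings.append(f"core binary name {name} outside its expected directory {home}")
    if parent == WINDOWS_DIR and name not in WINDOWS_ROOT_OK:
        findings.append("executable placed directly in the Windows directory")
    if PROFILE_ROOT_RE.match(parent):
        findings.append("executable placed directly in a user profile root")
    return findings


def triage_log(text):
    """Walk a HijackThis-style log and return {path: [findings]} for suspicious paths.
    Paths come from the "Running processes:" block and from O4 Run entries."""
    running, autostart, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False  # the process block ends at the first blank line
            continue
        if in_procs and PROCESS_RE.match(line):
            running.add(line.lower())
            continue
        m = O4_RE.match(line)
        if m:
            autostart[extract_exe(m.group("cmd")).lower()] = (m.group("hive"), m.group("name"))
    # The same file name auto-started from more than one directory is itself a signal
    dirs_by_name = {}
    for path in autostart:
        parent, _, name = path.rpartition("\\")
        dirs_by_name.setdefault(name, set()).add(parent)
    report = {}
    for path in sorted(running | set(autostart)):
        findings = triage_path(path)
        name = path.rpartition("\\")[2]
        if path in autostart and len(dirs_by_name[name]) > 1:
            findings.append(f"{name} is auto-started from {len(dirs_by_name[name])} different directories")
        if findings and path in autostart and path in running:
            hive, value = autostart[path]
            findings.append(f"running now and persisted via {hive} Run value [{value}]")
        if findings:
            report[path] = findings
    return report


# Constructed sample: lines excerpted from the second log in this thread
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld12.exe
C:\Documents and Settings\Kobra\reader_s.exe
C:\Program Files\Xfire\Xfire.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Kobra\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for path, findings in triage_log(SAMPLE_LOG).items():
        print(path)
        for finding in findings:
            print("   -", finding)
```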

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male

Re: Please check... Suspected virus

Post by jaro3 » 05 Jul 2009 14:28

That looks like it..

Turn off the resident protection of Avast or NOD32.
Download ComboFix (by sUBs)
and save it to your desktop.
Close all active windows and run it.
- After launching, the terms of use are shown; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- After the scan finishes the program should create a log - C:\ComboFix.txt - please copy its entire contents here

I'm heading out, I'll be back in the evening, or Damned will advise..
Last edited by jaro3 on 06 Jul 2009 18:30, edited 1 time in total.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support


Re: Please check... Suspected virus

Post by Kobra.svk » 05 Jul 2009 14:38

Downloaded it, but it won't run... some alert... that it's not safe... that I should download a fresh version from http://..... and finally that I may have been infected with the Virut virus..... what is the next recommended step?? thx =)


Re: Please check... Suspected virus

Post by jaro3 » 05 Jul 2009 17:58

Your post in the viruses section, about Virut, is that the same PC?
If so:
Download and run:
http://www.softpedia.com/get/Antivirus/ ... over.shtml
*****************************************************************************************************************************************
Try here
http://www.edisk.cz/stahni/71174/tools.rar_3.62MB.html

to download some small programs that we might need.
Unpack the archive into your own directory. The files are deliberately named differently from the originals in the guides, so don't be surprised.
Then try running:
itr - RSIT
buss - DDS
VerTerm = ComboFix

If VerTerm works for you, paste its log here.
For the ComboFix instructions, see above.

Re: Please check... Suspected virus

Post by Kobra.svk » 06 Jul 2009 20:21

I ran rmvirut several times... just to be sure... after restarting the PC....
I ran itr, i.e. RSIT ... log
Logfile of random's system information tool 1.05 (written by random/random)
Run by Kobra at 2009-07-06 20:01:37
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (7%) free of 42 GB
Total RAM: 1791 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:52, on 6.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\ld12.exe
C:\PROGRA~1\ICQ6.5\ICQ.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kobra\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kobra\Desktop\itr.exe
C:\Program Files\Trend Micro\HijackThis\Kobra.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Kobra\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvoriť mobilnú obľúbenú položku... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6187 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2009-04-23 937416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Habu"=C:\Program Files\Razer\Habu\razerhid.exe [2007-05-11 196608]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-02-06 2021400]
"services"=C:\WINDOWS\services.exe [2009-07-06 73216]
"reader_s"=C:\WINDOWS\System32\reader_s.exe [2009-07-06 47104]
"sysldtray"=C:\windows\ld12.exe [2009-07-06 40960]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ"=C:\PROGRA~1\ICQ6.5\ICQ.exe [2009-03-01 172792]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 35328]
"reader_s"=C:\Documents and Settings\Kobra\reader_s.exe [2009-07-05 47104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GRemoteServer Pro]
C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe [2009-04-26 1745408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Meter]
C:\PROGRA~1\Mouse Meter\MouseMeter.exe [2002-12-19 1295360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1714176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-05-26 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
C:\WINDOWS\services.exe [2009-07-06 73216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2280448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-13 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-06-24 1850608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
C:\WINDOWS\system32\TWEAKUI.CPL [2003-03-25 106544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 499712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE [2003-11-18 585728]

C:\Documents and Settings\Kobra\Start Menu\Programs\Startup
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-02-25 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Java\jre6\launch4j-tmp\frd.exe"="C:\Program Files\Java\jre6\launch4j-tmp\frd.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"D:\Program Files\Warcraft III\Frozen Throne.exe"="D:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Frozen Throne"
"D:\Program Files\Warcraft III\war3.exe"="D:\Program Files\Warcraft III\war3.exe:*:Enabled:Warcraft III"
"C:\Program Files\BitSpirit\BitSpirit.exe"="C:\Program Files\BitSpirit\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"C:\Program Files\QIP Infium\infium.exe"="C:\Program Files\QIP Infium\infium.exe:*:Enabled:QIP Infium"
"C:\Program Files\Cyanide\GameCenter\GameCenter.exe"="C:\Program Files\Cyanide\GameCenter\GameCenter.exe:*:Enabled:GameCenter"
"C:\Program Files\Hamachi\hamachi.exe"="C:\Program Files\Hamachi\hamachi.exe:*:Enabled:Hamachi Client"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"D:\Program Files\Eidos Interactive\Pyro Studios\Praetorians\Praetorians.exe"="D:\Program Files\Eidos Interactive\Pyro Studios\Praetorians\Praetorians.exe:*:Enabled:Praetorians"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\HLSW\hlsw.exe"="C:\Program Files\HLSW\hlsw.exe:*:Enabled:HLSW Application"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"D:\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="D:\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"D:\Program Files\KONAMI\Yu-Gi-Oh! Power of Chaos JOEY THE PASSION\joey_pc.exe"="D:\Program Files\KONAMI\Yu-Gi-Oh! Power of Chaos JOEY THE PASSION\joey_pc.exe:*:Enabled:joey_pc"
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe"="C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"D:\RapGet Downloads\GRemoteServer.exe"="D:\RapGet Downloads\GRemoteServer.exe:*:Enabled:GRemoteServer"
"C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe"="C:\Program Files\GBM\GRemote Pro\GRemoteServer.exe:*:Enabled:GRemoteServer Pro"
"D:\Warcraft III demon craft\Demon Craft\Warcraft III.exe"="D:\Warcraft III demon craft\Demon Craft\Warcraft III.exe:*:Enabled:Warcraft III"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

======List of files/folders created in the last 1 months======

2009-07-06 18:09:19 ----A---- C:\WINDOWS\system32\223.tmp
2009-07-06 18:08:59 ----A---- C:\WINDOWS\system32\59.tmp
2009-07-06 15:10:17 ----A---- C:\WINDOWS\system32\1E.tmp
2009-07-06 10:17:21 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
2009-07-06 08:52:54 ----A---- C:\WINDOWS\system32\1B.tmp
2009-07-06 08:52:32 ----A---- C:\WINDOWS\system32\F.tmp
2009-07-06 07:15:41 ----D---- C:\rsit
2009-07-06 00:37:40 ----A---- C:\WINDOWS\system32\11.tmp
2009-07-06 00:37:32 ----A---- C:\WINDOWS\system32\B.tmp
2009-07-06 00:37:23 ----A---- C:\WINDOWS\ld12.exe
2009-07-05 20:25:06 ----A---- C:\WINDOWS\services.exe
2009-07-05 20:25:03 ----A---- C:\WINDOWS\system32\203.tmp
2009-07-05 20:25:02 ----A---- C:\WINDOWS\system32\200.tmp
2009-07-05 20:25:00 ----A---- C:\WINDOWS\system32\reader_s.exe
2009-07-05 20:24:54 ----A---- C:\WINDOWS\system32\1FA.tmp
2009-07-05 20:20:08 ----D---- C:\WINDOWS\CSC
2009-07-05 20:07:04 ----D---- C:\Program Files\ESET
2009-07-05 20:07:04 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2009-07-05 14:33:05 ----D---- C:\Documents and Settings\Kobra\Application Data\Malwarebytes
2009-07-05 14:33:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-05 14:33:01 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-05 14:19:04 ----D---- C:\Qoobox
2009-07-05 14:19:03 ----A---- C:\Bug.txt
2009-07-02 19:22:00 ----D---- C:\Documents and Settings\Kobra\Application Data\Mount&Blade
2009-06-29 21:43:32 ----D---- C:\Program Files\X-ray Anti-Cheat
2009-06-29 00:14:59 ----D---- C:\Documents and Settings\All Users\Application Data\Blizzard
2009-06-24 14:55:54 ----D---- C:\Documents and Settings\All Users\Application Data\Sony
2009-06-24 14:55:33 ----D---- C:\Program Files\Sony
2009-06-24 14:53:47 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-06-24 14:52:55 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2009-06-24 14:51:53 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2009-06-23 19:16:30 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2009-06-23 19:16:29 ----D---- C:\Program Files\Xvid
2009-06-23 19:14:00 ----D---- C:\Program Files\FDRLab
2009-06-16 16:36:17 ----D---- C:\Program Files\Parallel Port Joystick
2009-06-16 16:27:46 ----D---- C:\Documents and Settings\Kobra\Application Data\GBM Software
2009-06-16 16:27:15 ----D---- C:\Program Files\GBM
2009-06-15 21:48:43 ----A---- C:\WINDOWS\system32\JR_PPM.dll
2009-06-15 21:48:43 ----A---- C:\WINDOWS\system32\JR_PCM.dll
2009-06-15 21:48:43 ----A---- C:\WINDOWS\system32\Futaba_PPM.dll
2009-06-15 21:48:43 ----A---- C:\WINDOWS\system32\Futaba_PCM.dll
2009-06-15 21:42:24 ----D---- C:\Program Files\EACom
2009-06-12 15:03:28 ----D---- C:\Program Files\QuickTime
2009-06-12 15:03:28 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-06-12 00:29:50 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-06-11 13:27:04 ----D---- C:\WINDOWS\ie8updates
2009-06-11 13:04:21 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-06-11 10:22:57 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-06-10 23:10:09 ----D---- C:\Program Files\Adobe Media Player
2009-06-10 23:08:10 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-06-09 17:56:02 ----A---- C:\WINDOWS\system32\vncmirror.dll
2009-06-09 16:27:53 ----D---- C:\Program Files\Common Files\Lingea Shared
2009-06-09 11:04:11 ----D---- C:\Documents and Settings\Kobra\Application Data\TeamViewer
2009-06-09 11:03:54 ----D---- C:\Program Files\TeamViewer
2009-06-09 09:44:34 ----D---- C:\Documents and Settings\Kobra\Application Data\Download Manager
2009-06-09 09:44:25 ----D---- C:\WINDOWS\Sun

======List of files/folders modified in the last 1 months======

2009-07-06 19:58:51 ----D---- C:\WINDOWS\Temp
2009-07-06 19:58:29 ----D---- C:\Program Files\Mozilla Firefox
2009-07-06 19:58:02 ----D---- C:\WINDOWS
2009-07-06 19:57:43 ----D---- C:\WINDOWS\Prefetch
2009-07-06 19:56:36 ----D---- C:\WINDOWS\system32
2009-07-06 18:38:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-06 18:09:25 ----D---- C:\WINDOWS\system32\drivers
2009-07-06 15:10:15 ----SHD---- C:\WINDOWS\Installer
2009-07-06 11:15:19 ----RD---- C:\Program Files
2009-07-06 10:17:21 ----D---- C:\Program Files\Common Files
2009-07-06 09:25:46 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-06 07:18:42 ----D---- C:\Documents and Settings\Kobra\Application Data\Xfire
2009-07-06 00:37:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-07-05 20:08:08 ----HD---- C:\WINDOWS\inf
2009-07-05 19:21:55 ----D---- C:\Documents and Settings\Kobra\Application Data\HLSW
2009-07-05 19:19:34 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-07-05 14:01:18 ----D---- C:\WINDOWS\Minidump
2009-07-05 13:57:39 ----SD---- C:\Documents and Settings\Kobra\Application Data\Microsoft
2009-07-05 13:57:39 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-07-04 01:22:56 ----RD---- C:\WINDOWS\Web
2009-07-04 01:22:36 ----D---- C:\WINDOWS\system32\wbem
2009-07-04 01:21:51 ----D---- C:\WINDOWS\system32\oobe
2009-07-04 01:04:29 ----D---- C:\WINDOWS\Help
2009-07-04 00:58:17 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-03 23:16:15 ----D---- C:\Program Files\WinRAR
2009-07-03 23:11:41 ----D---- C:\Program Files\NetMeeting
2009-07-03 22:37:32 ----D---- C:\WINDOWS\system32\DirectX
2009-07-03 22:36:09 ----RSD---- C:\WINDOWS\assembly
2009-07-03 21:08:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-03 19:04:26 ----D---- C:\Downloads
2009-07-02 21:45:34 ----D---- C:\Documents and Settings\Kobra\Application Data\teamspeak2
2009-07-02 18:22:32 ----D---- C:\Program Files\Xfire
2009-07-02 12:43:15 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-29 21:43:40 ----D---- C:\WINDOWS\WinSxS
2009-06-29 00:18:51 ----D---- C:\WINDOWS\Debug
2009-06-28 20:59:28 ----D---- C:\Program Files\mIRC
2009-06-25 11:38:25 ----D---- C:\WINDOWS\system32\CatRoot
2009-06-25 09:44:15 ----D---- C:\WINDOWS\AppPatch
2009-06-24 14:53:13 ----D---- C:\Program Files\Windows Media Player
2009-06-24 14:52:00 ----D---- C:\WINDOWS\system32\LogFiles
2009-06-24 13:21:48 ----D---- C:\Program Files\SUPERAntiSpyware
2009-06-23 19:13:36 ----D---- C:\Program Files\CENZURA
2009-06-16 16:24:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-06-15 14:29:53 ----D---- C:\Program Files\Microsoft ActiveSync
2009-06-11 20:15:47 ----D---- C:\Documents and Settings\Kobra\Application Data\Adobe
2009-06-11 13:27:08 ----D---- C:\Program Files\Internet Explorer
2009-06-11 13:27:02 ----HD---- C:\WINDOWS\$hf_mig$
2009-06-11 13:12:07 ----D---- C:\Program Files\Adobe
2009-06-11 13:10:55 ----D---- C:\Program Files\Common Files\Adobe
2009-06-11 13:10:38 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-06-11 13:09:18 ----RSD---- C:\WINDOWS\Fonts
2009-06-11 11:06:16 ----D---- C:\Program Files\MDM
2009-06-11 10:59:19 ----D---- C:\Program Files\Winamp
2009-06-11 10:57:50 ----D---- C:\Program Files\CCleaner
2009-06-10 10:38:13 ----D---- C:\Documents and Settings\Kobra\Application Data\Nero
2009-06-09 16:27:38 ----D---- C:\Program Files\Lingea
2009-06-08 18:24:19 ----D---- C:\WINDOWS\system32\Restore

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ATITool;ATITool Overclocking Utility; C:\WINDOWS\system32\DRIVERS\ATITool.sys [2006-11-10 24064]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2001-08-23 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2009-02-26 3565568]
R3 HabuFltr;Habu Mouse; C:\WINDOWS\system32\drivers\habu.sys [2006-10-23 27776]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2004-08-19 189568]
S3 aehn70c7;aehn70c7; C:\WINDOWS\system32\drivers\aehn70c7.sys []
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-24 400384]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-05-22 25280]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 nm;Network Monitor Driver; C:\WINDOWS\System32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
S3 protect;protect; C:\WINDOWS\System32\drivers\protect.sys []
S3 s116bus;Sony Ericsson Device 116 driver (WDM); C:\WINDOWS\system32\DRIVERS\s116bus.sys [2007-04-03 83336]
S3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s116mdfl.sys [2007-04-03 15112]
S3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s116mdm.sys [2007-04-03 108680]
S3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s116obex.sys [2007-04-03 98696]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 teamviewervpn;TeamViewer VPN Adapter; C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 25088]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-21 12800]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 vncmirror;vncmirror; C:\WINDOWS\system32\DRIVERS\vncmirror.sys [2009-03-17 4608]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RsFx0102;RsFx0102 Driver; C:\WINDOWS\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2009-02-25 622592]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-13 152984]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [2008-07-11 40999448]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-24 935208]
R2 NwSapAgent;SAP Agent; C:\WINDOWS\System32\svchost.exe [2004-08-04 34304]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-06-02 75064]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-07-05 189448]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-07-10 98840]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-09-23 614400]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-02-06 20680]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-06-11 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2005-08-02 106496]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 34304]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service; c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-07-10 258072]

-----------------EOF-----------------


DDS log

DDS (Version 1.1.0) - NTFSx86
Run by Kobra at 20:04:05,17 on po 06.07.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.1791.1014 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\ld12.exe
C:\PROGRA~1\ICQ6.5\ICQ.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kobra\reader_s.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kobra\Desktop\buss.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
TB: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ICQ] "c:\progra~1\icq6.5\ICQ.exe" silent
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\kobra\reader_s.exe
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [services] c:\windows\services.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysldtray] c:\windows\ld12.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [reader_s] c:\documents and settings\deathmaker\reader_s.exe
StartupFolder: c:\docume~1\kobra\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
IE: Download Using &BitSpirit - c:\program files\bitspirit\bsurl.htm
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kobra\applic~1\mozilla\firefox\profiles\61ndr1x4.default\
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-5-13 77312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2009-5-26 72944]
R2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" [2009-2-6 727720]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 34304]
R3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [2009-5-13 27776]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\drivers\psched.sys [2002-8-29 69120]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 protect;protect;c:\windows\system32\drivers\protect.sys []
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\microsoft sql server\100\shared\SQLADHLP.EXE" [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-7-11 369688]

=============== Created Last 30 ================

2009-07-06 18:09 67,584 a------- c:\windows\system32\223.tmp
2009-07-06 18:08 120 a------- c:\windows\system32\59.tmp
2009-07-06 15:10 2,667 a------- c:\windows\system32\1E.tmp
2009-07-06 10:17 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-07-06 08:52 67,584 a------- c:\windows\system32\1B.tmp
2009-07-06 08:52 124 a------- c:\windows\system32\F.tmp
2009-07-06 00:37 67,584 a------- c:\windows\system32\11.tmp
2009-07-06 00:37 120 a------- c:\windows\system32\B.tmp
2009-07-06 00:37 40,960 a------- c:\windows\ld12.exe
2009-07-05 20:25 73,216 a------- c:\windows\services.exe
2009-07-05 20:25 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-07-05 20:25 0 a------- c:\windows\system32\203.tmp
2009-07-05 20:25 67,584 a------- c:\windows\system32\200.tmp
2009-07-05 20:25 47,104 a------- c:\windows\system32\reader_s.exe
2009-07-05 20:25 47,104 a------- c:\documents and settings\kobra\reader_s.exe
2009-07-05 20:24 120 a------- c:\windows\system32\1FA.tmp
2009-07-05 20:07 <DIR> --d----- c:\program files\ESET
2009-07-05 14:55 2 a------- c:\windows\0535251103110107106.lio
2009-07-05 14:55 1 ----h--- c:\windows\bf23567.dat
2009-07-05 14:33 <DIR> --d----- c:\docume~1\kobra\applic~1\Malwarebytes
2009-07-05 14:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-07-05 14:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-05 14:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-05 14:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 13:46 2 a------- c:\windows\0101120101464849.dat
2009-07-05 13:46 2 a------- c:\windows\010112010146118114.dat
2009-07-05 13:46 1 a------- c:\windows\934fdfg34fgjf23
2009-07-03 18:56 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-02 19:22 <DIR> --d----- c:\docume~1\kobra\applic~1\Mount&Blade
2009-06-29 21:43 <DIR> --d----- c:\program files\X-ray Anti-Cheat
2009-06-29 00:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-06-24 14:55 <DIR> --d----- c:\program files\Sony
2009-06-24 14:53 764,868 -c------ c:\windows\system32\dllcache\apph_sp.sdb
2009-06-24 14:53 217,118 -c------ c:\windows\system32\dllcache\apphelp.sdb
2009-06-23 21:20 3,176,960 ---sh--- c:\documents and settings\kobra\My DocumentsDhw3Ck_save2pc.exe
2009-06-23 21:18 3,176,960 ---sh--- c:\documents and settings\kobra\My DocumentsUws8A7_save2pc.exe
2009-06-23 21:17 3,176,960 ---sh--- c:\documents and settings\kobra\My DocumentsJwn7Mm_save2pc.exe
2009-06-23 19:16 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-06-23 19:16 <DIR> --d----- c:\program files\Xvid
2009-06-23 19:14 <DIR> --d----- c:\program files\FDRLab
2009-06-18 23:00 28,800 a------- c:\windows\system32\drivers\PPortJoy.sys
2009-06-18 23:00 5,632 a------- c:\windows\system32\drivers\W98Ports.sys
2009-06-18 22:56 13,952 a------- c:\windows\system32\PPJoyBus.sys
2009-06-16 16:36 <DIR> --d----- c:\program files\Parallel Port Joystick
2009-06-16 16:27 <DIR> --d----- c:\docume~1\kobra\applic~1\GBM Software
2009-06-16 16:27 <DIR> --d----- c:\program files\GBM
2009-06-15 21:48 61,440 a------- c:\windows\system32\JR_PCM.dll
2009-06-15 21:48 61,440 a------- c:\windows\system32\Futaba_PCM.dll
2009-06-15 21:48 57,344 a------- c:\windows\system32\JR_PPM.dll
2009-06-15 21:48 57,344 a------- c:\windows\system32\Futaba_PPM.dll
2009-06-15 21:42 <DIR> --d----- c:\program files\EACom
2009-06-12 00:29 41,808 a------- c:\windows\system32\xfcodec.dll
2009-06-11 13:27 <DIR> --d----- c:\windows\ie8updates
2009-06-11 13:04 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-06-11 10:23 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-11 10:23 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 10:23 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-11 10:23 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-09 17:56 20,992 a------- c:\windows\system32\vncmirror.dll
2009-06-09 17:56 4,608 a------- c:\windows\system32\drivers\vncmirror.sys
2009-06-09 16:27 <DIR> --d----- c:\program files\common files\Lingea Shared
2009-06-09 11:04 <DIR> --d----- c:\docume~1\kobra\applic~1\TeamViewer
2009-06-09 11:03 <DIR> --d----- c:\program files\TeamViewer
2009-06-09 11:02 <DIR> --d----- c:\documents and settings\kobra\temp
2009-06-07 21:11 <DIR> --dsh--- c:\documents and settings\kobra\IECompatCache

==================== Find3M ====================

2009-07-06 00:37 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-05 20:25 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-07-05 19:19 189,448 a------- c:\windows\system32\PnkBstrB.exe
2009-07-03 21:13 138,016 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-02 20:29 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-06-01 20:17 22,328 a------- c:\docume~1\kobra\applic~1\PnkBstrK.sys
2009-05-23 22:31 757,760 a------- c:\windows\iun6002.exe
2009-05-22 09:28 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-05-22 08:52 2,678 a------- c:\windows\java\packages\data\D7LND3PF.DAT
2009-05-22 08:52 2,678 a------- c:\windows\java\packages\data\4BZZDBV3.DAT
2009-05-22 08:52 2,678 a------- c:\windows\java\packages\data\VVPBFXFF.DAT
2009-05-22 08:52 2,678 a------- c:\windows\java\packages\data\EUI5Z3FZ.DAT
2009-05-22 08:52 2,678 a------- c:\windows\java\packages\data\8WTFPBXF.DAT
2009-05-17 17:43 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-13 18:01 118,784 a------- c:\windows\system32\qttask.exe
2009-05-13 17:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 16:43 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-13 16:11 558,142 a------- c:\windows\java\packages\LBNDJH37.ZIP
2009-05-13 16:11 155,995 a------- c:\windows\java\packages\E8NVR3JT.ZIP
2009-05-13 16:08 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-13 07:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 17:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 11:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 17:11 584,192 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 20:04:22,15 ===============


And ComboFix (VerTerm) still won't run for me... otherwise, after it shows that ALERT message (see above), ComboFix gets deleted on me.

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: Jižní Čechy
Gender: Male

Re: Please check... Suspected virus

Post by jaro3 » 06 Jul 2009 20:42

Uninstall:
DAEMON Tools Toolbar


Download the OTM program (by OldTimer)
http://www.edisk.cz/stahni/07995/OTMove ... .39KB.html
save it to drive C and run it.
- Copy these paths into the left column (Paste Instructions for Items to be Moved):
Note: Do not use the SELECT ALL function to select them

Code:

:Processes
explorer.exe

:Services
aehn70c7
protect
PEVSystemStart
nm

:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"services"=-
"reader_s"=-
"sysldtray"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

:Files
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld12.exe
C:\Documents and Settings\Kobra\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\223.tmp
C:\WINDOWS\system32\59.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\203.tmp
C:\WINDOWS\system32\200.tmp
C:\WINDOWS\system32\1FA.tmp
C:\WINDOWS\system32\drivers\aehn70c7.sys
C:\WINDOWS\System32\drivers\protect.sys

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


- After pasting, click the MoveIt! button and then post here the entire contents of the right column (also saved in the folder C:\_OTMoveIt\MovedFiles\), which reports the results.
- If some files cannot be removed, you may be asked to restart the computer; in that case confirm the restart.

Once you have posted the OTM log here, try running ComboFix (VerTerm) and post its log here; I will have a look tomorrow.
When working with HJT, ComboFix, MBAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
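The "Created Last 30" section of the DDS log above and the file list jaro3 picked for the OTM script are a triage exercise: out of dozens of recently created files, which ones look planted? The script below is an added example, not code from the thread, from DDS or from OTM. It encodes a few of the heuristics a helper applies by eye: a core system binary name outside its canonical directory (c:\windows\services.exe), an unexpected executable directly in %windir% (ld12.exe), short hex-named .tmp files in system32, an executable sitting directly in a user profile root, and one name/size pair dropped into several directories at the same time (reader_s.exe). The sample input is constructed from paths in this thread; the allow-list of executables legitimately found in %windir% is an assumption and would need extending against a real baseline.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of the DDS "Created Last 30" listing posted in
# this thread (the paths themselves are taken from that listing).
SAMPLE_CREATED = r"""
2009-07-06 18:09 67,584 a------- c:\windows\system32\223.tmp
2009-07-06 10:17 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-07-06 00:37 40,960 a------- c:\windows\ld12.exe
2009-07-05 20:25 73,216 a------- c:\windows\services.exe
2009-07-05 20:25 47,104 a------- c:\windows\system32\reader_s.exe
2009-07-05 20:25 47,104 a------- c:\documents and settings\kobra\reader_s.exe
2009-07-05 14:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 17:56 20,992 a------- c:\windows\system32\vncmirror.dll
"""

# One DDS line: date, time, size (or <DIR>), attribute flags, full path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Core Windows XP process names and the only directory each legitimately lives in.
# A file carrying one of these names anywhere else is a classic masquerade.
CANONICAL_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

PE_EXT = (".exe", ".scr", ".dll", ".sys", ".com")

# Executables that do sit directly in %windir% on a clean XP install
# (assumption: a short allow-list; extend it from your own baseline).
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                 "winhlp32.exe", "twunk_16.exe", "twunk_32.exe", "write.exe"}


def parse_created(text: str) -> List[dict]:
    """Parse DDS 'Created Last 30' lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: List[dict]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the entries that deserve a human look."""
    findings: Dict[str, List[str]] = defaultdict(list)
    same_file = defaultdict(set)  # (name, size) -> directories it was written to

    for e in entries:
        if e["size"] == "<DIR>":
            continue
        path = e["path"]
        directory, _, name = path.lower().rpartition("\\")
        same_file[(name, e["size"])].add(directory)

        if name in CANONICAL_DIR and directory != CANONICAL_DIR[name]:
            findings[path].append("system binary name outside its canonical directory")
        elif directory == r"c:\windows" and name.endswith(PE_EXT) and name not in WINROOT_ALLOW:
            findings[path].append("unexpected executable directly in %windir%")
        elif directory == r"c:\windows\system32" and re.fullmatch(r"[0-9a-f]{1,4}\.tmp", name):
            findings[path].append("short hex-named .tmp dropped in system32")
        elif re.fullmatch(r"c:\\documents and settings\\[^\\]+", directory) and name.endswith(PE_EXT):
            findings[path].append("executable directly in a user profile root")

    # Second pass: the same name and size written to several directories at the
    # same moment is how a dropper plants copies of itself (reader_s.exe above).
    for e in entries:
        if e["size"] == "<DIR>":
            continue
        _, _, name = e["path"].lower().rpartition("\\")
        dirs = same_file[(name, e["size"])]
        if len(dirs) > 1:
            findings[e["path"]].append(f"same name and size dropped in {len(dirs)} locations")

    return dict(findings)


def triage_text(text: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse and triage a pasted 'Created Last 30' block."""
    return triage(parse_created(text))


if __name__ == "__main__":
    for path, reasons in triage_text(SAMPLE_CREATED).items():
        print(f"{path}\n    - " + "\n    - ".join(reasons))
```

Run against the sample it reports exactly the five entries jaro3 put in the :Files section and stays quiet on mbam.sys and vncmirror.dll, which are tool components installed by the user. The heuristics are deliberately location-based rather than name-based, because a file infector of this kind renames freely but still has to live somewhere it can be started from.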

Kobra.svk
Level 2
Posts: 219
Registered: January 08
Location: Pezinok
Gender: Male

Re: Please check... Suspected virus

Post by Kobra.svk » 06 Jul 2009 22:41

It needed a restart.... log:
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
Service\Driver aehn70c7 not found.
Service\Driver key aehn70c7 deleted successfully.
Service\Driver aehn70c7 not found.
Service\Driver protect deleted successfully.
Service\Driver PEVSystemStart not found.
Service\Driver PEVSystemStart not found.
Service\Driver PEVSystemStart not found.
Service\Driver nm deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\services deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\sysldtray deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart\ deleted successfully.
========== FILES ==========
C:\WINDOWS\System32\reader_s.exe moved successfully.
C:\windows\ld12.exe moved successfully.
C:\Documents and Settings\Kobra\reader_s.exe moved successfully.
C:\WINDOWS\services.exe moved successfully.
C:\WINDOWS\system32\223.tmp moved successfully.
C:\WINDOWS\system32\59.tmp moved successfully.
C:\WINDOWS\system32\1E.tmp moved successfully.
C:\WINDOWS\system32\1B.tmp moved successfully.
C:\WINDOWS\system32\F.tmp moved successfully.
C:\WINDOWS\system32\11.tmp moved successfully.
C:\WINDOWS\system32\B.tmp moved successfully.
C:\WINDOWS\system32\203.tmp moved successfully.
C:\WINDOWS\system32\200.tmp moved successfully.
C:\WINDOWS\system32\1FA.tmp moved successfully.
File/Folder C:\WINDOWS\system32\drivers\aehn70c7.sys not found.
File/Folder C:\WINDOWS\System32\drivers\protect.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: DeathMaker
->Temp folder emptied: 6737440 bytes
->Temporary Internet Files folder emptied: 64403968 bytes
->Java cache emptied: 4116 bytes
->FireFox cache emptied: 74441288 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Kobra
->Temp folder emptied: 34975145 bytes
->Temporary Internet Files folder emptied: 1400425 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 120880196 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 28617931 bytes

User: OCINO a MAMINA
->Temp folder emptied: 4250192 bytes
->Temporary Internet Files folder emptied: 1313776 bytes
->FireFox cache emptied: 38776727 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119318 bytes
%systemroot%\System32 .tmp files removed: 3206673 bytes
Windows Temp folder emptied: 1221808 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 363,75 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07062009_222506

Files moved on Reboot...

Registry entries deleted on Reboot...
And now I'm going to try running ComboFix =)

EDIT: ComboFix negative...
I found out that after logging in, something tries to connect to j.l.chura.pl/rc/

jaro3
Security team member

Re: Please check... Suspected virus

Post by jaro3 » 07 Jul 2009 07:45

It looks like Virut... I recommend backing up important data (nothing from warez!); in many cases Virut cannot be removed.

Virut (Virtob) is a polymorphic file infector with IRCBot functionality which infects .exe, .scr and script files (.PHP, .ASP, and .HTML), downloads more malicious files to your system, and opens a back door that compromises your computer. When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.
********************************************************************************************************************************************
Close other applications and browsers, disconnect from the internet and fix these in HJT:

Code:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

*****************************************************************************************************************************************
One more script in OTM:

Code:

:Processes
explorer.exe

:Services

:Reg

:Files
C:\windows\pp10.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


Same procedure as above.
*****************************************************************************************************************************************
Download FixIEDef by ShadowPuterDude
to the desktop.
Double-click FixIEDef.
When the Copyright and Disclaimer notice appears, click OK and then Scan.
When a message appears, click OK. When the program finishes, click Exit.
The log will appear on the desktop. Paste the entire contents of that log here.
********************************************************************************************************************************************
Download Dr.Web CureIt
click Update, and after updating click Start.
With the buttons at the bottom you can cure, delete, move or rename a file.
****************************************************************************************************************************************
Download OTL
to the desktop. Make sure all other windows are closed and double-click the OTL icon. At the top of the window, under Output, click Minimal Output. Under Standard Registry change the setting to All. Tick LOP Check and Purity Check. Click Run Scan. Leave all other settings as they are. The scan may take a long time; when it finishes, two logs will open:
OTListIt.Txt
Extras.Txt

They are saved in the same location as OTL. Please paste both logs here.

Kobra.svk
Level 2

Re: Please check... Suspected virus

Post by Kobra.svk » 07 Jul 2009 14:47

Log from OTM:
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\windows\pp10.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: DeathMaker
->Temp folder emptied: 83776 bytes
->Temporary Internet Files folder emptied: 103519 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 18065579 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kobra
->Temp folder emptied: 505090 bytes
File delete failed. C:\Documents and Settings\Kobra\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 2178991 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 13039317 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: OCINO a MAMINA
->Temp folder emptied: 111 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 78073919 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 203112 bytes
Windows Temp folder emptied: 412672 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 107,54 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07072009_143236

Files moved on Reboot...

Registry entries deleted on Reboot...

FixIEDef log:
********************************************************************************
*                                 FixIEDef Log                                 *
*                             Version 1.7.22.7514                              *
********************************************************************************

Created at 14:40:39 on Tuesday, July 07, 2009

Time Zone : (GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

Logged On User : Kobra

Operating System : Microsoft Windows XP Professional Service Pack 2
OS Architecture : X86
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X64 AMD Athlon(tm) 64 Processor 3000+

System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32

System Drive Type : Fixed
System Drive Status : READY
System Drive Label :
System Drive Size : 42 GB
System Drive Free : 3.15 GB

Total Physical Memory: 1791 MB
Free Physical Memory : 1229 MB
Total Page File : 1791 MB
Free Page File : 3241 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory : 1960 MB

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! userinit.exe is Clean !!!

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\16.tmp

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!
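
The OTM log above reports what was emptied per user, what it could not delete yet (the locked index.dat files scheduled for deletion on reboot), what it did not find (C:\windows\pp10.exe), and a grand total. The script below is an added example for this thread, not code from OTM or from the forum; it parses that [EMPTYTEMP] output, re-computes the total from the per-location byte counts, checks it against OTM's own "Total Files Cleaned" line, and lists the deferred and missing entries so you can see what still has to happen after the reboot. SAMPLE_LOG is a constructed, abridged copy of the log posted above (zero-byte lines dropped), and the names OTMReport and parse_otm_log are mine.

```python
"""Consistency check for an OTM (OldTimer's OTMoveIt) cleanup log.

Added example, not OTM's own code: sums the [EMPTYTEMP] byte counts, compares
them with OTM's "Total Files Cleaned" line, and lists what was NOT removed yet.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the OTM log posted in this thread
# (zero-byte lines and the empty "All Users"/"Default User" sections dropped).
SAMPLE_LOG = r"""
========== FILES ==========
File/Folder C:\windows\pp10.exe not found.
========== COMMANDS ==========
[EMPTYTEMP]

User: DeathMaker
->Temp folder emptied: 83776 bytes
->Temporary Internet Files folder emptied: 103519 bytes
->FireFox cache emptied: 18065579 bytes

User: Kobra
->Temp folder emptied: 505090 bytes
File delete failed. C:\Documents and Settings\Kobra\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 2178991 bytes
->FireFox cache emptied: 13039317 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: OCINO a MAMINA
->Temp folder emptied: 111 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 78073919 bytes

%systemroot%\System32 .tmp files removed: 203112 bytes
Windows Temp folder emptied: 412672 bytes

Total Files Cleaned = 107,54 mb
"""

USER_RE = re.compile(r"^User: (.+)$")
BYTES_RE = re.compile(r"^(->)?(.+?) (?:emptied|removed): (\d+) bytes$")
FAILED_RE = re.compile(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$")
MISSING_RE = re.compile(r"^File/Folder (.+?) not found\.$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d.,]+) mb$", re.IGNORECASE)


@dataclass
class OTMReport:
    per_user: Dict[str, int] = field(default_factory=dict)          # user -> bytes freed
    system_locations: Dict[str, int] = field(default_factory=dict)  # location -> bytes freed
    deferred: List[str] = field(default_factory=list)   # locked files, deleted on reboot
    missing: List[str] = field(default_factory=list)    # :Files targets that were not found
    reported_total_mb: Optional[float] = None           # OTM's own "Total Files Cleaned"

    def total_bytes(self) -> int:
        return sum(self.per_user.values()) + sum(self.system_locations.values())

    def total_consistent(self, tolerance_mb: float = 0.01) -> bool:
        """True when our sum matches OTM's total (OTM reports MiB, 1048576 bytes)."""
        if self.reported_total_mb is None:
            return False
        return abs(self.total_bytes() / (1024 * 1024) - self.reported_total_mb) <= tolerance_mb


def parse_otm_log(text: str) -> OTMReport:
    report = OTMReport()
    current_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            current_user = m.group(1)
            report.per_user.setdefault(current_user, 0)
        elif m := BYTES_RE.match(line):
            arrow, location, count = m.group(1), m.group(2), int(m.group(3))
            if arrow and current_user is not None:      # "->" lines belong to the current user
                report.per_user[current_user] += count
            else:                                       # system-wide locations carry no arrow
                report.system_locations[location] = count
        elif m := FAILED_RE.match(line):
            report.deferred.append(m.group(1))
        elif m := MISSING_RE.match(line):
            report.missing.append(m.group(1))
        elif m := TOTAL_RE.match(line):
            # OTM writes the total with the system's decimal separator (a comma here).
            report.reported_total_mb = float(m.group(1).replace(",", "."))
    return report
```

On the log above the re-computed sum is 112765596 bytes, which is 107.54 MiB and matches OTM's own line, so the per-location figures and the total agree. The three deferred entries are all Content.IE5\index.dat files: Internet Explorer keeps them open while the profile is loaded, so they are not gone until the machine has been rebooted, which is why the helper's instructions want a reboot before the next scan rather than trusting this log alone.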


Re: Please check... Suspected virus

Post by Kobra.svk » 07 Jul 2009 15:13

The Dr. Web log after the first express scan is attached... I'll run the full one as well.. =)
Log z DRWeb.rar
It has over 200,000 characters and the maximum allowed is 60,000, so that's why it's done this way... =)
(11.02 KiB) Downloaded 14 times


Re: Please check... Suspected virus

Post by jaro3 » 07 Jul 2009 16:46

So many legitimate files infected by Virut; hopefully all of them were cured, I hope it doesn't come back.
Then post the OTL log here as well.
Optionally, try ComboFix.


Re: Please check... Suspected virus

Post by Kobra.svk » 07 Jul 2009 18:23

So here is the log from the full Dr.Web scan

and now I'll carry on =)
DrWeb.part01.rar
it's big... so I have to split it into parts
(488.28 KiB) Downloaded 9 times

DrWeb.part02.rar
it really is big
(488.28 KiB) Downloaded 8 times

DrWeb.part03.rar
unexpectedly big
(488.28 KiB) Downloaded 10 times

DrWeb.part04.rar
this is how big it is...
(210.86 KiB) Downloaded 9 times

On to that OTL.... =))

OTL a Extras logy.rar
both logs are big too.. so again like this...
(23.73 KiB) Downloaded 8 times

and ComboFix negative again...

