LSA shell (Export version) shutdown denied hlasi Kaspersky

[jcdenton12]

zdar
takze otec mi povedal ze sa mu na obrazovke objavuju dole (asi nad listou) obrazky typu "ma vasa dcera velke prsia"
a ze ked otvara nejaky dokument doc/xls tak sa najprv otvori internet prehliadac
stava sa to vraj len obcas

je tam legal system (Vista Ultimate SP2 + XP SP3 downgrade)
vista sa nepouziva
XP si samo taha aktualizacie a aj ich instaluje
dnes stiahol 12 updatov (tak ako moj pc) vyziadal si restart a bootol uz iba s windows 2000 vzhladom (ked dam vlastnosti na ploche tak tam je windows XP (zmenené))

aktualizovany KIS 8.0.0.506 nic nenasiel
aktualizovany MWAV nasiel par registry problemov, ktore opravil

napriek tomu si KIS nezavrie usta a stale hlasi rozne akcie ktore sa mu nepacia

ako napriklad shutdown denied
access to another process memory

windows update uz nefunguje, vraj treba zaregistrovat subory (vraj nejako zmizli) a pri registracii to hodi error (KIS ju bolkne)

kedze ani KIS ani MWAV nic nenasli som v koncoch
da sa na tom robit, kedze KIS zakaze vypnutie, ale jednoznacne to nie je OK

casto KIS hlasi LSA shell (Export version) shutdown denied a tak podobne

podla googlu to smeruje k sasseru ale to by nemalo byt ono
na kompe stale bezal KIS (aj ked asi posledne 2 mesiace nebol aktualizovany, ale stale bezal, sasser je z 2004)

poradte ake testy/scannery pouzit a ake logy sem hodit

dakujem velmi za rady


//edit: HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:25, on 12. 8. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Compal\Wireless Select Switch\WLSS.exe
C:\Program Files\Compal\Wow Video&Audio\WVAMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Compal\Smart Battery\SMBTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\EVEREST Ultimate Edition\everest.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/CISCO/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Pomocník pro přihlášení ke službě Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Compal\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Wow Video&Audio] C:\Program Files\Compal\Wow Video&Audio\WVAMain.exe
O4 - HKLM\..\Run: [SMBTray] C:\Program Files\Compal\Smart Battery\SMBTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\EVEREST Ultimate Edition\everest.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-329068152-1645522239-839522115-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-329068152-1645522239-839522115-1007\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: REALTEK USB Wireless LAN Utility.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8008738317
O16 - DPF: {A4735C9C-6626-4386-9B93-2D9B79047AB8} (MediaPlugin Control) - http://www.joj.sk/fileadmin/joj_player/ ... Player.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35202067-E28C-4599-B022-903D33621483}: NameServer = 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA093E7-093F-4A92-AC1E-8432048F5AE8}: NameServer = 208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9764 bytes

[zombux]

pusť na to ComboFix a pak Spybot

[jcdenton12]

ok, rano spravim

len sa divim ze po reboote naspat do XP ide aj windows update aj normalny XP vzhlad sa vratil a KIS nic nehlasi

teraz neviem ci je to ok alebo sa to skrylo do dajakeho procesu a bude zle

[jcdenton12]

tu je log z ComboFix

ComboFix 09-08-10.06 - Stefan . 08. 2009 10:17.1.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2046.1508 [GMT 2:00]
Running from: f:\share_ntb_f\combofix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-618566573-94109533-1582036431-1000
c:\$recycle.bin\S-1-5-21-618566573-94109533-1582036431-1001
c:\windows\Installer\95131.msi
c:\windows\Installer\c7d8a.msi
c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-12 20:42 . 2009-08-12 20:42 -------- d-----w- c:\program files\Trend Micro
2009-08-12 20:02 . 2009-08-12 20:03 8592252 ----a-w- c:\windows\REGBK00.ZIP
2009-08-12 19:28 . 2009-08-12 19:28 -------- d---a-w- c:\windows\system32\runouce.exe
2009-08-12 19:27 . 2009-08-12 19:27 632064 ----a-w- c:\windows\system32\msvcr80.dll
2009-08-12 19:27 . 2009-08-12 19:27 554240 ----a-w- c:\windows\system32\msvcp80.dll
2009-08-12 19:27 . 2009-08-12 19:27 34048 ----a-w- c:\windows\system32\eEmpty.exe
2009-08-12 19:27 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2009-08-12 19:27 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2009-08-12 19:27 . 2009-08-12 19:27 -------- d-----w- c:\program files\Common Files\MicroWorld
2009-08-12 17:29 . 2009-08-12 17:29 -------- d-----w- c:\program files\Wireshark
2009-08-12 17:05 . 2009-08-12 17:12 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-12 17:05 . 2009-08-12 17:12 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-12 16:56 . 2009-07-10 13:28 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:26 . 2009-08-04 19:26 -------- d-----w- c:\program files\Packet Tracer 5.2
2009-08-04 19:01 . 2009-08-04 19:11 -------- d-----w- c:\program files\GNS3
2009-07-17 19:04 . 2009-07-17 19:04 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 08:23 . 2009-03-14 17:13 868384 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-13 08:23 . 2009-03-14 17:13 6144 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-13 08:21 . 2009-03-14 17:13 8408096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-13 08:21 . 2009-03-14 17:13 68864 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-12 17:12 . 2008-01-29 15:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-08-12 17:05 . 2009-03-07 20:52 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-12 17:00 . 2009-02-01 10:23 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-18 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:55 . 2008-02-10 13:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-04 19:24 . 2009-03-07 20:51 -------- d-----w- c:\program files\Packet Tracer 5.1
2009-07-25 03:23 . 2009-01-17 18:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:04 . 2004-08-18 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2004-08-18 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 19:24 . 2009-07-03 17:55 -------- d-----w- c:\program files\NOS
2009-07-03 18:20 . 2008-03-15 13:13 -------- d-----w- c:\program files\WinPcap
2009-07-03 18:06 . 2007-12-19 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-03 17:50 . 2008-04-06 09:21 -------- d-----w- c:\program files\Google
2009-07-03 17:49 . 2004-08-18 12:00 92074 ----a-w- c:\windows\system32\perfc005.dat
2009-07-03 17:49 . 2004-08-18 12:00 461938 ----a-w- c:\windows\system32\perfh005.dat
2009-07-03 16:59 . 2004-08-18 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 16:23 . 2009-07-03 16:23 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-03 16:23 . 2009-01-05 19:14 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-03 16:23 . 2009-01-05 19:13 -------- d-----w- c:\program files\Nokia
2009-07-03 16:22 . 2009-01-05 19:13 -------- d-----w- c:\program files\DIFX
2009-07-03 16:22 . 2009-07-03 16:22 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-25 08:27 . 2004-08-18 12:00 729088 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2004-08-18 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2004-08-18 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2004-08-18 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:27 . 2004-08-18 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2004-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-18 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:40 . 2004-08-18 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:40 . 2004-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 13:42 . 2007-12-23 15:47 -------- d-----w- c:\program files\totalcmd
2009-06-15 10:45 . 2004-08-18 12:00 78336 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:45 . 2004-08-18 12:00 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:15 . 2004-08-18 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 07:21 . 2007-12-18 19:58 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:16 . 2004-08-18 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:11 . 2004-08-18 12:00 1293824 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 16:52 . 2009-05-31 16:53 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2009-05-31 15:46 . 2009-05-31 15:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-24 22:24 . 2008-05-26 20:18 350208 ------w- c:\windows\system32\mssph.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59 2953216 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"EVEREST AutoStart"="c:\program files\EVEREST Ultimate Edition\everest.exe" [2008-03-16 2083424]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2007-12-01 647168]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-03-28 49168]
"WLSS"="c:\program files\Compal\Wireless Select Switch\WLSS.exe" [2007-04-23 190000]
"Wow Video&Audio"="c:\program files\Compal\Wow Video&Audio\WVAMain.exe" [2007-05-03 951856]
"SMBTray"="c:\program files\Compal\Smart Battery\SMBTray.exe" [2007-06-04 521776]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-12 208616]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-18 16377344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-11 561213]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-1-17 790528]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"RichVideo"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [21. 12. 2007 18:03 9856]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29. 1. 2008 17:29 33808]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [17. 1. 2009 15:42 38144]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\EVEREST Ultimate Edition\kerneld.wnt [11. 10. 2008 17:19 23152]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21. 12. 2007 18:11 36608]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13. 3. 2008 18:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30. 4. 2008 17:06 24592]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [19. 12. 2007 22:58 27776]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3. 7. 2009 19:50 133104]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [14. 4. 2004 15:52 20736]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23. 12. 2008 17:35 50704]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [17. 1. 2009 14:44 332928]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVERESTDRIVER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 17:50]

2009-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///F:/CISCO/index.html
uInternet Settings,ProxyOverride = *.local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {35202067-E28C-4599-B022-903D33621483} = 208.67.222.222
TCP: {DAA093E7-093F-4A92-AC1E-8432048F5AE8} = 208.67.222.222
DPF: {A4735C9C-6626-4386-9B93-2D9B79047AB8} - hxxp://www.joj.sk/fileadmin/joj_player/JOJ_Explorer_Player.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 10:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1780)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1836)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(3860)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_slk.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclIrSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-08-13 10:26 - machine was rebooted [Martin]
ComboFix-quarantined-files.txt 2009-08-13 08:26

Pre-Run: Volných bajtů: 16 519 254 016
Post-Run: Volných bajtů: 18 035 822 592

259 --- E O F --- 2009-08-13 08:12

[zombux]

no, a jak se to chová?

[jcdenton12]

SPY bot S and D nasiel akurat 7x tracking cookies ciez to nic neni take vazne

chova sa to tak ako po prvom restarte co som pisal v druhom prispevku
teda uplne normalne

len fakt neviem ci to je ok alebo sa nejaky ten bordel zahrabal niekde hlbsie do systemu

kazdopadne sa sprava tak ako by sa mal a vsetko ide OK