
rootkit kejnn.sys

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

rootkit kejnn.sys

#1 Post by iwanhoe »

Hi, my antivirus found the rootkit kejnn.sys, and after a scan with one of the anti-rootkit programs I discovered two more. Please help me remove them. Thank you. I'm attaching the RSIT log.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ivanhoe at 2010-01-05 23:30:14
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 8 GB (5%) free of 179 GB
Total RAM: 3006 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:36 PM, on 1/5/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Ivanhoe\Desktop\Rootkitrevelear\RootkitRevealer.exe
C:\Users\Ivanhoe\Downloads\RSIT.exe
C:\Program Files\trend micro\Ivanhoe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.centrum.cz/skinit/icq/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Update ESET's license.lnk = C:\Program Files\ESET\MiNODLogin\MiNODLogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVTIWOWBKJF - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: EOLKRIGDBX - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\EOLKRIGDBX.exe
O23 - Service: FGCZVZAB - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\FGCZVZAB.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1ca1910841b45d8) (gupdate1ca1910841b45d8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KBPFID - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\KBPFID.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: UTYOQBFY - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\UTYOQBFY.exe
O23 - Service: WFYGJH - Sysinternals - http://www.sysinternals.com - C:\Users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10947 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{9E29BE8E-64C9-4048-803A-A3E2957A196D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-08-09 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}]
FlashFXP Helper for Internet Explorer - C:\PROGRA~1\FlashFXP\IEFlash.dll [2008-06-16 191096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}]
HP Print Clips - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll [2007-08-31 177504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-12-10 929224]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-01-18 1033512]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-12-20 468264]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-09-19 202032]
"OnScreenDisplay"=C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [2007-09-04 554320]
"UCam_Menu"=C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [2007-08-17 218408]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"hpqSRMon"=C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [2007-08-23 80896]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe []
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2007-05-09 54840]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-09-13 480560]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-08 311296]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-23 116040]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-10-25 35328]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-12-04 13556256]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-12-04 92704]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-11-16 2054360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1233920]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-08-24 455968]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-12-29 687560]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Update ESET's license.lnk - C:\Program Files\ESET\MiNODLogin\MiNODLogin.exe

C:\Users\Ivanhoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\Program Files\FlashGet Network\FlashGet universal\FlashGet.exe"="C:\Program Files\FlashGet Network\FlashGet universal\FlashGet.exe:*:Enabled:Flashget2"
"C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdate.exe"="C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdate.exe:*:Enabled:FGLiveUpdate"
"C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdateEx.exe"="C:\Program Files\FlashGet Network\FlashGet universal\LiveUpdateEx.exe:*:Enabled:FGLiveUpdateEx"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ac56ff-7d47-11dd-b1cf-001e68a0f35a}]
shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac345992-9989-11dd-95aa-001e68a0f35a}]
shell\AutoRun\command - F:\xih9.cmd
shell\explore\command - F:\xih9.cmd
shell\open\command - F:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9dfff18-22bf-11de-8916-001e68a0f35a}]
shell\AutoRun\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
shell\open\command - RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cecd1859-e731-11dd-9eae-001e68a0f35a}]
shell\AutoRun\command - F:\autorun.exe


======List of files/folders created in the last 1 months======

2010-01-05 23:30:15 ----D---- C:\Program Files\trend micro
2010-01-05 23:30:14 ----D---- C:\rsit
2010-01-05 21:02:58 ----D---- C:\Program Files\CCleaner
2010-01-05 19:42:19 ----D---- C:\Program Files\GRISOFT
2010-01-05 18:03:34 ----D---- C:\Program Files\Sophos
2009-12-23 14:45:02 ----D---- C:\Users\Ivanhoe\AppData\Roaming\Magic Academy
2009-12-19 22:52:07 ----D---- C:\ProgramData\MinigolfAdventures
2009-12-15 12:41:22 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-15 12:41:17 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 22:01:07 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 22:00:56 ----A---- C:\Windows\system32\occache.dll
2009-12-09 22:00:56 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 22:00:55 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 22:00:54 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 22:00:52 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 22:00:51 ----A---- C:\Windows\system32\ieapfltr.dll
2009-12-09 22:00:50 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 22:00:49 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 22:00:49 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 22:00:48 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 22:00:48 ----A---- C:\Windows\system32\ieaksie.dll
2009-12-09 22:00:47 ----A---- C:\Windows\system32\mstime.dll
2009-12-09 22:00:47 ----A---- C:\Windows\system32\ieencode.dll
2009-12-09 22:00:46 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 21:59:59 ----A---- C:\Windows\system32\rastls.dll
2009-12-09 21:59:58 ----A---- C:\Windows\system32\raschap.dll

======List of files/folders modified in the last 1 months======

2010-01-06 02:52:27 ----D---- C:\Windows\system32\config
2010-01-06 02:52:23 ----D---- C:\Windows\system32\wbem
2010-01-06 02:52:23 ----D---- C:\Windows\system32\catroot2
2010-01-06 02:52:23 ----D---- C:\Windows\registration
2010-01-06 02:51:22 ----SHD---- C:\System Volume Information
2010-01-05 23:30:24 ----D---- C:\Windows\Temp
2010-01-05 23:30:15 ----RD---- C:\Program Files
2010-01-05 23:24:26 ----D---- C:\Windows\System32
2010-01-05 23:17:33 ----D---- C:\Windows\system32\drivers
2010-01-05 21:38:36 ----D---- C:\Windows\Prefetch
2010-01-05 21:21:58 ----D---- C:\Windows\Tasks
2010-01-05 21:19:25 ----D---- C:\Windows
2010-01-05 21:06:33 ----D---- C:\Windows\Debug
2010-01-05 15:50:11 ----D---- C:\Program Files\ICQ6.5
2010-01-04 22:36:44 ----D---- C:\Windows\system32\Tasks
2010-01-04 22:36:44 ----D---- C:\Windows\system32\spool
2010-01-04 22:36:44 ----D---- C:\Windows\system32\Msdtc
2010-01-04 22:36:21 ----HD---- C:\ProgramData
2010-01-04 17:49:48 ----D---- C:\Program Files\ESET
2010-01-04 17:48:55 ----SHD---- C:\Windows\Installer
2010-01-04 17:48:28 ----D---- C:\Windows\system32\catroot
2010-01-04 17:48:28 ----D---- C:\Windows\inf
2010-01-04 17:46:22 ----D---- C:\ProgramData\Lavasoft
2010-01-04 17:46:22 ----D---- C:\Program Files\Lavasoft
2010-01-04 17:46:08 ----DC---- C:\Windows\system32\DRVSTORE
2010-01-04 13:45:52 ----D---- C:\Program Files\Google
2009-12-23 14:44:54 ----D---- C:\ProgramData\WildTangent
2009-12-21 16:51:46 ----D---- C:\Windows\Minidump
2009-12-20 22:16:08 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-20 16:38:44 ----SD---- C:\Users\Ivanhoe\AppData\Roaming\Microsoft
2009-12-15 12:42:25 ----D---- C:\Windows\winsxs
2009-12-15 12:40:07 ----D---- C:\ProgramData\Microsoft Help
2009-12-15 12:40:05 ----RSD---- C:\Windows\assembly
2009-12-15 12:39:17 ----RSD---- C:\Windows\Fonts
2009-12-15 12:39:10 ----D---- C:\Program Files\Common Files\microsoft shared
2009-12-15 00:09:57 ----D---- C:\Users\Ivanhoe\AppData\Roaming\Skype
2009-12-15 00:06:49 ----D---- C:\Users\Ivanhoe\AppData\Roaming\skypePM
2009-12-14 13:22:44 ----D---- C:\Windows\rescache
2009-12-10 22:06:22 ----D---- C:\Windows\system32\en-US
2009-12-10 22:06:22 ----D---- C:\Program Files\Windows Mail
2009-12-10 22:06:22 ----D---- C:\Program Files\Internet Explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgArCln;Avg Anti-Rootkit Clean Driver; C:\Windows\System32\DRIVERS\AvgArCln.sys [2007-01-18 3968]
R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 SSHDRV65;SSHDRV65; \??\C:\Windows\system32\drivers\SSHDRV65.sys [2009-03-31 120320]
R2 eamon;eamon; C:\Windows\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 epfw;epfw; C:\Windows\system32\DRIVERS\epfw.sys [2009-11-16 135048]
R2 epfwwfp;epfwwfp; C:\Windows\system32\DRIVERS\epfwwfp.sys [2009-11-16 38240]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-24 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-07-10 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-12-06 761856]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 Epfwndis;Eset Personal Firewall; C:\Windows\system32\DRIVERS\Epfwndis.sys [2009-06-19 33096]
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDART.sys [2007-09-09 176640]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-19 16768]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-06-20 208896]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-03-07 1059112]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-04 7606688]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 12032]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-01-18 196784]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]
S3 a8ha1441;a8ha1441; C:\Windows\system32\drivers\a8ha1441.sys []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\Windows\system32\F259.tmp []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 PCD65X2;PCD65X2; \??\C:\Users\Ivanhoe\AppData\Local\Temp\PCD65X2.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-07-23 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-23 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-09-20 65536]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-02 135168]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-24 79136]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-04 203296]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2009-10-25 66872]
R2 PnkBstrB;PnkBstrB; C:\Windows\system32\PnkBstrB.exe [2009-10-25 107832]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-12-20 271760]
R2 QPSched;QuickPlay Task Scheduler (QTS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-12-20 112016]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-01-09 272024]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-07-10 386560]
R3 FGCZVZAB;FGCZVZAB; C:\Users\Ivanhoe\AppData\Local\Temp\FGCZVZAB.exe [2010-01-05 473984]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
R3 KBPFID;KBPFID; C:\Users\Ivanhoe\AppData\Local\Temp\KBPFID.exe [2010-01-05 473984]
R3 UTYOQBFY;UTYOQBFY; C:\Users\Ivanhoe\AppData\Local\Temp\UTYOQBFY.exe [2010-01-05 445312]
S2 gupdate1ca1910841b45d8;Google Update Service (gupdate1ca1910841b45d8); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-09 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-09 190448]
S3 AVTIWOWBKJF;AVTIWOWBKJF; C:\Users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe [2010-01-05 453504]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-03-05 110592]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-11-16 20680]
S3 EOLKRIGDBX;EOLKRIGDBX; C:\Users\Ivanhoe\AppData\Local\Temp\EOLKRIGDBX.exe [2010-01-04 506752]
S3 GameConsoleService;GameConsoleService; C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2008-05-05 165416]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WFYGJH;WFYGJH; C:\Users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe [2010-01-05 486272]

-----------------EOF-----------------

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: rootkit kejnn.sys

#2 Post by motji »

Good evening :)
There's something in there.
Do you have the log from that anti-rootkit tool?

Download ComboFix like this:
- right-click the ComboFix link, choose "Save as...", rename it to Potvora.com and save it.

Plug all the USB keys and flash drives you use into the PC.

Download it to the desktop, close all open windows and run ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe

- ComboFix must be run under an account with administrator rights
- Before using it, disable all resident security programs - antivirus, firewalls, antispyware
- After launch the terms of use are displayed; confirm them by clicking Yes
- Then follow the instructions; while ComboFix is running, do not click in the window it displays
- After the scan finishes (it takes at most 10 minutes), the program should create a log - C:\ComboFix.txt; copy its entire contents here
Do not use COMBOFIX without an advisor's recommendation; it may damage the system!
Always back up important data before disinfecting the computer.

I'm usually reachable at night, between 21:00 and 23:00.
If you have any questions, you can e-mail me at Motji(at)forum.viry.cz.

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#3 Post by iwanhoe »

Here's the log from ComboFix, a.k.a. Potvora :D

ComboFix 10-01-04.01 - Ivanhoe 01/06/2010 0:39.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.2283 [GMT 1:00]
Running from: c:\users\Ivanhoe\Desktop\Potvora.com.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2870796406-1887052798-2938797926-500
c:\$recycle.bin\S-1-5-21-4016623809-3629486141-1618625363-500
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose.log
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat
c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat
c:\program files\FlashGet Network\FlashGet universal\transaction.log
c:\users\Ivanhoe\AppData\Roaming\avdrn.dat
c:\users\Ivanhoe\AppData\Roaming\BITS
c:\users\Ivanhoe\AppData\Roaming\BITS\BITS.ini
c:\users\Ivanhoe\AppData\Roaming\BITS\DHTTable.dat
c:\users\Ivanhoe\AppData\Roaming\BITS\ProxyList.ini
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 23:49 . 2010-01-05 23:50 -------- d-----w- c:\users\Ivanhoe\AppData\Local\temp
2010-01-05 23:49 . 2010-01-05 23:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-05 22:30 . 2010-01-05 22:31 -------- d-----w- c:\program files\trend micro
2010-01-05 22:30 . 2010-01-05 22:31 -------- d-----w- C:\rsit
2010-01-05 20:02 . 2010-01-05 20:02 -------- d-----w- c:\program files\CCleaner
2010-01-05 18:42 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-01-05 17:03 . 2010-01-05 17:03 -------- d-----w- c:\program files\Sophos
2010-01-05 14:34 . 2010-01-05 14:34 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-23 13:45 . 2009-12-23 14:00 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\Magic Academy
2009-12-19 21:52 . 2009-12-19 21:52 -------- d-----w- c:\programdata\MinigolfAdventures
2009-12-15 11:41 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-15 11:41 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-15 11:41 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 21:01 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 20:59 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 20:59 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 21:55 . 2009-02-18 12:26 55487 ----a-w- c:\programdata\nvModes.dat
2010-01-05 14:50 . 2009-08-10 15:57 -------- d-----w- c:\program files\ICQ6.5
2010-01-04 16:49 . 2008-09-29 17:36 -------- d-----w- c:\program files\ESET
2010-01-04 16:46 . 2009-02-23 18:56 -------- d-----w- c:\programdata\Lavasoft
2010-01-04 16:46 . 2009-02-23 18:56 -------- d-----w- c:\program files\Lavasoft
2010-01-04 12:45 . 2009-08-09 16:41 -------- d-----w- c:\program files\Google
2009-12-23 13:44 . 2008-07-13 02:57 -------- d-----w- c:\programdata\WildTangent
2009-12-15 11:52 . 2008-07-30 23:45 76568 ----a-w- c:\users\Ivanhoe\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-15 11:40 . 2008-04-25 02:33 -------- d-----w- c:\programdata\Microsoft Help
2009-12-14 23:09 . 2009-11-28 20:20 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\Skype
2009-12-14 23:06 . 2009-07-31 12:24 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\skypePM
2009-12-14 16:44 . 2009-12-14 16:44 16 ----a-w- c:\users\Ivanhoe\AppData\Roaming\fvgqad.dat
2009-12-10 21:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 18:13 . 2009-12-09 18:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-11-28 20:19 . 2009-11-28 20:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-28 20:19 . 2009-11-28 20:19 -------- d-----r- c:\program files\Skype
2009-11-28 20:19 . 2009-07-31 12:13 -------- d-----w- c:\programdata\Skype
2009-11-26 21:14 . 2008-07-13 02:50 -------- d-----w- c:\programdata\CyberLink
2009-11-16 08:06 . 2009-11-16 08:06 38240 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2009-11-16 08:06 . 2009-11-16 08:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-02 19:42 . 2009-10-04 18:31 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 09:57 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 21:00 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 21:00 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-25 21:30 . 2009-05-28 10:50 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\users\Ivanhoe\AppData\Roaming\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\users\Ivanhoe\AppData\Roaming\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-25 21:27 . 2009-10-25 21:27 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-25 21:27 . 2009-10-25 21:27 2250024 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-25 11:02 . 2008-10-10 01:37 15252096 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-10-25 35328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

c:\users\Ivanhoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update ESET's license.lnk - c:\program files\ESET\MiNODLogin\MiNODLogin.exe [2009-10-24 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
R1 SSHDRV65;SSHDRV65;c:\windows\System32\drivers\SSHDRV65.sys [3/31/2009 8:55 PM 120320]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 epfwwfp;epfwwfp;c:\windows\System32\drivers\epfwwfp.sys [11/16/2009 9:06 AM 38240]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [1/20/2009 9:19 PM 717296]
S2 gupdate1ca1910841b45d8;Google Update Service (gupdate1ca1910841b45d8);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2009 5:43 PM 133104]
S3 AVTIWOWBKJF;AVTIWOWBKJF;c:\users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe --> c:\users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe [?]
S3 EOLKRIGDBX;EOLKRIGDBX;c:\users\Ivanhoe\AppData\Local\Temp\EOLKRIGDBX.exe --> c:\users\Ivanhoe\AppData\Local\Temp\EOLKRIGDBX.exe [?]
S3 FGCZVZAB;FGCZVZAB;c:\users\Ivanhoe\AppData\Local\Temp\FGCZVZAB.exe --> c:\users\Ivanhoe\AppData\Local\Temp\FGCZVZAB.exe [?]
S3 KBPFID;KBPFID;c:\users\Ivanhoe\AppData\Local\Temp\KBPFID.exe --> c:\users\Ivanhoe\AppData\Local\Temp\KBPFID.exe [?]
S3 UTYOQBFY;UTYOQBFY;c:\users\Ivanhoe\AppData\Local\Temp\UTYOQBFY.exe --> c:\users\Ivanhoe\AppData\Local\Temp\UTYOQBFY.exe [?]
S3 WFYGJH;WFYGJH;c:\users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe --> c:\users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - kejnn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-09 16:41]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 16:43]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 16:43]

2010-01-05 c:\windows\Tasks\User_Feed_Synchronization-{9E29BE8E-64C9-4048-803A-A3E2957A196D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.centrum.cz/skinit/icq/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ivanhoe\AppData\Roaming\Mozilla\Firefox\Profiles\anf80jb7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 00:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6CA9.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kejnn]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2870796406-1887052798-2938797926-1000\Software\SecuROM\License information*]
"datasecu"=hex:06,f6,1e,8d,b2,75,56,d8,2c,41,b4,90,f8,8b,32,4e,19,fb,6c,75,68,
ce,3f,36,57,41,a4,46,3f,04,92,8f,fc,04,1b,79,13,5e,44,39,e7,44,0a,07,25,ca,\
"rkeysecu"=hex:76,5a,9f,ae,d9,7f,8a,29,fb,a6,b6,04,8c,ca,01,37

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-06 00:52:23
ComboFix-quarantined-files.txt 2010-01-05 23:52

Pre-Run: 8,265,302,016 bytes free
Post-Run: 8,204,083,200 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 59E46E9A9EB73B29D2081CB670E37951

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#4 Post by iwanhoe »

here is also the scan log from the Sophos Anti-Rootkit program


Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 1/6/2010 at 0:54:50 AM
User "Ivanhoe" on computer "TRAFFICMOU"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\config\RegBack\COMPONENTS.LOG1
Hidden: file C:\Windows\System32\drivers\kejnn.sys
Info: Starting disk scan of D: (NTFS).
Stopped logging on 1/6/2010 at 2:08:14 AM

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: rootkit kejnn.sys

#5 Post by motji »

First of all, uninstall that cracked NOD and install some free antivirus - Avast or Avira, otherwise I cannot help you any further :James008:


:arrow: leave the flash drives connected to the PC

:arrow: If it is not there already, move ComboFix to the desktop
- open Notepad
- Copy the text from this box into it

Code:

Killall::
Folder::
C:\Program Files\DAEMON Tools Toolbar
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler
I:\recycler
C:\resycled
D:\resycled
e:\resycled
f:\resycled
g:\resycled
h:\resycled
I:\resycled
c:\$recycle.bin
d:\$recycle.bin
e:\$recycle.bin
f:\$recycle.bin
g:\$recycle.bin
h:\$recycle.bin
I:\$recycle.bin
Collect::
C:\Windows\System32\drivers\kejnn.sys
c:\users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe
c:\users\Ivanhoe\AppData\Local\Temp\FGCZVZAB.exe 
c:\users\Ivanhoe\AppData\Local\Temp\KBPFID.exe 
c:\users\Ivanhoe\AppData\Local\Temp\UTYOQBFY.exe
c:\users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe
File::
C:\xih9.cmd
E:\xih9.cmd
F:\xih9.cmd
G:\xih9.cmd
c:\windows\system32\6CA9.tmp
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update ESET's license.lnk
c:\program files\ESET\MiNODLogin\MiNODLogin.exe
Driver::
WFYGJH
UTYOQBFY
EOLKRIGDBX
FGCZVZAB
KBPFID
kejnn
MEMSWEEP2
AVTIWOWBKJF
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9dfff18-22bf-11de-8916-001e68a0f35a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac345992-9989-11dd-95aa-001e68a0f35a}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=-
- save the TXT file you created as CFScript.txt on the desktop
- after saving, grab the script you created with the left mouse button and drag it over the ComboFix icon, where you drop it:


- after it runs, another log will pop up; paste it here

Warning: it may happen that after applying the script and restarting, Windows does not boot; in that case restart again while pressing F8, then choose Last Known Good Configuration


:arrow: Start - Control Panel - Folder Options - View - show hidden and system files

:arrow: Have this file tested at http://www.virustotal.com

c:\windows\System32\drivers\SSHDRV65.sys

Copy the path to the file into the box; if it says the file has already been tested, have it tested again.
Paste the link with the results here.
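
Added example (not part of this thread, and not motji's or ComboFix's own tooling): a small Python triage script that applies the checks a helper does by eye when reading the ComboFix log above to service/driver and registry lines in the ComboFix log format. The sample lines are copied from the logs in this thread; the heuristics themselves (image path in a Temp folder, missing image file shown as `[?]`, random-looking all-caps service name, a driver ImagePath pointing at a .tmp file, Security Center `DisableMonitoring`=1) are this example's own assumptions, not ComboFix rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix logs in this thread
# (service/driver entries plus two registry fragments), so the script runs offline.
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
S3 AVTIWOWBKJF;AVTIWOWBKJF;c:\users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe --> c:\users\Ivanhoe\AppData\Local\Temp\AVTIWOWBKJF.exe [?]
S3 WFYGJH;WFYGJH;c:\users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe --> c:\users\Ivanhoe\AppData\Local\Temp\WFYGJH.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6CA9.tmp"
"""

# Service line layout: "<state> <name>;<display>;<image path>[ --> <resolved path>] [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]$"
)
# Registry value line inside a [KEY] section, as ComboFix prints it: "Name"=data
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass
class Finding:
    kind: str            # "service" or "registry"
    ident: str           # service name or registry key
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return the fields of a ComboFix service/driver line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None


def service_reasons(svc):
    """Heuristic checks on one parsed service line (assumptions of this example)."""
    reasons = []
    if "\\temp\\" in svc["path"].lower():
        reasons.append("image runs from a Temp folder")
    if svc["info"].strip() == "?":
        reasons.append("image file not found on disk")
    if re.fullmatch(r"[A-Z]{6,}", svc["name"]):
        reasons.append("random-looking all-caps service name")
    return reasons


def registry_reasons(key, name, data):
    """Heuristic checks on one registry value under the given key."""
    reasons = []
    if ("security center\\monitoring" in key.lower()
            and name.lower() == "disablemonitoring"
            and data.lower().endswith("00000001")):
        reasons.append("Security Center monitoring disabled")
    if name.lower() == "imagepath" and data.strip('"').lower().endswith(".tmp"):
        reasons.append("driver ImagePath points at a .tmp file")
    return reasons


def triage(log_text):
    """Walk a ComboFix-style log and return the entries worth a second look."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = parse_service_line(line)
        if svc:
            reasons = service_reasons(svc)
            if reasons:
                findings.append(Finding("service", svc["name"], reasons))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # start of a new registry key section
            continue
        v = VALUE_RE.match(line)
        if v and current_key:
            reasons = registry_reasons(current_key, v["name"], v["data"])
            if reasons:
                findings.append(Finding("registry", current_key, reasons))
    return findings


def flagged_service_names(log_text):
    """Sorted names of the services the triage flagged (handy for building a removal list)."""
    return sorted(f.ident for f in triage(log_text) if f.kind == "service")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.ident}: {'; '.join(f.reasons)}")
```

Run on the sample it reports the two Temp-folder services with the `[?]` marker, the MEMSWEEP2 driver whose ImagePath is a .tmp file, and the disabled Security Center monitoring, which is the same set of entries the CFScript above deletes or resets. The all-caps name check is deliberately the weakest signal and only adds weight to the others; a legitimate driver such as ehdrv passes all three checks.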

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#6 Post by iwanhoe »

hi, I already have Avast now :D

here is the ComboFix log for now

ComboFix 10-01-04.01 - Ivanhoe 01/06/2010 23:59:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.1857 [GMT 1:00]
Running from: c:\users\Ivanhoe\Desktop\ComboFix.exe
Command switches used :: c:\users\Ivanhoe\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\"
"c:\windows\system32\6CA9.tmp"
"C:\xih9.cmd"
"E:\xih9.cmd"
"F:\xih9.cmd"
"G:\xih9.cmd"

file zipped: c:\windows\System32\drivers\kejnn.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin
C:\LOG.TXT
c:\program files\DAEMON Tools Toolbar
c:\program files\DAEMON Tools Toolbar\_DTLite.xml
c:\program files\DAEMON Tools Toolbar\DTToolbar.dll
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\chrome.manifest
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\chrome\dttoolbar.jar
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.xpt
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\install.rdf
c:\program files\DAEMON Tools Toolbar\Resources\about.ico
c:\program files\DAEMON Tools Toolbar\Resources\AboutWindow.ico
c:\program files\DAEMON Tools Toolbar\Resources\AddRadioStation.ico
c:\program files\DAEMON Tools Toolbar\Resources\as.ico
c:\program files\DAEMON Tools Toolbar\Resources\as.png
c:\program files\DAEMON Tools Toolbar\Resources\astro.ico
c:\program files\DAEMON Tools Toolbar\Resources\az.ico
c:\program files\DAEMON Tools Toolbar\Resources\b1.bmp
c:\program files\DAEMON Tools Toolbar\Resources\b1.png
c:\program files\DAEMON Tools Toolbar\Resources\BurnImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\buy.ico
c:\program files\DAEMON Tools Toolbar\Resources\cond000.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond001.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond003.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond004.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond005.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond006.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond007.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond008.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond009.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond010.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond011.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond019.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond020.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond021.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond022.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond023.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond024.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond025.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond026.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond037.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond038.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond039.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond040.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond041.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond046.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond048.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond050.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond051.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond052.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond053.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond054.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond055.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond056.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond057.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond058.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond059.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond060.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond061.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond062.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond063.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond064.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond065.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond066.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond067.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond068.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond069.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond075.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond076.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond077.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond078.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond079.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond080.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond084.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond085.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond086.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond087.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond088.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond089.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond090.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond091.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond092.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond093.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond094.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond095.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond108.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond109.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond110.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond111.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond112.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond113.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond120.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond121.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond122.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond126.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond127.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond128.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond129.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond130.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond131.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond132.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond133.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond134.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond135.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond136.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond137.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond138.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond140.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond141.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond142.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond143.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond148.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond149.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond152.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond154.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond155.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond156.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond157.gif
c:\program files\DAEMON Tools Toolbar\Resources\Config.ico
c:\program files\DAEMON Tools Toolbar\Resources\d.ico
c:\program files\DAEMON Tools Toolbar\Resources\d2.ico
c:\program files\DAEMON Tools Toolbar\Resources\daemon.ico
c:\program files\DAEMON Tools Toolbar\Resources\ds.ico
c:\program files\DAEMON Tools Toolbar\Resources\dsearch.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt.ico
c:\program files\DAEMON Tools Toolbar\Resources\DTPro.ico
c:\program files\DAEMON Tools Toolbar\Resources\Dwnl.ico
c:\program files\DAEMON Tools Toolbar\Resources\emulation.ico
c:\program files\DAEMON Tools Toolbar\Resources\features.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrix.ico
c:\program files\DAEMON Tools Toolbar\Resources\gd.ico
c:\program files\DAEMON Tools Toolbar\Resources\genre.xml
c:\program files\DAEMON Tools Toolbar\Resources\globe.ico
c:\program files\DAEMON Tools Toolbar\Resources\GrabImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\hb.bmp
c:\program files\DAEMON Tools Toolbar\Resources\hb.ico
c:\program files\DAEMON Tools Toolbar\Resources\help.ico
c:\program files\DAEMON Tools Toolbar\Resources\ip.ico
c:\program files\DAEMON Tools Toolbar\Resources\lang.xml
c:\program files\DAEMON Tools Toolbar\Resources\lingvo.ico
c:\program files\DAEMON Tools Toolbar\Resources\m.ico
c:\program files\DAEMON Tools Toolbar\Resources\mail.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\MenuRadioConfig.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuRadioStation.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuRSCur.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuTr.ico
c:\program files\DAEMON Tools Toolbar\Resources\next.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\noW.gif
c:\program files\DAEMON Tools Toolbar\Resources\op.ico
c:\program files\DAEMON Tools Toolbar\Resources\play.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play.ico
c:\program files\DAEMON Tools Toolbar\Resources\play_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\pragma.ico
c:\program files\DAEMON Tools Toolbar\Resources\prev.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_down.bmp
c:\program files\DAEMON Tools Toolbar\uninst.exe
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\users\Ivanhoe\AppData\Roaming\BITS
c:\users\Ivanhoe\AppData\Roaming\BITS\BITS.ini
c:\users\Ivanhoe\AppData\Roaming\BITS\ProxyList.ini
d:\$recycle.bin
c:\windows\system32\drivers\kejnn.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KEJNN
-------\Service_EOLKRIGDBX
-------\Service_kejnn


((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-06 23:09 . 2010-01-06 23:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-06 23:09 . 2010-01-06 23:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-06 15:20 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-06 15:20 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-06 15:20 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-06 15:20 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-06 15:20 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-06 15:19 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-06 15:19 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-05 23:52 . 2010-01-06 14:51 -------- d-----w- c:\users\Ivanhoe\AppData\Local\temp(13)
2010-01-05 23:36 . 2010-01-05 23:52 -------- d-----w- C:\Potvora.com
2010-01-05 22:30 . 2010-01-05 22:31 -------- d-----w- c:\program files\trend micro
2010-01-05 22:30 . 2010-01-05 22:31 -------- d-----w- C:\rsit
2010-01-05 17:03 . 2010-01-05 17:03 -------- d-----w- c:\program files\Sophos
2009-12-23 13:45 . 2009-12-23 14:00 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\Magic Academy
2009-12-19 21:52 . 2009-12-19 21:52 -------- d-----w- c:\programdata\MinigolfAdventures
2009-12-15 11:41 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-15 11:41 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-15 11:41 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 21:01 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 20:59 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 20:59 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 22:36 . 2009-02-18 12:26 55487 ----a-w- c:\programdata\nvModes.dat
2010-01-06 16:55 . 2009-08-10 15:57 -------- d-----w- c:\program files\ICQ6.5
2010-01-06 15:24 . 2008-09-29 17:36 -------- d-----w- c:\program files\ESET
2010-01-05 14:34 . 2010-01-05 14:34 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-04 16:46 . 2009-02-23 18:56 -------- d-----w- c:\programdata\Lavasoft
2010-01-04 16:46 . 2009-02-23 18:56 -------- d-----w- c:\program files\Lavasoft
2010-01-04 12:45 . 2009-08-09 16:41 -------- d-----w- c:\program files\Google
2009-12-23 13:44 . 2008-07-13 02:57 -------- d-----w- c:\programdata\WildTangent
2009-12-15 11:52 . 2008-07-30 23:45 76568 ----a-w- c:\users\Ivanhoe\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-15 11:40 . 2008-04-25 02:33 -------- d-----w- c:\programdata\Microsoft Help
2009-12-14 23:09 . 2009-11-28 20:20 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\Skype
2009-12-14 23:06 . 2009-07-31 12:24 -------- d-----w- c:\users\Ivanhoe\AppData\Roaming\skypePM
2009-12-14 16:44 . 2009-12-14 16:44 16 ----a-w- c:\users\Ivanhoe\AppData\Roaming\fvgqad.dat
2009-12-10 21:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 18:13 . 2009-12-09 18:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-11-28 20:19 . 2009-11-28 20:19 -------- d-----w- c:\program files\Common Files\Skype
2009-11-28 20:19 . 2009-11-28 20:19 -------- d-----r- c:\program files\Skype
2009-11-28 20:19 . 2009-07-31 12:13 -------- d-----w- c:\programdata\Skype
2009-11-26 21:17 . 2009-11-26 21:17 1961720 ----a-w- c:\users\Ivanhoe\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-11-26 21:14 . 2008-07-13 02:50 -------- d-----w- c:\programdata\CyberLink
2009-11-02 19:42 . 2009-10-04 18:31 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 09:57 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 21:00 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 21:00 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-25 21:30 . 2009-05-28 10:50 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\users\Ivanhoe\AppData\Roaming\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 22328 ----a-w- c:\users\Ivanhoe\AppData\Roaming\PnkBstrK.sys
2009-10-25 21:27 . 2009-10-25 21:27 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-25 21:27 . 2009-10-25 21:27 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-25 21:27 . 2009-10-25 21:27 2250024 ----a-w- c:\windows\system32\pbsvc.exe
2009-10-25 11:02 . 2008-10-10 01:37 15252096 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-23 15:25 . 2009-10-23 15:25 138240 ----a-w- c:\users\Ivanhoe\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-24 455968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-10-25 35328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\users\Ivanhoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update ESET's license.lnk - c:\program files\ESET\MiNODLogin\MiNODLogin.exe [2009-10-24 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [1/6/2010 4:20 PM 114768]
R1 SSHDRV65;SSHDRV65;c:\windows\System32\drivers\SSHDRV65.sys [3/31/2009 8:55 PM 120320]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [1/6/2010 4:20 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [1/6/2010 4:19 PM 53328]
S2 gupdate1ca1910841b45d8;Google Update Service (gupdate1ca1910841b45d8);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2009 5:43 PM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KEJNN
*Deregistered* - kejnn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-09 16:41]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 16:43]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 16:43]

2010-01-06 c:\windows\Tasks\User_Feed_Synchronization-{9E29BE8E-64C9-4048-803A-A3E2957A196D}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.centrum.cz/skinit/icq/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Ivanhoe\AppData\Roaming\Mozilla\Firefox\Profiles\anf80jb7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - ORPHANS REMOVED - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 00:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x858AC1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a5a4322
\Driver\ACPI -> acpi.sys @ 0x80743d4c
\Driver\atapi -> 0x858ac1f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kejnn]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2870796406-1887052798-2938797926-1000\Software\SecuROM\License information*]
"datasecu"=hex:06,f6,1e,8d,b2,75,56,d8,2c,41,b4,90,f8,8b,32,4e,19,fb,6c,75,68,
ce,3f,36,57,41,a4,46,3f,04,92,8f,fc,04,1b,79,13,5e,44,39,e7,44,0a,07,25,ca,\
"rkeysecu"=hex:76,5a,9f,ae,d9,7f,8a,29,fb,a6,b6,04,8c,ca,01,37

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\conime.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2010-01-07 00:20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 23:20
ComboFix2.txt 2010-01-05 23:52

Pre-Run: 9,475,854,336 bytes free
Post-Run: 9,258,811,392 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B82D85DED76AACBF11A893ECA4606D6E
Upload was successful

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#7 Post by iwanhoe »


motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: rootkit kejnn.sys

#8 Post by motji »

Could you please also test c:\windows\system32\drivers\kejnn.sys at http://www.virustotal.com
so I know what kind of beast it is; it's holding on tooth and nail :?: :D

:arrow: uninstall all virtual drives (Daemon or Alcohol)

:arrow: Download SPTD http://www.duplexsecure.com/en/downloads
- choose the version for your operating system: SPTD for Windows (32 bit) or (64b)
- save it to the desktop and run it
- choose the Uninstall option
- restart the PC
- run gmer


:arrow: Download Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- unpack it and run it
- a scan will run; when it finishes, a window with the results opens; click Save to save the log, then post it here

- Following the guide in the link, run the second scan and post that log here too.

:arrow: download MBR
http://www2.gmer.net/mbr/mbr.exe
- save it to the desktop


:arrow: Start - Run
paste into the box

Code:

"%userprofile%\plocha\mbr" -t
OK

:arrow: a log named mbr.log will be created; post it here
Do not use COMBOFIX without an advisor's recommendation; it can damage the system!
Always back up important data before disinfecting a computer :!:
Want to support our forum? Information here

I am usually reachable at night, between 21:00 and 23:00
If you have any questions, you can e-mail me at Motji(at)forum.viry.cz.

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#9 Post by iwanhoe »

unfortunately I can't get kejnn.sys tested; it throws the message "A device attached to the system is not functioning". It really is holding on tooth and nail :wink:

here is the first log from gmer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-07 18:09:59
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Ivanhoe\AppData\Local\Temp\kxlciaob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86797200

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kejnn <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


Second log from gmer


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-07 18:08:05
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Ivanhoe\AppData\Local\Temp\kxlciaob.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\kejnn.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EA0F340, 0x3FA057, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[664] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000B0002
IAT C:\Windows\system32\services.exe[664] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000B0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86797200

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kejnn <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9E 0x01 0x15 0x89 ...
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0x4A 0x66 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x71 0xC0 0x3F 0x90 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x16 0x62 0x77 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\kejnn@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kejnn@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\kejnn@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0x4A 0x66 0xB0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x71 0xC0 0x3F 0x90 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x16 0x62 0x77 0x89 ...
Reg HKLM\SYSTEM\ControlSet004\Services\kejnn@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\kejnn@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\kejnn@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9E 0x01 0x15 0x89 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Ivanhoe\AppData\Local\Temp\~ROMFN_000008E4 1020 bytes

---- EOF - GMER 1.0.15 ----
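The GMER output above shows the combination that marks kejnn as a rootkit: a service hidden from the normal service enumeration, yet registered in every control set as a boot-start kernel driver (Type 1, Start 0, group "Boot Bus Extender"). The Python script below is an added example, not part of GMER or of any post in this thread; it parses lines in the GMER 1.0.15 format (the sample input is constructed from the log above, plus two constructed sptd@Type/@Start lines for contrast) and reports boot-start drivers, flagging the hidden ones as rootkit candidates.

```python
"""Triage GMER 'Services' and 'Registry' lines for hidden boot-start drivers.

Added example for this thread; not part of GMER or of the original posts.
Assumed input format: GMER 1.0.15 log lines as posted above.
"""
import re
from collections import defaultdict

# Constructed sample input: GMER lines copied from this thread, plus two
# constructed sptd@Type/@Start lines (not in the posted log) to show a
# visible boot-start driver that must NOT be reported as a rootkit candidate.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kejnn <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kejnn@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
"""

# "Service (*** hidden *** ) [BOOT] kejnn <-- ROOTKIT !!!"
HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
# "Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>[\<subkey>]@<value> <data>"
REG_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>\\[^@\s]*)?@(?P<val>\w+)\s*(?P<data>.*)$"
)

SERVICE_BOOT_START = "0"     # Start=0: loaded by the boot loader, before the kernel
SERVICE_KERNEL_DRIVER = "1"  # Type=1: kernel-mode driver


def parse_gmer(text):
    """Return (hidden, services).

    hidden maps service name -> start tag from the Services section;
    services[control_set][name] maps value name -> data for values set
    directly on the service key (subkeys such as sptd\Cfg are skipped).
    """
    hidden = {}
    services = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            hidden[m.group("name").lower()] = m.group("start")
            continue
        m = REG_RE.match(line)
        if m and not m.group("sub"):
            cs, svc = m.group("cs"), m.group("svc").lower()
            services[cs][svc][m.group("val")] = m.group("data").strip()
    return hidden, services


def triage(text):
    """List every boot-start kernel driver per control set and flag the ones
    that GMER could not see through the normal service enumeration."""
    hidden, services = parse_gmer(text)
    findings = []
    for cs, svcs in services.items():
        for name, vals in svcs.items():
            if vals.get("Type") != SERVICE_KERNEL_DRIVER:
                continue
            if vals.get("Start") != SERVICE_BOOT_START:
                continue
            findings.append({
                "control_set": cs,
                "service": name,
                "group": vals.get("Group", ""),
                "hidden": name in hidden,
            })
    return sorted(findings, key=lambda f: (f["control_set"], f["service"]))


def rootkit_candidates(text):
    """Hidden boot-start drivers and the control sets they persist in.
    A driver registered in every control set also survives Last Known Good."""
    by_name = defaultdict(set)
    for f in triage(text):
        if f["hidden"]:
            by_name[f["service"]].add(f["control_set"])
    return {name: sorted(sets) for name, sets in by_name.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "HIDDEN <-- rootkit candidate" if f["hidden"] else "visible"
        print(f'{f["control_set"]:18} {f["service"]:8} group={f["group"]!r:22} {tag}')
    print(rootkit_candidates(SAMPLE_LOG))
```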

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#10 Post by iwanhoe »

MBR log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: rootkit kejnn.sys

#11 Post by motji »

:!: Back up your important data, just to be safe :)

:arrow: Download Avenger
http://swandog46.geekstogo.com/avenger.exe

- run the program and confirm by clicking OK; by doing so you confirm that everything you do with it is at your own risk.
- After clicking, the program's main window appears; copy this script into its white box:

Code:

drivers to delete:
kejnn

Files to delete:
File C:\Users\Ivanhoe\AppData\Local\Temp\~ROMFN_000008E4
C:\Windows\system32\DRIVERS\\kejnn.sys
:!: - tick the "scan for rootkits" box

and click the Execute button.
- A window then appears where you confirm running the script by clicking Yes. Then confirm the computer restart by clicking Yes again.
- After the restart, Notepad should open with the log of the script run; it will also be saved in C:\avenger.txt.
- Post the log here

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#12 Post by iwanhoe »

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "kejnn" deleted successfully.

Error: could not open file "File C:\Users\Ivanhoe\AppData\Local\Temp\~ROMFN_000008E4"
Deletion of file "File C:\Users\Ivanhoe\AppData\Local\Temp\~ROMFN_000008E4" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\Windows\system32\DRIVERS\\kejnn.sys"
Deletion of file "C:\Windows\system32\DRIVERS\\kejnn.sys" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name


Completed script processing.

*******************

Finished! Terminate.
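Both file deletions in the Avenger log above failed for the reasons the status codes name: the first entry kept GMER's "File " prefix, so Avenger looked for an object whose path starts with "File C:" (STATUS_OBJECT_PATH_NOT_FOUND), and the second contains a doubled backslash in "DRIVERS\\kejnn.sys" (STATUS_OBJECT_NAME_INVALID). The Python script below is an added example, not part of The Avenger or of any post here; it checks such a script before it is run, assuming the section layout of the posted script ("drivers to delete:" followed by service names, "Files to delete:" followed by absolute paths), and uses the posted script as its constructed input.

```python
"""Pre-flight check for an Avenger-style removal script.

Added example for this thread; not part of The Avenger or of the original posts.
Assumes the section layout of the script posted above.
"""
import re

# Constructed sample: the script as posted in this thread, with both defects.
SAMPLE_SCRIPT = r"""drivers to delete:
kejnn

Files to delete:
File C:\Users\Ivanhoe\AppData\Local\Temp\~ROMFN_000008E4
C:\Windows\system32\DRIVERS\\kejnn.sys
"""

# Absolute Windows path: drive letter, then backslash-separated components
# without the characters NTFS forbids in names.
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*$')
# Tags GMER prints at the start of its lines; they are not part of the object name.
LOG_TAG_RE = re.compile(r"^(File|Reg|Service|Device)\s+(.*)$")


def parse_sections(text):
    """Split the script into {section_key: (header_as_written, [entries])}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            sections[current] = (line, [])
        elif current is not None:
            sections[current][1].append(line)
    return sections


def check_file_entry(entry):
    """Return (fixed_entry, problems) for one 'Files to delete' line."""
    problems, fixed = [], entry
    m = LOG_TAG_RE.match(fixed)
    if m:
        # "File C:\..." is what a GMER line copied verbatim looks like; Avenger
        # then reports STATUS_OBJECT_PATH_NOT_FOUND, as in the log above.
        problems.append(f"leading '{m.group(1)} ' tag copied from a scan log")
        fixed = m.group(2)
    if "\\\\" in fixed:
        # A doubled separator is an invalid object name (STATUS_OBJECT_NAME_INVALID).
        problems.append("doubled backslash in path")
        fixed = re.sub(r"\\{2,}", r"\\", fixed)
    if not WIN_PATH_RE.match(fixed):
        problems.append("not an absolute Windows path")
    return fixed, problems


def check_driver_entry(entry):
    """'drivers to delete' takes service names (like 'kejnn' above), not paths."""
    problems = []
    if "\\" in entry or entry.lower().endswith(".sys"):
        problems.append("looks like a file path; use the service name")
    return entry, problems


def check_script(text):
    """Return {section_key: (header, [(original, fixed, problems), ...])}
    for the sections this checker knows about."""
    checkers = {"files to delete": check_file_entry,
                "drivers to delete": check_driver_entry}
    report = {}
    for key, (header, entries) in parse_sections(text).items():
        check = checkers.get(key)
        if check is None:
            continue
        report[key] = (header, [(e, *check(e)) for e in entries])
    return report


def fix_script(text):
    """Rebuild the script with every correctable entry replaced by its fix."""
    out = []
    for header, rows in check_script(text).values():
        out.append(header)
        out.extend(fixed for _, fixed, _ in rows)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for header, rows in check_script(SAMPLE_SCRIPT).values():
        print(header)
        for original, fixed, problems in rows:
            print(f"  {original!r} -> {fixed!r} {problems or 'OK'}")
    print(fix_script(SAMPLE_SCRIPT))
```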

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: rootkit kejnn.sys

#13 Post by motji »

Could you please run gmer again?

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#14 Post by iwanhoe »

gmer has been run

iwanhoe
Visitor
Posts: 17
Registered: 05 Jan 2010 23:41

Re: rootkit kejnn.sys

#15 Post by iwanhoe »

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-07 21:57:36
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Ivanhoe\AppData\Local\Temp\kxlciaob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
