
PC disinfection, computer speed-up, remote help via the neslape.cz service
Win32/Rustock in memory, cannot be removed
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for understanding.
!NEWS!
You can now use the remote help service, where an expert connects to your computer and obtains further details of the problem from you by phone! More at www.neslape.cz
Hello, please advise me what to do about the virus. Thanks in advance.
LOG:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Crusader at 2010-03-31 08:46:39
Microsoft Windows XP Professional Service Pack 2
System drive C: has 11 GB (15%) free of 76 GB
Total RAM: 511 MB (41% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:57, on 31.3.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Crusader\Plocha\RSIT.exe
C:\Documents and Settings\Administrator\Plocha\Crusader.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.juicyaccess.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: System Search Dispatcher - {cdbfb47b-58a8-4111-bf95-06178dce326d} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [java_sun] Java (Sun)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ACBD8F3-39DB-4753-900D-70090B9F0A8F}: NameServer = 212.158.128.2,212.158.128.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 4783 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\1-Click Maintenance.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 54248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cdbfb47b-58a8-4111-bf95-06178dce326d}]
System Search Dispatcher
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-31 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-31 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-04-09 2029640]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-31 149280]
"ZoneAlarm Client"=C:\Program Files\ZoneAlarm\zlclient.exe [2009-02-16 981384]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2001-08-23 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^nabídka start^programy^po spuštění^digimax viewer 2.1.lnk]
C:\PROGRA~1\Samsung\DIGIMA~1.1\STIMGB~1.EXE [2004-02-10 626688]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^crusader^nabídka start^programy^po spuštění^magicdisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2009-02-23 576000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:utorrent"
"C:\Program Files\Totalcmd\TOTALCMD.EXE"="C:\Program Files\Totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Games\CS\hl.exe"="C:\Games\CS\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\SecondLife\SLVoice.exe"="C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice"
"C:\Program Files\SecondLife\SecondLife.exe"="C:\Program Files\SecondLife\SecondLife.exe:*:Enabled:Second Life"
"C:\Program Files\Miranda MP\MirandaPack\miranda32.exe"="C:\Program Files\Miranda MP\MirandaPack\miranda32.exe:*:Enabled:Miranda IM"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Opera 10 Beta\opera.exe"="C:\Program Files\Opera 10 Beta\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12f8fb14-0443-11df-aafc-001109ccf83c}]
shell\autorun\command - G:\Autorun.exe
======List of files/folders created in the last 1 months======
2010-03-31 08:46:39 ----D---- C:\rsit
======List of files/folders modified in the last 1 months======
2010-03-31 08:46:55 ----D---- C:\WINDOWS\Prefetch
2010-03-31 08:46:44 ----D---- C:\WINDOWS\temp
2010-03-31 07:27:07 ----A---- C:\WINDOWS\wincmd.ini
2010-03-31 06:54:56 ----D---- C:\WINDOWS\Internet Logs
2010-03-30 21:51:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-28 23:59:31 ----SHD---- C:\WINDOWS\Installer
2010-03-17 18:27:18 ----RD---- C:\Program Files
2010-03-17 18:22:52 ----D---- C:\Program Files\ZoneAlarm
2010-03-17 18:22:44 ----D---- C:\WINDOWS\system32
2010-03-17 18:21:34 ----D---- C:\Texty
2010-03-17 18:17:28 ----D---- C:\Obrazky
2010-03-16 14:47:50 ----D---- C:\UKLIDIT
2010-03-05 16:50:53 ----A---- C:\WINDOWS\jpegcode.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 42496]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-04-09 55768]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-11-25 54368]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-04-09 113960]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-04-09 133000]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2001-08-23 60800]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-04-09 33096]
R3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2001-08-23 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2001-08-23 26624]
R3 usbhub;USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2001-08-23 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2001-08-23 20480]
S1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
S3 3dfxvs;3dfxvs; C:\WINDOWS\system32\DRIVERS\3dfxvsm.sys [2001-08-17 148352]
S3 HidUsb;HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 21504]
S3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-11 47360]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-03 25600]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 wpdusb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-04-09 731840]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-31 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 159812]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2001-08-23 14336]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-04-09 20680]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
-----------------EOF-----------------
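To show how a helper reads a log like the one above, here is an added example that is not part of the original post and is not code from RSIT or HijackThis. It is a small Python triage script run over constructed sample lines that mirror the notable entries in this log. The rules, the allowlist of default start-page hosts and the list of user-profile directories are assumptions about what a helper checks first; a hit means "verify this entry", not "this is malware".

```python
"""Heuristic triage of a HijackThis / RSIT-style log.

Added example for this thread; not code from the original post and not part
of RSIT or HijackThis. The sample lines below are constructed to mirror the
notable entries in the log above, and every rule here is an assumption about
what a helper looks at first. A hit means "verify this", not "this is malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # which heuristic fired
    evidence: str   # the log line that triggered it


# Constructed sample: a subset of the entries from the log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Documents and Settings\Administrator\Plocha\Crusader.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.juicyaccess.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: System Search Dispatcher - {cdbfb47b-58a8-4111-bf95-06178dce326d} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12f8fb14-0443-11df-aafc-001109ccf83c}]
shell\autorun\command - G:\Autorun.exe
"""

# Assumed allowlist: hosts a stock IE start/search page may point at.
DEFAULT_PAGE_HOSTS = ("go.microsoft.com", "www.msn.com", "about:blank")

# Profile directories a running binary normally has no business living in.
# "Plocha" is the Czech Windows name of the Desktop folder, as in the log above.
USER_PROFILE_DIRS = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Plocha|Desktop|Local Settings\\Temp|Application Data)\\",
    re.IGNORECASE,
)

PAGE_ENTRY = re.compile(
    r"^R[01] - .*?,(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (\S+)"
)


def triage(log_text: str) -> list[Finding]:
    """Return the lines worth a second look, in log order."""
    findings: list[Finding] = []
    in_mountpoints = False  # inside a MountPoints2 registry key block

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Running-process list: bare absolute paths. Flag binaries started
        # from a user profile (desktop, temp, application data).
        if re.match(r"^[A-Za-z]:\\", line) and USER_PROFILE_DIRS.search(line):
            findings.append(Finding("process running from a user-profile directory", line))
            continue

        # R0/R1: IE start and search pages pointing somewhere non-default.
        m = PAGE_ENTRY.match(line)
        if m and not any(host in m.group(2) for host in DEFAULT_PAGE_HOSTS):
            findings.append(Finding("non-default browser start/search page", line))
            continue

        # O2: a BHO still registered although its DLL is gone.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("orphaned BHO registration (no file on disk)", line))
            continue

        # O23: service with no recognised vendor and a truncated image path.
        # On XP HijackThis commonly shows this for svchost-hosted services
        # such as BITS and wuauserv, so confirm ImagePath before acting.
        if line.startswith("O23 - Service:") and "Unknown owner" in line and line.endswith("\\"):
            findings.append(Finding("service with unknown owner and truncated image path", line))
            continue

        # MountPoints2: per-volume autorun commands (USB stick autorun).
        if line.startswith("["):
            in_mountpoints = "mountpoints2" in line.lower()
            continue
        if in_mountpoints and line.lower().startswith(r"shell\autorun\command"):
            findings.append(Finding("autorun command registered for a removable drive", line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}]\n    {f.evidence}")
```

Run against the sample it reports five entries: the binary started from the Administrator's desktop, the non-Microsoft start page, the file-less "System Search Dispatcher" BHO, the BITS service line with an unknown owner, and the G:\Autorun.exe command. The wuauserv line in the full log above shows the same O23 pattern as BITS; on XP that is commonly a HijackThis display quirk for svchost-hosted services, which is why the rule asks for the ImagePath to be confirmed rather than for the service to be removed.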
Re: Win32/Rustock in memory, cannot be removed
Good morning
Download ComboFix as follows:
- right-click the ComboFix link, choose Save as..., then rename it to Potvora.com and save it.
Download it to the desktop, close all active windows and run ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- agree to the installation of the Recovery Console
- ComboFix must be run under an account with administrator rights
- Before use, turn off all resident security programs - antivirus, firewalls, antispyware
- After it starts, the terms of use are shown; confirm them by pressing Yes
- Then follow the instructions; do not click into the window that appears while ComboFix is running
- After the scan finishes (it takes at most 10 minutes), the program should create a log - C:\ComboFix.txt; copy its entire contents here
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting the computer
Do you want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Win32/Rustock in memory, cannot be removed
ComboFix 10-03-29.04 - Crusader 01.04.2010 0:54.3.1 - x86
Spuštěný z: c:\documents and settings\Crusader\Plocha\Potvora.com.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\13560859.sys
c:\windows\system32\ieuinit.inf
c:\windows\system32\msgsvc.dll . . . je infikován!!
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_13560859
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-28 do 2010-03-31 )))))))))))))))))))))))))))))))
.
2010-03-31 06:46 . 2010-03-31 06:46 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 22:10 . 2001-08-23 13:00 68916 ----a-w- c:\windows\system32\perfc005.dat
2010-03-31 22:10 . 2001-08-23 13:00 389938 ----a-w- c:\windows\system32\perfh005.dat
2010-03-30 19:04 . 2009-12-10 22:34 3091365 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-28 23:23 . 2010-03-29 11:23 1577984 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-03-27 00:28 . 2010-03-27 21:07 1576960 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-03-18 01:47 . 2010-03-18 09:57 1565696 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-03-17 16:22 . 2009-11-07 19:37 -------- d-----w- c:\program files\ZoneAlarm
2010-03-16 20:23 . 2010-03-16 20:27 1563136 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-03-15 00:04 . 2010-03-15 11:58 1562112 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-03-06 00:39 . 2010-03-06 21:59 1558016 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-28 16:58 . 2010-02-28 16:58 -------- d-----w- c:\program files\Common Files\DirectX
2010-02-12 00:28 . 2010-02-12 21:23 1525760 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-01-18 15:03 . 2008-04-06 09:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 20:09 . 2007-12-26 21:40 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2001-08-23 15360]
[HKLM\~\startupfolder\c:^documents and settings^all users^nabídka start^programy^po spuštění^digimax viewer 2.1.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKLM\~\startupfolder\c:^documents and settings^crusader^nabídka start^programy^po spuštění^magicdisc.lnk]
path=c:\documents and settings\Crusader\Nabídka Start\Programy\Po spuštění\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
2008-05-27 08:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"c:\\Games\\CS\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6.4.2008 11:54 721904]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [25.8.2007 16:44 148352]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-05-20 17:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.juicyaccess.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4ACBD8F3-39DB-4753-900D-70090B9F0A8F} = 212.158.128.2,212.158.128.3
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 01:07
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x823DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857afc3
\Driver\ACPI -> ACPI.sys @ 0xf83d4cb8
\Driver\atapi -> prosync1.sys @ 0xf8a406c1
IoDeviceObjectType -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1715567821-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-04-01 01:33:43 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-31 23:33
Před spuštěním: Volných bajtů: 11 523 432 448
Po spuštění: Volných bajtů: 11 514 761 216
- - End Of File - - 2384875FC77A774B78A032A4CB86D8BA
Re: Win32/Rustock in memory, cannot be removed

-open Notepad
-copy the text from this box into it
Code:
Restore::
c:\windows\system32\msgsvc.dll
File::
c:\windows\Internet Logs\xDB7.tmp
c:\windows\Internet Logs\xDB6.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp
-after saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, where you drop it:

-after it is applied, another log will pop up; paste it here
Warning: it may happen that after applying the script and restarting, Windows does not boot; in that case restart again while pressing F8, then choose Last Known Good Configuration

c:\windows\system32\drivers\3dfxvsm.sys
-Copy the path to the file into the box; if it says the file has already been tested, have it tested again.
-Paste the link with the results here.
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting the computer
Do you want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Win32/Rustock in memory, cannot be removed
Good morning
ComboFix log:
ComboFix 10-03-29.04 - Crusader 01.04.2010 9:32.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.281 [GMT 2:00]
Spuštěný z: c:\documents and settings\Crusader\Plocha\Potvora.com.exe
Použité ovládací přepínače :: c:\documents and settings\Crusader\Plocha\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Rezidentní štít AV je zapnutý
FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\Internet Logs\xDB4.tmp"
"c:\windows\Internet Logs\xDB5.tmp"
"c:\windows\Internet Logs\xDB6.tmp"
"c:\windows\Internet Logs\xDB7.tmp"
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB6.tmp
c:\windows\Internet Logs\xDB7.tmp
Nakažená kopie c:\windows\system32\msgsvc.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\erdnt\cache\msgsvc.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-01 do 2010-04-01 )))))))))))))))))))))))))))))))
.
2010-03-31 06:46 . 2010-03-31 06:46 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 22:10 . 2001-08-23 13:00 68916 ----a-w- c:\windows\system32\perfc005.dat
2010-03-31 22:10 . 2001-08-23 13:00 389938 ----a-w- c:\windows\system32\perfh005.dat
2010-03-30 19:04 . 2009-12-10 22:34 3091365 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-17 16:22 . 2009-11-07 19:37 -------- d-----w- c:\program files\ZoneAlarm
2010-02-28 16:58 . 2010-02-28 16:58 -------- d-----w- c:\program files\Common Files\DirectX
2010-01-18 15:03 . 2008-04-06 09:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 20:09 . 2007-12-26 21:40 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-31_23.05.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-01 07:42 . 2010-04-01 07:42 16384 c:\windows\temp\Perflib_Perfdata_62c.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2001-08-23 15360]
[HKLM\~\startupfolder\c:^documents and settings^all users^nabídka start^programy^po spuštění^digimax viewer 2.1.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKLM\~\startupfolder\c:^documents and settings^crusader^nabídka start^programy^po spuštění^magicdisc.lnk]
path=c:\documents and settings\Crusader\Nabídka Start\Programy\Po spuštění\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
2008-05-27 08:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"c:\\Games\\CS\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6.4.2008 11:54 721904]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [25.8.2007 16:44 148352]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-05-20 17:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.juicyaccess.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4ACBD8F3-39DB-4753-900D-70090B9F0A8F} = 212.158.128.2,212.158.128.3
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 09:43
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x823DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857afc3
\Driver\ACPI -> ACPI.sys @ 0xf83d4cb8
\Driver\atapi -> prosync1.sys @ 0xf8a406c1
IoDeviceObjectType -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1715567821-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-04-01 09:52:31 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-01 07:52
ComboFix2.txt 2010-03-31 23:33
Před spuštěním: Volných bajtů: 11 454 803 968
Po spuštění: Volných bajtů: 11 417 391 104
- - End Of File - - 8645776AB3FEEB0ED7C3DDCFF066926B
Link to the test results: http://www.virustotal.com/cs/analisis/4 ... 1270108953

Log z ComboFixu :
ComboFix 10-03-29.04 - Crusader 01.04.2010 9:32.4.1 - x86
SystÚm Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.511.281 [GMT 2:00]
SpuÜtýnř z: c:\documents and settings\Crusader\Plocha\Potvora.com.exe
Pou×itÚ ovlßdacÝ p°epÝnaŔe :: c:\documents and settings\Crusader\Plocha\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* RezidentnÝ ÜtÝt AV je zapnutř
FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
"c:\windows\Internet Logs\xDB3.tmp"
"c:\windows\Internet Logs\xDB4.tmp"
"c:\windows\Internet Logs\xDB5.tmp"
"c:\windows\Internet Logs\xDB6.tmp"
"c:\windows\Internet Logs\xDB7.tmp"
.
((((((((((((((((((((((((((((((((((((((( OstatnÝ vřmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB3.tmp
c:\windows\Internet Logs\xDB4.tmp
c:\windows\Internet Logs\xDB5.tmp
c:\windows\Internet Logs\xDB6.tmp
c:\windows\Internet Logs\xDB7.tmp
Naka×enß kopie c:\windows\system32\msgsvc.dll byla nalezena a vylÚŔena.
Obnovena kopie z - c:\windows\erdnt\cache\msgsvc.dll
.
((((((((((((((((((((((((( Soubory vytvo°enÚ od 2010-03-01 do 2010-04-01 )))))))))))))))))))))))))))))))
.
2010-03-31 06:46 . 2010-03-31 06:46 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M vřpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 22:10 . 2001-08-23 13:00 68916 ----a-w- c:\windows\system32\perfc005.dat
2010-03-31 22:10 . 2001-08-23 13:00 389938 ----a-w- c:\windows\system32\perfh005.dat
2010-03-30 19:04 . 2009-12-10 22:34 3091365 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-17 16:22 . 2009-11-07 19:37 -------- d-----w- c:\program files\ZoneAlarm
2010-02-28 16:58 . 2010-02-28 16:58 -------- d-----w- c:\program files\Common Files\DirectX
2010-01-18 15:03 . 2008-04-06 09:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 20:09 . 2007-12-26 21:40 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-31_23.05.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-01 07:42 . 2010-04-01 07:42 16384 c:\windows\temp\Perflib_Perfdata_62c.dat
.
(((((((((((((((((((((((((((((((((( SpouÜtýcÝ body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznßmka* prßzdnÚ zßznamy a legitimnÝ vřchozÝ ˙daje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2001-08-23 15360]
[HKLM\~\startupfolder\c:^documents and settings^all users^nabÝdka start^programy^po spuÜtýnÝ^digimax viewer 2.1.lnk]
path=c:\documents and settings\All Users\NabÝdka Start\Programy\Po spuÜtýnÝ\Digimax Viewer 2.1.lnk
backup=c:\windows\pss\Digimax Viewer 2.1.lnkCommon Startup
[HKLM\~\startupfolder\c:^documents and settings^crusader^nabÝdka start^programy^po spuÜtýnÝ^magicdisc.lnk]
path=c:\documents and settings\Crusader\NabÝdka Start\Programy\Po spuÜtýnÝ\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
2008-05-27 08:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Totalcmd\\TOTALCMD.EXE"=
"c:\\Games\\CS\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6.4.2008 11:54 721904]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [25.8.2007 16:44 148352]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-03-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-05-20 17:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://home.juicyaccess.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4ACBD8F3-39DB-4753-900D-70090B9F0A8F} = 212.158.128.2,212.158.128.3
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 09:43
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspěšně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: TUKERNEL.EXE CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys >>UNKNOWN [0x823DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf857afc3
\Driver\ACPI -> ACPI.sys @ 0xf83d4cb8
\Driver\atapi -> prosync1.sys @ 0xf8a406c1
IoDeviceObjectType -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> TUKERNEL.EXE @ 0x805a1afe
ParseProcedure -> TUKERNEL.EXE @ 0x80570a6e
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1715567821-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštěné procesy ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-04-01 09:52:31 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-01 07:52
ComboFix2.txt 2010-03-31 23:33
Před spuštěním: Volných bajtů: 11 454 803 968
Po spuštění: Volných bajtů: 11 417 391 104
- - End Of File - - 8645776AB3FEEB0ED7C3DDCFF066926B
Link to the test results: http://www.virustotal.com/cs/analisis/4 ... 1270108953
Re: Win32/Rustock in memory, cannot be removed
How is the computer doing now?
I'd like to check one more thing.
Download Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- unpack it and run it
- a scan will run; when it finishes, a window with the results opens; click Save to save the log, which you then post here
- Following the guide in the link, run the second scan and post that log here as well.
Do not use COMBOFIX without an adviser's recommendation; it can damage the system!
Always back up important data before cleaning the computer of malware
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Win32/Rustock in memory, cannot be removed
It looks good, the virus message no longer appears, though I haven't done a full scan yet...
here are the logs
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-01 15:33:58
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Crusader\LOCALS~1\Temp\pxtdqpow.sys
---- System - GMER 1.0.15 ----
SSDT spop.sys ZwEnumerateKey [0xF8433CA4]
SSDT spop.sys ZwEnumerateValueKey [0xF8434032]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 823DC1F8
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- EOF - GMER 1.0.15 ----
-----------------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-01 17:59:18
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Crusader\LOCALS~1\Temp\pxtdqpow.sys
---- System - GMER 1.0.15 ----
SSDT 817CCA20 ZwAssignProcessToJobObject
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF293EFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF293BC80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF2956170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF293F580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF2953900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF2953B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF2957B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF293F670]
SSDT 817CD5A0 ZwDebugActiveProcess
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF293C210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF29569F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF29567A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF2953280]
SSDT spop.sys ZwEnumerateKey [0xF8433CA4]
SSDT spop.sys ZwEnumerateValueKey [0xF8434032]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF2956F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF2956F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF293C070]
SSDT spop.sys ZwOpenKey [0xF84150C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF2955180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF2954F40]
SSDT 817CCE60 ZwProtectVirtualMemory
SSDT spop.sys ZwQueryKey [0xF843410A]
SSDT spop.sys ZwQueryValueKey [0xF8433F8A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF29576F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF2957150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF293EBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF2957540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF293F190]
SSDT 817CCD00 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF293C440]
SSDT 817CCB80 ZwSetInformationThread
SSDT 817C9A50 ZwSetSecurityObject
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF29564E0]
SSDT 817CC8C0 ZwSuspendProcess
SSDT 817CC760 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF2954200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF2954080]
SSDT 817CC5F0 ZwTerminateThread
SSDT 817CD3F0 ZwWriteVirtualMemory
INT 0x62 ? 823DEBF8
INT 0x82 ? 823DEBF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
---- Kernel code sections - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF293EBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF2957540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF293F190]
SSDT 817CCD00 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF293C440]
SSDT 817CCB80 ZwSetInformationThread
SSDT 817C9A50 ZwSetSecurityObject
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF29564E0]
SSDT 817CC8C0 ZwSuspendProcess
SSDT 817CC760 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF2954200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF2954080]
SSDT 817CC5F0 ZwTerminateThread
SSDT 817CD3F0 ZwWriteVirtualMemory
INT 0x62 ? 823DEBF8
INT 0x82 ? 823DEBF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
INT 0xB4 ? 81ED9BF8
---- Kernel code sections - GMER 1.0.15 ----
.text TUKERNEL.EXE!_abnormal_termination + 107 804E2DD8 12 Bytes [80, F5, 93, F2, 00, 39, 95, ...]
.text TUKERNEL.EXE!_abnormal_termination + 443 804E3114 12 Bytes [C0, C8, 7C, 81, 60, C7, 7C, ...]
.text TUKERNEL.EXE!IoSetFileOrigin + 3C0 80516C00 12 Bytes [46, 0C, 85, C0, 74, 08, 3B, ...]
.text TUKERNEL.EXE!IoSetFileOrigin + 3CE 80516C0E 45 Bytes [84, DB, 0F, 85, 7D, 3D, 00, ...]
.text TUKERNEL.EXE!IoSetFileOrigin + 3FC 80516C3C 15 Bytes JMP 80501F97 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoSetFileOrigin + 40C 80516C4C 9 Bytes JMP 80501F6D \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoSetFileOrigin + 418 80516C58 7 Bytes [84, DB, 75, BA, E9, FE, 3C]
.text ...
.text TUKERNEL.EXE!RtlFindClearRuns + 76 805170F4 129 Bytes [0F, BE, BE, 68, B8, 4E, 80, ...]
.text TUKERNEL.EXE!RtlFindClearRuns + F8 80517176 87 Bytes [B6, 91, 68, B9, 4E, 80, 8A, ...]
.text TUKERNEL.EXE!RtlFindClearRuns + 150 805171CE 75 Bytes JMP C3355CDB
.text TUKERNEL.EXE!RtlFindClearRuns + 19C 8051721A 16 Bytes [8D, 0C, D0, 8B, 55, E4, 89, ...]
.text TUKERNEL.EXE!RtlFindClearRuns + 1AD 8051722B 15 Bytes JMP 805170F3 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
.text TUKERNEL.EXE!RtlFindNextForwardRunClear + 2D 80517CD2 129 Bytes [F9, 74, 1A, 8B, C1, 83, E0, ...]
.text TUKERNEL.EXE!RtlFindNextForwardRunClear + AF 80517D54 36 Bytes [C8, 83, E1, 1F, D3, EB, F6, ...]
.text TUKERNEL.EXE!RtlFindNextForwardRunClear + D6 80517D7B 68 Bytes [EB, 90, 83, 7D, F4, 01, 0F, ...]
.text TUKERNEL.EXE!RtlFindNextForwardRunClear + 11B 80517DC0 90 Bytes [FF, 0D, C4, 19, 55, 80, E9, ...]
.text TUKERNEL.EXE!RtlFindNextForwardRunClear + 176 80517E1B 29 Bytes [FF, 15, A8, 75, 4D, 80, 89, ...]
.text ...
.text TUKERNEL.EXE!IoInitializeIrp + 54 8051823D 112 Bytes [88, 46, 26, 8D, 46, 10, 89, ...]
.text TUKERNEL.EXE!_stricmp + 4D 805182AE 20 Bytes [0F, BE, C0, 5B, 5E, 5F, C9, ...]
.text TUKERNEL.EXE!KeInsertHeadQueue + 8 805182C3 44 Bytes [15, 68, 76, 4D, 80, 8B, 55, ...]
.text TUKERNEL.EXE!KeInsertHeadQueue + 35 805182F0 67 Bytes [00, 00, 83, 75, 0C, 01, E9, ...]
.text TUKERNEL.EXE!KeInsertHeadQueue + 79 80518334 1 Byte [90]
.text TUKERNEL.EXE!KeInsertHeadQueue + 7D 80518338 3 Bytes [FF, FF, FF]
.text TUKERNEL.EXE!KeInsertHeadQueue + 81 8051833C 25 Bytes [C1, D1, 5F, 80, D4, D1, 5F, ...]
.text TUKERNEL.EXE!PsGetProcessImageFileName + 2 80518356 63 Bytes [55, 8B, EC, 8B, 45, 08, 05, ...]
.text TUKERNEL.EXE!PsGetProcessImageFileName + 42 80518396 58 Bytes [7D, E0, 00, 0F, 84, 0B, FE, ...]
.text TUKERNEL.EXE!PsGetProcessImageFileName + 7D 805183D1 14 Bytes [0F, 84, A7, 14, 00, 00, 8D, ...]
.text TUKERNEL.EXE!PsGetProcessImageFileName + 8C 805183E0 45 Bytes [83, 65, D4, 00, FF, 37, 6A, ...]
.text TUKERNEL.EXE!PsGetProcessImageFileName + BC 80518410 3 Bytes [FF, FF, FF]
.text ...
.text TUKERNEL.EXE!PoSetSystemState + 56 80518611 2 Bytes [87, 01] {XCHG [ECX], EAX}
.text TUKERNEL.EXE!PoSetSystemState + 59 80518614 30 Bytes [C0, 75, 1C, 21, 05, E0, 3A, ...]
.text TUKERNEL.EXE!PoSetSystemState + 78 80518633 36 Bytes [C2, 04, 00, 90, 90, 90, 90, ...]
.text TUKERNEL.EXE!PoSetSystemState + 9D 80518658 125 Bytes [0F, 84, A9, 00, 01, 00, 6A, ...]
.text TUKERNEL.EXE!PoSetSystemState + 11B 805186D6 20 Bytes CALL 804EC9F3 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
.text TUKERNEL.EXE!CcDeferWrite + 9 8052ACF7 8 Bytes [44, 77, 6A, 28, 33, DB, 53, ...] {INC ESP; JA 0x6d; SUB [EBX], DH; FIST DWORD [EBX-0x18]}
.text TUKERNEL.EXE!CcDeferWrite + 12 8052AD00 112 Bytes [03, 02, 00, 3B, C3, 75, 0B, ...]
.text TUKERNEL.EXE!CcDeferWrite + 83 8052AD71 10 Bytes [15, 68, 76, 4D, 80, 38, 1D, ...]
.text TUKERNEL.EXE!CcDeferWrite + 8E 8052AD7C 14 Bytes [88, 45, 1F, 75, 06, 53, E8, ...] {MOV [EBP+0x1f], AL; JNZ 0xb; PUSH EBX; CALL 0xfffffffffffba795; MOV CL, [EBP+0x1f]}
.text TUKERNEL.EXE!CcDeferWrite + 9D 8052AD8B 4 Bytes [15, 70, 76, 4D]
.text ...
.text TUKERNEL.EXE!CcRepinBcb + 2 8052ADE3 16 Bytes [55, 8B, EC, 83, EC, 0C, 56, ...]
.text TUKERNEL.EXE!CcRepinBcb + 13 8052ADF4 5 Bytes [00, 00, 8D, 55, F4] {ADD [EAX], AL; LEA EDX, [EBP-0xc]}
.text TUKERNEL.EXE!CcRepinBcb + 19 8052ADFA 11 Bytes [15, 58, 76, 4D, 80, FF, 46, ...] {ADC EAX, 0x804d7658; INC DWORD [ESI+0x34]; LEA ECX, [EBP-0xc]}
.text TUKERNEL.EXE!CcRepinBcb + 25 8052AE06 9 Bytes [15, 5C, 76, 4D, 80, 5E, C9, ...]
.text TUKERNEL.EXE!CcRepinBcb + 2F 8052AE10 47 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ...
.text TUKERNEL.EXE!CcUnpinRepinnedBcb + 4 8052AF90 42 Bytes [EC, 53, 56, 8B, 75, 08, 8B, ...]
.text TUKERNEL.EXE!CcUnpinRepinnedBcb + 2F 8052AFBB 37 Bytes [38, 5E, 02, 74, 6C, FF, 76, ...]
.text TUKERNEL.EXE!CcUnpinRepinnedBcb + 56 8052AFE2 175 Bytes [70, 8B, 40, 44, FF, 70, 14, ...]
.text TUKERNEL.EXE!CcIsThereDirtyData + 14 8052B093 32 Bytes [D7, 8B, 35, 40, 6D, 55, 80, ...]
.text TUKERNEL.EXE!CcIsThereDirtyData + 35 8052B0B4 40 Bytes [74, 06, F6, 42, 2D, 80, 74, ...]
.text TUKERNEL.EXE!CcIsThereDirtyData + 5E 8052B0DD 13 Bytes [83, 65, FC, 00, FF, D7, 83, ...]
.text TUKERNEL.EXE!CcIsThereDirtyData + 6C 8052B0EB 25 Bytes [8B, 33, 83, EE, 64, 8D, 5E, ...]
.text TUKERNEL.EXE!CcIsThereDirtyData + 86 8052B105 26 Bytes [5F, 5E, 8A, C3, 5B, C9, C2, ...]
.text TUKERNEL.EXE!CcGetLsnForFileObject + 4 8052B120 42 Bytes [EC, 83, EC, 1C, 8B, 45, 08, ...]
.text TUKERNEL.EXE!CcGetLsnForFileObject + 2F 8052B14B 14 Bytes [00, 00, 8D, 55, E4, FF, 15, ...] {ADD [EAX], AL; LEA EDX, [EBP-0x1c]; CALL [0x804d7658]; LEA EDI, [ESI+0x10]}
.text TUKERNEL.EXE!CcGetLsnForFileObject + 3E 8052B15A 120 Bytes CALL 909B3E6F
.text TUKERNEL.EXE!CcGetLsnForFileObject + B7 8052B1D3 78 Bytes [8B, 45, 0C, 85, C0, 5F, 74, ...]
.text TUKERNEL.EXE!CcGetLsnForFileObject + 106 8052B222 66 Bytes [83, C0, 04, 50, 89, 0E, E8, ...]
.text TUKERNEL.EXE!CcSetDirtyPageThreshold + 7 8052B266 11 Bytes [08, 8B, 48, 14, 8B, 49, 04, ...] {OR [EBX+0x498b1448], CL; ADD AL, 0x85; LEAVE ; JZ 0x14}
.text TUKERNEL.EXE!CcSetDirtyPageThreshold + 13 8052B272 5 Bytes [55, 0C, 89, 91, A8]
.text TUKERNEL.EXE!CcSetDirtyPageThreshold + 19 8052B278 30 Bytes [00, 00, 8B, 48, 0C, F6, 41, ...]
.text TUKERNEL.EXE!CcSetDirtyPageThreshold + 3A 8052B299 5 Bytes [90, 90, 8B, FF, 55] {NOP ; NOP ; MOV EDI, EDI; PUSH EBP}
.text TUKERNEL.EXE!CcGetFileObjectFromSectionPtrs + 4 8052B29F 36 Bytes [EC, 56, 33, F6, FF, 15, 68, ...]
.text TUKERNEL.EXE!CcGetFileObjectFromSectionPtrs + 2A 8052B2C5 123 Bytes [90, 90, 90, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!CcGetFileObjectFromBcb + 6E 8052B341 160 Bytes [8B, 08, 8B, 40, 04, C6, 45, ...]
.text TUKERNEL.EXE!CcGetFileObjectFromBcb + 110 8052B3E3 51 Bytes [89, 48, 04, 89, 01, 80, 3D, ...]
.text TUKERNEL.EXE!CcGetFileObjectFromBcb + 144 8052B417 23 Bytes CALL 8052C5C2 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!CcGetFileObjectFromBcb + 15C 8052B42F 30 Bytes [85, F6, 8B, C6, 75, F2, 5F, ...]
.text TUKERNEL.EXE!CcMdlWriteAbort + 8 8052B44E 25 Bytes [08, 8B, 40, 14, 53, 56, 8B, ...]
.text TUKERNEL.EXE!CcMdlWriteAbort + 22 8052B468 37 Bytes [01, 80, 7D, FF, 00, 8B, 1F, ...]
.text TUKERNEL.EXE!CcMdlWriteAbort + 48 8052B48E 42 Bytes [FF, 4E, 04, 8A, D8, 75, 44, ...]
.text TUKERNEL.EXE!CcMdlWriteAbort + 73 8052B4B9 10 Bytes [89, 48, 04, 89, 01, 80, 3D, ...]
.text TUKERNEL.EXE!CcMdlWriteAbort + 7E 8052B4C4 5 Bytes [00, A3, 44, 6D, 55]
.text ...
.text TUKERNEL.EXE!CcPrepareMdlWrite + 49 8052B53C 25 Bytes CALL 804EF21D \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!CcPrepareMdlWrite + 63 8052B556 6 Bytes [65, FC, 00, 83, 7D, 10]
.text TUKERNEL.EXE!CcPrepareMdlWrite + 6A 8052B55D 5 Bytes [0F, 84, AC, 01, 00]
.text TUKERNEL.EXE!CcPrepareMdlWrite + 70 8052B563 82 Bytes [8D, 4D, E0, 51, 8D, 4D, E4, ...]
.text TUKERNEL.EXE!CcPrepareMdlWrite + C3 8052B5B6 36 Bytes [00, 00, 85, C8, 75, 04, 83, ...]
.text ...
.text TUKERNEL.EXE!CcWaitForCurrentLazyWriterActivity + 19 8052B834 2 Bytes [FF, 47]
.text TUKERNEL.EXE!CcWaitForCurrentLazyWriterActivity + 1D 8052B838 19 Bytes CALL 804E29EE \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!CcWaitForCurrentLazyWriterActivity + 31 8052B84C 40 Bytes [00, FF, 47, 0C, 8B, CF, E8, ...]
.text TUKERNEL.EXE!CcWaitForCurrentLazyWriterActivity + 5A 8052B875 32 Bytes [00, C0, EB, 6B, C6, 46, 0C, ...]
.text TUKERNEL.EXE!CcWaitForCurrentLazyWriterActivity + 7B 8052B896 61 Bytes [46, 08, FF, 15, 68, 76, 4D, ...]
.text ...
.text TUKERNEL.EXE!FsRtlIncrementCcFastReadResourceMiss + 1 8052BB5A 3 Bytes [05, 48, 6C]
.text TUKERNEL.EXE!FsRtlIncrementCcFastReadResourceMiss + 6 8052BB5F 11 Bytes [C3, CC, CC, CC, CC, CC, 90, ...] {RET ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
.text TUKERNEL.EXE!FsRtlMdlReadComplete + 1 8052BB6B 14 Bytes [FF, 55, 8B, EC, 56, 57, 8B, ...]
.text TUKERNEL.EXE!FsRtlMdlReadComplete + 10 8052BB7A 25 Bytes [8B, F0, 8B, 46, 08, 8B, 40, ...]
.text TUKERNEL.EXE!FsRtlMdlReadComplete + 2A 8052BB94 57 Bytes [75, 0C, 57, FF, D0, EB, 2D, ...]
.text TUKERNEL.EXE!FsRtlMdlReadComplete + 64 8052BBCE 82 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!FsRtlLookupLastLargeMcbEntryAndIndex + 36 8052BC21 11 Bytes [C8, FF, EB, 1D, 8D, 78, FF, ...] {ENTER 0xebff, 0x1d; LEA EDI, [EAX-0x1]; TEST EDI, EDI; JZ 0xf}
.text TUKERNEL.EXE!FsRtlLookupLastLargeMcbEntryAndIndex + 42 8052BC2D 58 Bytes [54, C1, F0, 8B, 46, 08, 8B, ...]
.text TUKERNEL.EXE!FsRtlLookupLastLargeMcbEntryAndIndex + 7D 8052BC68 4 Bytes CALL 8052BC9B \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlLookupLastLargeMcbEntryAndIndex + 82 8052BC6D 2 Bytes [33, C9] {XOR ECX, ECX}
.text TUKERNEL.EXE!FsRtlLookupLastLargeMcbEntryAndIndex + 85 8052BC70 106 Bytes [45, 0C, 83, 38, FF, 0F, 95, ...]
.text TUKERNEL.EXE!FsRtlLookupLastMcbEntry + 2 8052BCDB 11 Bytes [55, 8B, EC, 83, EC, 10, 8D, ...]
.text TUKERNEL.EXE!FsRtlLookupLastMcbEntry + E 8052BCE7 26 Bytes [F0, 50, FF, 75, 08, E8, 92, ...]
.text TUKERNEL.EXE!FsRtlLookupLastMcbEntry + 29 8052BD02 25 Bytes [10, 41, F7, D9, 1B, C9, 23, ...]
.text TUKERNEL.EXE!FsRtlNumberOfRunsInMcb 8052BD1F 26 Bytes [8B, FF, 55, 8B, EC, 5D, E9, ...]
.text TUKERNEL.EXE!FsRtlGetNextMcbEntry + 6 8052BD3A 32 Bytes CALL 78984A8F
.text TUKERNEL.EXE!FsRtlGetNextMcbEntry + 27 8052BD5B 22 Bytes [55, F0, 89, 11, 8B, 4D, F8, ...]
.text TUKERNEL.EXE!FsRtlGetNextMcbEntry + 3F 8052BD73 2 Bytes [55, E8]
.text TUKERNEL.EXE!FsRtlGetNextMcbEntry + 42 8052BD76 58 Bytes [11, C9, C2, 14, 00, CC, CC, ...]
.text TUKERNEL.EXE!FsRtlSplitLargeMcb + E 8052BDB1 2 Bytes [08, 89]
.text TUKERNEL.EXE!FsRtlSplitLargeMcb + 11 8052BDB4 114 Bytes [D8, 8B, 0E, FF, 15, 60, 76, ...]
.text TUKERNEL.EXE!FsRtlSplitLargeMcb + 84 8052BE27 24 Bytes [8D, 0C, 38, 8B, 41, F8, 03, ...]
.text TUKERNEL.EXE!FsRtlSplitLargeMcb + 9D 8052BE40 24 Bytes [DB, 75, 04, 33, D2, EB, 03, ...]
.text TUKERNEL.EXE!FsRtlSplitLargeMcb + B6 8052BE59 61 Bytes [46, 10, 83, 4C, 38, 04, FF, ...]
.text ...
.text TUKERNEL.EXE!FsRtlTruncateMcb + 7 8052BF33 40 Bytes [FF, 75, 0C, FF, 75, 08, E8, ...]
.text TUKERNEL.EXE!FsRtlAddMcbEntry + D 8052BF5C 16 Bytes [75, 10, 50, FF, 75, 0C, FF, ...]
.text TUKERNEL.EXE!FsRtlAddMcbEntry + 1E 8052BF6D 61 Bytes [00, CC, CC, CC, CC, CC, 90, ...]
.text TUKERNEL.EXE!FsRtlRemoveMcbEntry + 33 8052BFAB 34 Bytes CALL 804E2AD2 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlRemoveMcbEntry + 56 8052BFCE 66 Bytes [00, 00, B8, BF, 52, 80, CC, ...]
.text TUKERNEL.EXE!FsRtlLookupMcbEntry + 33 8052C011 82 Bytes [19, 8B, 4D, F8, 8B, 55, 10, ...]
.text TUKERNEL.EXE!FsRtlLookupMcbEntry + 86 8052C064 10 Bytes [85, C0, 53, 56, 57, 74, 60, ...] {TEST EAX, EAX; PUSH EBX; PUSH ESI; PUSH EDI; JZ 0x67; MOV ECX, [EBP+0xc]}
.text TUKERNEL.EXE!FsRtlLookupMcbEntry + 91 8052C06F 328 Bytes [11, 8B, 79, 04, 8B, 75, 10, ...]
.text TUKERNEL.EXE!FsRtlLookupMcbEntry + 1DA 8052C1B8 6 Bytes [39, 8B, 40, 04, 8B, 49] {CMP [EBX+0x498b0440], ECX}
.text TUKERNEL.EXE!FsRtlLookupMcbEntry + 1E1 8052C1BF 43 Bytes [33, DB, 39, 1E, 89, 55, EC, ...]
.text ...
.text TUKERNEL.EXE!FsRtlIsNtstatusExpected + 2 8052C4B0 23 Bytes [55, 8B, EC, 8B, 45, 08, 3D, ...]
.text TUKERNEL.EXE!FsRtlIsNtstatusExpected + 1A 8052C4C8 55 Bytes [C0, 74, 0B, 3D, AA, 00, 00, ...]
.text TUKERNEL.EXE!FsRtlAllocatePool + 19 8052C500 2 Bytes [F6, 75]
.text TUKERNEL.EXE!FsRtlAllocatePool + 1C 8052C503 3 Bytes [68, 9A, 00]
.text TUKERNEL.EXE!FsRtlAllocatePool + 20 8052C507 1 Byte [C0]
.text TUKERNEL.EXE!FsRtlAllocatePool + 20 8052C507 67 Bytes CALL 804DCB99 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlAllocatePoolWithQuota + 2D 8052C54B 15 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text TUKERNEL.EXE!FsRtlAllocatePoolWithTag + 6 8052C55B 61 Bytes [FF, 75, 10, FF, 75, 0C, FF, ...]
.text TUKERNEL.EXE!FsRtlAllocatePoolWithQuotaTag + F 8052C599 19 Bytes CALL 804E72C4 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlAllocatePoolWithQuotaTag + 23 8052C5AD 101 Bytes [FF, 8B, C6, 5E, 5D, C2, 0C, ...]
.text TUKERNEL.EXE!FsRtlNormalizeNtstatus + 4F 8052C613 49 Bytes [00, 00, 00, 8B, 4D, 08, 87, ...]
.text TUKERNEL.EXE!FsRtlNormalizeNtstatus + 81 8052C645 60 Bytes CALL 804E4186 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlNormalizeNtstatus + BE 8052C682 6 Bytes [00, 8B, 4D, DC, 87, 01] {ADD [EBX+0x187dc4d], CL}
.text TUKERNEL.EXE!FsRtlNormalizeNtstatus + C5 8052C689 57 Bytes [C0, 8A, 42, 25, 50, E8, D2, ...]
.text TUKERNEL.EXE!FsRtlNormalizeNtstatus + FF 8052C6C3 57 Bytes CALL 8052C5E8 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
.text TUKERNEL.EXE!FsRtlLookupPerFileObjectContext + 8 8052CD30 65 Bytes [39, 7D, 08, 75, 04, 33, C0, ...]
.text TUKERNEL.EXE!FsRtlLookupPerFileObjectContext + 4A 8052CD72 6 Bytes [3B, C1, 75, ED, EB, 2A] {CMP EAX, ECX; JNZ 0xfffffffffffffff1; JMP 0x30}
.text TUKERNEL.EXE!FsRtlLookupPerFileObjectContext + 51 8052CD79 48 Bytes [F8, EB, 26, 8B, 55, 0C, 3B, ...]
.text TUKERNEL.EXE!FsRtlLookupPerFileObjectContext + 82 8052CDAA 8 Bytes [8B, C7, 5B, 5E, 5F, 5D, C2, ...]
.text TUKERNEL.EXE!FsRtlLookupPerFileObjectContext + 8B 8052CDB3 70 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text TUKERNEL.EXE!FsRtlRemovePerFileObjectContext + 3D 8052CDFA 182 Bytes [0F, 8B, 58, 08, 3B, 5D, 0C, ...]
.text TUKERNEL.EXE!FsRtlInsertPerFileObjectContext + 2D 8052CEB1 3 Bytes CALL 804F7C23 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlInsertPerFileObjectContext + 31 8052CEB5 79 Bytes [8B, F0, 3B, F7, 75, 65, 68, ...]
.text TUKERNEL.EXE!FsRtlInsertPerFileObjectContext + 81 8052CF05 27 Bytes CALL 8054AF04 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!FsRtlInsertPerFileObjectContext + 9D 8052CF21 75 Bytes [CE, FF, 15, 60, 76, 4D, 80, ...]
.text TUKERNEL.EXE!FsRtlInsertPerFileObjectContext + E9 8052CF6D 38 Bytes [8B, 75, 08, C7, 80, 18, 02, ...]
.text ...
.text TUKERNEL.EXE!FsRtlPostPagingFileStackOverflow + E 8052D075 5 Bytes [75, 08, E8, 4B, FF]
.text TUKERNEL.EXE!FsRtlPostPagingFileStackOverflow + 15 8052D07C 230 Bytes [5D, C2, 0C, 00, CC, CC, CC, ...]
.text TUKERNEL.EXE!FsRtlPostPagingFileStackOverflow + FC 8052D163 17 Bytes [B7, 46, 2C, 57, C1, E0, 04, ...]
.text TUKERNEL.EXE!FsRtlPostPagingFileStackOverflow + 10E 8052D175 79 Bytes [89, 5D, FC, 89, 01, E8, C5, ...]
.text TUKERNEL.EXE!FsRtlPostPagingFileStackOverflow + 15E 8052D1C5 4 Bytes [53, 53, 53, 53] {PUSH EBX; PUSH EBX; PUSH EBX; PUSH EBX}
.text ...
.text TUKERNEL.EXE!InbvSolidColorFill + 62 8052D4F3 83 Bytes CALL 8050FD8D \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!InbvSetTextColor + 28 8052D547 38 Bytes [EB, 0A, C7, 05, 5C, C5, 54, ...]
.text TUKERNEL.EXE!InbvSetTextColor + 4F 8052D56E 41 Bytes CALL 8050FD8F \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!InbvSetTextColor + 79 8052D598 4 Bytes [8B, EC, 8B, 45]
.text TUKERNEL.EXE!InbvSetTextColor + 7E 8052D59D 66 Bytes [A3, B0, 7F, 55, 80, 8B, 45, ...]
.text TUKERNEL.EXE!InbvAcquireDisplayOwnership + 5 8052D5E0 9 Bytes [85, C0, 74, 0F, 83, 3D, 04, ...]
.text TUKERNEL.EXE!InbvAcquireDisplayOwnership + F 8052D5EA 84 Bytes [02, 75, 06, 6A, 32, 6A, 50, ...]
.text TUKERNEL.EXE!InbvSetScrollRegion + 4 8052D63F 6 Bytes [EC, 5D, E9, 11, AA, 01]
.text TUKERNEL.EXE!InbvSetScrollRegion + B 8052D646 59 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text TUKERNEL.EXE!InbvSetScrollRegion + 47 8052D682 86 Bytes [55, 8B, EC, 8B, 45, 08, 8A, ...]
.text TUKERNEL.EXE!IoAllocateAdapterChannel 8052D6DB 117 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
.text TUKERNEL.EXE!IoCheckQuerySetFileInformation + 1E 8052D751 129 Bytes [05, B8, E0, 2E, 57, 80, 8A, ...]
.text TUKERNEL.EXE!IoCreateStreamFileObjectEx 8052D7D3 128 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...]
.text TUKERNEL.EXE!IoCreateStreamFileObjectEx + 81 8052D854 18 Bytes [45, 08, 66, C7, 00, 05, 00, ...]
.text TUKERNEL.EXE!IoCreateStreamFileObjectEx + 94 8052D867 67 Bytes [89, 70, 04, 8B, 45, 08, C7, ...]
.text TUKERNEL.EXE!IoCreateStreamFileObjectEx + D8 8052D8AB 33 Bytes CALL 804DCB97 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoCreateStreamFileObjectEx + FA 8052D8CD 30 Bytes [45, 10, 3B, C3, 75, 0B, 53, ...]
.text ...
.text TUKERNEL.EXE!IoDetachDevice + 9 8052D938 374 Bytes [15, 68, 76, 4D, 80, 8B, 75, ...]
.text TUKERNEL.EXE!IoGetInitialStack + CB 8052DAAF 48 Bytes [41, 20, 05, 28, 0F, 00, 00, ...]
.text TUKERNEL.EXE!IoGetInitialStack + FC 8052DAE0 15 Bytes [93, DA, 52, 80, CC, CC, CC, ...]
.text TUKERNEL.EXE!IoRaiseHardError + 2 8052DAF0 134 Bytes [55, 8B, EC, 53, 56, 8B, 75, ...]
.text TUKERNEL.EXE!IoRaiseHardError + 89 8052DB77 47 Bytes CALL 804E59A1 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoRaiseHardError + B9 8052DBA7 63 Bytes [84, 64, FF, FF, FF, 8B, 4D, ...]
.text TUKERNEL.EXE!IoRaiseInformationalHardError + 4 8052DBE7 58 Bytes [EC, 8B, 4D, 10, 53, 56, 33, ...]
.text TUKERNEL.EXE!IoRaiseInformationalHardError + 3F 8052DC22 148 Bytes [00, 81, 7D, 08, 44, 01, 00, ...]
.text TUKERNEL.EXE!IoRaiseInformationalHardError + D4 8052DCB7 61 Bytes [66, 89, 4B, 0E, 89, 43, 10, ...]
.text TUKERNEL.EXE!IoRaiseInformationalHardError + 113 8052DCF6 56 Bytes [00, B9, B4, 84, 55, 80, 0F, ...]
.text TUKERNEL.EXE!IoRaiseInformationalHardError + 14C 8052DD2F 6 Bytes [88, 45, 0B, E8, 0F, 6B]
.text ...
.text TUKERNEL.EXE!IoSetDeviceToVerify + 1 8052DE48 14 Bytes [FF, 55, 8B, EC, 8B, 45, 0C, ...]
.text TUKERNEL.EXE!IoSetDeviceToVerify + 10 8052DE57 60 Bytes [00, 5D, C2, 08, 00, CC, CC, ...]
.text TUKERNEL.EXE!IoSetDeviceToVerify + 4D 8052DE94 12 Bytes CALL 804E6B4A \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoSetDeviceToVerify + 5A 8052DEA1 28 Bytes [8D, 46, 60, 50, 89, 5E, 14, ...]
.text TUKERNEL.EXE!IoSetDeviceToVerify + 77 8052DEBE 112 Bytes [86, B0, 00, 00, 00, F6, 40, ...]
.text TUKERNEL.EXE!IoStartNextPacketByKey + 21 8052DF30 54 Bytes [83, C9, 40, 51, FF, 75, 10, ...]
Re: Win32/Rustock in memory, cannot be removed
.text TUKERNEL.EXE!IoStopTimer 8052DF69 5 Bytes [8B, FF, 55, 8B, EC] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text TUKERNEL.EXE!IoStopTimer + 6 8052DF6F 23 Bytes [45, 08, 8B, 40, 18, FA, 66, ...]
.text TUKERNEL.EXE!IoStopTimer + 1E 8052DF87 43 Bytes [FB, 5D, C2, 04, 00, CC, CC, ...]
.text TUKERNEL.EXE!IoCallDriver + 11 8052DFB3 9 Bytes [5D, C2, 08, 00, CC, CC, CC, ...] {POP EBP; RET 0x8; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text TUKERNEL.EXE!IoCallDriver + 1C 8052DFBE 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text TUKERNEL.EXE!IoCompleteRequest + 1 8052DFC2 25 Bytes [FF, 55, 8B, EC, 8A, 55, 0C, ...]
.text TUKERNEL.EXE!IoCompleteRequest + 1B 8052DFDC 85 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!IoCompleteRequest + 71 8052E032 6 Bytes [BF, FF, FF, 89, 48, 08]
.text TUKERNEL.EXE!IoCompleteRequest + 78 8052E039 46 Bytes [48, 64, 89, 4D, F8, 8D, 4D, ...]
.text TUKERNEL.EXE!IoCompleteRequest + A7 8052E068 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 12 8052E09F 12 Bytes [00, C0, EB, 4B, 8D, 45, 08, ...]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 1F 8052E0AC 16 Bytes [8B, 86, B0, 00, 00, 00, 8B, ...]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 30 8052E0BD 6 Bytes [C0, EB, 24, 83, 78, 14]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 37 8052E0C4 6 Bytes [75, 07, BE, 6E, 02, 00]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 3E 8052E0CB 84 Bytes [EB, 17, F6, 40, 04, 01, 74, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 28 8052E120 69 Bytes [00, 57, 8D, 45, C4, 50, 33, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 6E 8052E166 5 Bytes [66, C7, 45, E4, 70]
.text TUKERNEL.EXE!IoSetSystemPartition + 74 8052E16C 9 Bytes [66, 89, 5D, E6, 66, C7, 45, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 7E 8052E176 29 Bytes [66, C7, 45, D4, 0A, 00, E8, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 9C 8052E194 56 Bytes [00, 00, 0F, B7, 06, 40, 40, ...]
.text ...
.text TUKERNEL.EXE!IoValidateDeviceIoControlAccess + 1A 8052E2F3 93 Bytes [0D, 75, 2B, 80, 7A, 20, 00, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 10 8052E351 20 Bytes CALL 804D918D \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 25 8052E366 14 Bytes [B7, 46, 02, F7, D8, 89, 45, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 35 8052E376 136 Bytes [0F, C1, 01, 6A, 00, 56, E8, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + BE 8052E3FF 36 Bytes [57, 89, 06, 89, 70, 04, 8B, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + E3 8052E424 54 Bytes [6A, 0A, 8D, 57, 04, 59, E8, ...]
.text ...
.text TUKERNEL.EXE!IoAttachDeviceByPointer + 1D 8052E4FD 194 Bytes [C0, 5D, C2, 08, 00, CC, CC, ...]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 2A 8052E5C1 6 Bytes [00, 00, 8B, 4D, 0C, 87]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 31 8052E5C8 47 Bytes [85, C0, 75, 0D, 33, FF, FF, ...]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 61 8052E5F8 93 Bytes [CC, 90, 90, 90, 90, 90, 8B, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 58 8052E656 20 Bytes [4D, 00, 88, 9D, E4, FD, FF, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 6D 8052E66B 17 Bytes CALL 804FCC21 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 7F 8052E67D 32 Bytes [00, 8B, D0, 8B, CF, E8, BE, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + A0 8052E69E 50 Bytes [FA, FF, 8B, 85, D8, FD, FF, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + D3 8052E6D1 12 Bytes [00, 8D, 85, C4, FD, FF, FF, ...] {ADD [EBP-0x23b7b], CL; CALL [EAX-0x18]; XOR AL, 0x9d; PUSH ES}
.text ...
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 10 8052F32F 14 Bytes [33, F6, 3B, DE, 89, 45, FC, ...]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 1F 8052F33E 36 Bytes [00, 39, 75, 0C, 75, 09, 64, ...]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 44 8052F363 56 Bytes CALL 804DB11B \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 7D 8052F39C 6 Bytes [C7, 43, 18, 20, AB, 55]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 84 8052F3A3 5 Bytes [C7, 43, 1C, D8, 0B]
.text ...
.text TUKERNEL.EXE!IoRequestDeviceEject + 5 80531516 33 Bytes [8B, 4D, 08, 8B, 81, B0, 00, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + 27 80531538 15 Bytes [FF, FF, 5D, C2, 04, 00, 52, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + 37 80531548 85 Bytes CALL 80533993 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoRequestDeviceEject + 8D 8053159E 40 Bytes [8B, 35, 18, 8B, 55, 80, BB, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + B6 805315C7 86 Bytes [C0, 74, 06, C7, 00, 0E, 00, ...]
.text ...
.text TUKERNEL.EXE!KdDisableDebugger + 4E 805320D5 15 Bytes [A7, A2, 4F, 80, C6, 05, C1, ...]
.text TUKERNEL.EXE!KdDisableDebugger + 5E 805320E5 5 Bytes [80, E8, F8, 00, 00] {SUB AL, 0xf8; ADD [EAX], AL}
.text TUKERNEL.EXE!KdDisableDebugger + 64 805320EB 57 Bytes [8A, 4D, FF, FF, 15, 70, 76, ...]
.text TUKERNEL.EXE!KdEnableDebugger + 25 80532125 5 Bytes [74, 1C, 6A, 00, 6A]
.text TUKERNEL.EXE!KdEnableDebugger + 2B 8053212B 11 Bytes [C6, 05, EC, 05, 56, 80, 01, ...]
.text TUKERNEL.EXE!KdEnableDebugger + 37 80532137 25 Bytes CALL 8067D4DF \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KdEnableDebugger + 51 80532151 12 Bytes [C9, C3, CC, CC, CC, CC, CC, ...] {LEAVE ; RET ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
.text TUKERNEL.EXE!KdPowerTransition + 1 8053215E 30 Bytes [FF, 55, 8B, EC, 56, 33, F6, ...]
.text TUKERNEL.EXE!KdPowerTransition + 20 8053217D 8 Bytes [00, C0, EB, 05, E8, 3D, 64, ...]
.text TUKERNEL.EXE!KdPowerTransition + 29 80532186 6 Bytes [8B, C6, 5E, 5D, C2, 04]
.text TUKERNEL.EXE!KdPowerTransition + 30 8053218D 28 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KdPowerTransition + 4D 805321AA 83 Bytes [75, 0C, FF, 75, 08, E8, 7F, ...]
.text ...
.text TUKERNEL.EXE!KeSetDmaIoCoherency + D 80532616 3 Bytes [5D, C2, 04]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 11 8053261A 53 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 47 80532650 85 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 9D 805326A6 25 Bytes [89, 45, F0, 89, 45, F4, 8D, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + B7 805326C0 1 Byte [00]
.text ...
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 19 8053273E 3 Bytes [5D, C2, 08]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 1D 80532742 8 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP }
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 27 8053274C 25 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 41 80532766 53 Bytes [8B, 46, 5C, 8B, 5D, 0C, 8D, ...]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 77 8053279C 9 Bytes [8B, 45, 08, 5F, 5E, 5B, C9, ...]
.text ...
.text TUKERNEL.EXE!KeEnterKernelDebugger + 6 80532B85 18 Bytes CALL 80514C4B \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeEnterKernelDebugger + 19 80532B98 13 Bytes [0F, C1, 01, 48, 75, 19, 33, ...]
.text TUKERNEL.EXE!KeEnterKernelDebugger + 27 80532BA6 7 Bytes [75, 0F, 38, 05, 7C, CB, 54]
.text TUKERNEL.EXE!KeEnterKernelDebugger + 2F 80532BAE 49 Bytes CALL 8067AC84 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 15 80532BE0 51 Bytes [8B, CE, 88, 45, FF, E8, 4E, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 49 80532C14 7 Bytes [5E, 8A, C3, 5B, C9, C2, 04]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 51 80532C1C 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 67 80532C32 9 Bytes CALL 804E2A92 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 71 80532C3C 8 Bytes [89, 45, DC, 8B, 1D, D8, 9B, ...]
.text ...
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 15 80532D0C 51 Bytes [8B, CE, 88, 45, FF, E8, 22, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 49 80532D40 7 Bytes [5E, 8A, C3, 5B, C9, C2, 04]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 51 80532D48 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 67 80532D5E 9 Bytes CALL 804E2A92 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 71 80532D68 15 Bytes [89, 45, DC, 8B, 1D, D0, 9B, ...]
.text ...
.text TUKERNEL.EXE!KeBugCheckEx + 7 8053399A 23 Bytes [FF, 75, 18, FF, 75, 14, FF, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 1F 805339B2 20 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 35 805339C8 12 Bytes [8B, FF, 55, 8B, EC, F6, 05, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; TEST BYTE [0x80550c80], 0x1}
.text TUKERNEL.EXE!KeBugCheckEx + 42 805339D5 18 Bytes [6E, 8B, 45, 0C, 53, 56, 8B, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 55 805339E8 3 Bytes [83, 65, 0C]
.text ...
.text TUKERNEL.EXE!KeI386GetLid + 11 80533C14 9 Bytes [00, 89, 45, F8, 75, 0A, B8, ...]
.text TUKERNEL.EXE!KeI386GetLid + 1B 80533C1E 5 Bytes [C0, E9, 3F, 01, 00] {SHR CL, 0x3f; ADD [EAX], EAX}
.text TUKERNEL.EXE!KeI386GetLid + 21 80533C24 3 Bytes [80, 7D, 10]
.text TUKERNEL.EXE!KeI386GetLid + 25 80533C28 17 Bytes [74, 09, 83, 4D, F0, FF, 89, ...]
.text TUKERNEL.EXE!KeI386GetLid + 37 80533C3A 9 Bytes [89, 45, F0, 83, 3D, 60, 99, ...]
.text ...
.text TUKERNEL.EXE!KeI386ReleaseLid + B 80533D7E 17 Bytes [00, 75, 07, B8, 0F, 01, 00, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 1D 80533D90 9 Bytes [0F, B7, 55, 08, 8B, 0D, 60, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 27 80533D9A 15 Bytes [C1, E2, 03, 8D, 34, 0A, 8B, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 37 80533DAA 23 Bytes [33, F6, EB, 20, 83, FF, FF, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 4F 80533DC2 19 Bytes [75, E6, 83, 22, 00, EB, E1, ...]
.text ...
.text TUKERNEL.EXE!KeI386AbiosCall + E 80533DF6 5 Bytes [75, 07, B8, 0F, 01]
.text TUKERNEL.EXE!KeI386AbiosCall + 14 80533DFC 31 Bytes [C0, EB, 74, 66, 8B, 45, 08, ...]
.text TUKERNEL.EXE!KeI386AbiosCall + 34 80533E1C 117 Bytes [0F, B7, C0, C1, E0, 03, 8B, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + C 80533E92 19 Bytes [66, 8B, 4D, 0C, 66, 01, 0D, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 20 80533EA6 15 Bytes [74, 22, 53, 56, 8B, 75, 08, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 30 80533EB6 15 Bytes [31, 55, 80, 03, D7, 46, 46, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 40 80533EC6 11 Bytes CALL 48DD9A29
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 4C 80533ED2 12 Bytes [33, C0, 5F, 5D, C2, 08, 00, ...] {XOR EAX, EAX; POP EDI; POP EBP; RET 0x8; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + B 80533EEE 11 Bytes [00, 75, 0A, B8, 0F, 01, 00, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 17 80533EFA 72 Bytes [00, 66, 81, 7D, 10, E0, 00, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 60 80533F43 2 Bytes [92, 00]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 63 80533F46 11 Bytes [33, FF, 89, 4A, 04, 47, 80, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 6F 80533F52 9 Bytes [01, 76, 1F, 8B, 0C, BD, E0, ...]
.text ...
.text TUKERNEL.EXE!KeRemoveByKeyDeviceQueueIfBusy + 3B 8053401A 81 Bytes [57, 8B, 7D, 0C, 3B, 79, 08, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 18 8053406C 26 Bytes [8B, 45, 0C, 8A, 58, 0C, 80, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 33 80534087 6 Bytes [F4, FF, 15, 5C, 76, 4D]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 3A 8053408E 117 Bytes [8A, C3, 5B, C9, C2, 08, 00, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + B2 80534106 25 Bytes [8D, 55, F4, FF, 15, E4, 75, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + CC 80534120 5 Bytes [00, 01, 75, 12, 6A]
.text ...
.text TUKERNEL.EXE!KeQueryPriorityThread + 10 80534200 79 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 60 80534250 19 Bytes [00, 0F, B6, 32, 88, 0A, 8A, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 74 80534264 200 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 13D 8053432D 41 Bytes [F8, 8B, 5F, 44, EB, 09, 8D, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 167 80534357 1 Byte [00]
.text ...
.text TUKERNEL.EXE!KeRaiseUserException + 79 8053449D 23 Bytes [33, C0, 40, C3, 90, 90, 90, ...]
.text TUKERNEL.EXE!KeRaiseUserException + 91 805344B5 55 Bytes [C2, 04, 00, FF, FF, FF, FF, ...]
.text TUKERNEL.EXE!KeRaiseUserException + C9 805344ED 17 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] {NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH DWORD [EBP+0x8]; CALL 0xfffffffffffa7596}
.text TUKERNEL.EXE!KeSaveStateForHibernate + E 805344FF 8 Bytes CALL 804E608F \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeSaveStateForHibernate + 17 80534508 33 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 39 8053452A 1 Byte [00]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 39 8053452A 5 Bytes [00, E8, 09, 0B, 00]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 3F 80534530 19 Bytes JMP 80515710 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 27 80535C12 6 Bytes [00, 8D, 84, 08, FF, 0F] {ADD [EBP+0xfff0884], CL}
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 2E 80535C19 5 Bytes [00, C1, E8, 0C, 89]
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 34 80535C1F 81 Bytes CALL 804F812E \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 86 80535C71 29 Bytes [00, 8D, 4C, 88, F8, EB, 0C, ...]
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + A4 80535C8F 208 Bytes [C0, 66, 8B, 46, 06, 83, C2, ...]
.text ...
.text TUKERNEL.EXE!MmUnmapReservedMapping + 9 80535EBB 22 Bytes [45, 08, 8B, 55, 0C, C1, E8, ...]
.text TUKERNEL.EXE!MmUnmapReservedMapping + 20 80535ED2 2 Bytes [40, 53] {INC EAX; PUSH EBX}
.text TUKERNEL.EXE!MmUnmapReservedMapping + 23 80535ED5 12 Bytes [E2, FE, 3B, CA, 56, 57, 8D, ...] {LOOP 0x0; CMP ECX, EDX; PUSH ESI; PUSH EDI; LEA EBX, [EAX-0x8]; JZ 0x1c; PUSH ECX}
.text TUKERNEL.EXE!MmUnmapReservedMapping + 30 80535EE2 28 Bytes [75, 0C, FF, 75, 08, 68, 08, ...]
.text TUKERNEL.EXE!MmUnmapReservedMapping + 4D 80535EFF 29 Bytes [75, 08, 68, 09, 01, 00, 00, ...]
.text ...
.text TUKERNEL.EXE!MmAdvanceMdl + 1D 80536028 53 Bytes [00, 83, 65, 0C, 00, 53, C7, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 53 8053605E 28 Bytes [10, 00, 00, 2B, DA, 3B, CB, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 70 8053607B 6 Bytes [01, 4E, 0C, E9, B4, 01]
.text TUKERNEL.EXE!MmAdvanceMdl + 77 80536082 31 Bytes [00, 83, 66, 18, 00, 81, C7, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 97 805360A2 61 Bytes [47, 89, 7D, 0C, EB, 03, 8B, ...]
.text ...
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 44 8053628E 139 Bytes [83, F8, 08, 0F, 84, 4D, 02, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + D0 8053631A 41 Bytes [85, DB, 0F, 84, EE, 00, 00, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + FA 80536344 121 Bytes [C1, 25, E0, 03, 00, 00, 3D, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 176 805363C0 58 Bytes [83, F8, 0F, 74, 1D, 8B, 4D, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 1B1 805363FB 147 Bytes [14, FF, 35, 3C, 3D, 4E, 80, ...]
.text ...
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 10 805365DB 33 Bytes CALL 804D9A7F \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 32 805365FD 61 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 70 8053663B 74 Bytes [4D, 0C, 89, 70, 0C, 75, DC, ...]
.text TUKERNEL.EXE!MmIsRecursiveIoFault + 10 80536687 56 Bytes [0F, B6, 89, 54, 02, 00, 00, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 21 805366C0 107 Bytes [F7, DE, 1B, F6, 57, 8B, FB, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 8D 8053672C 89 Bytes [00, 4E, 75, CF, 5F, 5E, 5B, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + E7 80536786 24 Bytes [00, C1, EE, 0C, 85, C0, 8B, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 100 8053679F 57 Bytes [04, 85, 28, 10, 55, 80, 83, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 13A 805367D9 26 Bytes CALL 8054B044 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
? spop.sys Systém nemůže nalézt uvedený soubor. !
? Combo-Fix.sys Systém nemůže nalézt uvedený soubor. !
? srescan.sys Systém nemůže nalézt uvedený soubor. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7B4D360, 0x37388D, 0xE8000020]
.text USBPORT.SYS!DllUnload F7AD262C 5 Bytes JMP 81ED91D8
PAGE mrxsmb.sys F0DFA700 75 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
PAGE mrxsmb.sys F0DFA74C 52 Bytes [53, 56, 57, 6A, 01, BE, 30, ...]
PAGE mrxsmb.sys F0DFA782 40 Bytes [FF, EB, EE, 80, BF, CE, 00, ...]
PAGE mrxsmb.sys F0DFA7AC 32 Bytes [89, 45, FC, 7C, CC, 6A, 01, ...]
PAGE mrxsmb.sys F0DFA7CD 19 Bytes [EC, 6A, 00, FF, 75, 08, FF, ...]
PAGE ...
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB1A65F00, 0x24000, 0x48000000]
? C:\Potvora.com\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollInfo 77D3902C 7 Bytes JMP 01B1A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollPos 77D3F66F 5 Bytes JMP 01B1A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollRange 77D3F6BB 5 Bytes JMP 01B1A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollPos 77D3F780 5 Bytes JMP 01B1A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollRange 77D3F7B7 5 Bytes JMP 01B1A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!ShowScrollBar 77D40142 5 Bytes JMP 01B1A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollInfo 77D43A2F 7 Bytes JMP 01B1A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!EnableScrollBar 77D87BAD 7 Bytes JMP 01B1A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8416042] spop.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841613E] spop.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84160C0] spop.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8416800] spop.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84166D6] spop.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8425E9C] spop.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 823DC1F8
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBPDO-0 81F771F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823701F8
Device \Driver\dmio \Device\DmControl\DmConfig 823701F8
Device \Driver\dmio \Device\DmControl\DmPnP 823701F8
Device \Driver\dmio \Device\DmControl\DmInfo 823701F8
Device \Driver\usbuhci \Device\USBPDO-1 81F771F8
Device \Driver\usbuhci \Device\USBPDO-2 81F771F8
Device \Driver\usbuhci \Device\USBPDO-3 81F771F8
Device \Driver\usbehci \Device\USBPDO-4 81EC21F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\prodrv06 \Device\ProDrv06 E188CC30
Device \Driver\Ftdisk \Device\HarddiskVolume1 823DF1F8
Device \Driver\Cdrom \Device\CdRom0 81EE21F8
Device \Driver\atapi \Device\Ide\IdePort0 823DE1F8
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 823DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 823DE1F8
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 823DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Cdrom \Device\CdRom1 81EE21F8
Device \Driver\prohlp02 \Device\ProHlp02 E14DC7D0
Device \Driver\NetBT \Device\NetBt_Wins_Export 818D11F8
Device \Driver\NetBT \Device\NetbiosSmb 818D11F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4ACBD8F3-39DB-4753-900D-70090B9F0A8F} 818D11F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 81F771F8
Device \Driver\usbuhci \Device\USBFDO-1 81F771F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 815C01F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 81F771F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 815C01F8
Device \Driver\usbuhci \Device\USBFDO-3 81F771F8
Device \Driver\usbehci \Device\USBFDO-4 81EC21F8
Device \Driver\Ftdisk \Device\FtControl 823DF1F8
Device \FileSystem\Cdfs \Cdfs 81DAE1F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xA3 0x87 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0xD9 0x44 0xE8 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0x7E 0xB4 0x37 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x3D 0x09 0x7B 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xE2 0x2C 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xA3 0x87 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0xD9 0x44 0xE8 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0x7E 0xB4 0x37 0xD9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x3D 0x09 0x7B 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xE2 0x2C 0xD0 ...
---- EOF - GMER 1.0.15 ----
Is it clean now?
.text TUKERNEL.EXE!IoStopTimer + 6 8052DF6F 23 Bytes [45, 08, 8B, 40, 18, FA, 66, ...]
.text TUKERNEL.EXE!IoStopTimer + 1E 8052DF87 43 Bytes [FB, 5D, C2, 04, 00, CC, CC, ...]
.text TUKERNEL.EXE!IoCallDriver + 11 8052DFB3 9 Bytes [5D, C2, 08, 00, CC, CC, CC, ...] {POP EBP; RET 0x8; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text TUKERNEL.EXE!IoCallDriver + 1C 8052DFBE 3 Bytes [90, 90, 90] {NOP ; NOP ; NOP }
.text TUKERNEL.EXE!IoCompleteRequest + 1 8052DFC2 25 Bytes [FF, 55, 8B, EC, 8A, 55, 0C, ...]
.text TUKERNEL.EXE!IoCompleteRequest + 1B 8052DFDC 85 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!IoCompleteRequest + 71 8052E032 6 Bytes [BF, FF, FF, 89, 48, 08]
.text TUKERNEL.EXE!IoCompleteRequest + 78 8052E039 46 Bytes [48, 64, 89, 4D, F8, 8D, 4D, ...]
.text TUKERNEL.EXE!IoCompleteRequest + A7 8052E068 6 Bytes [CC, CC, CC, CC, CC, CC] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 12 8052E09F 12 Bytes [00, C0, EB, 4B, 8D, 45, 08, ...]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 1F 8052E0AC 16 Bytes [8B, 86, B0, 00, 00, 00, 8B, ...]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 30 8052E0BD 6 Bytes [C0, EB, 24, 83, 78, 14]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 37 8052E0C4 6 Bytes [75, 07, BE, 6E, 02, 00]
.text TUKERNEL.EXE!IoGetDiskDeviceObject + 3E 8052E0CB 84 Bytes [EB, 17, F6, 40, 04, 01, 74, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 28 8052E120 69 Bytes [00, 57, 8D, 45, C4, 50, 33, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 6E 8052E166 5 Bytes [66, C7, 45, E4, 70]
.text TUKERNEL.EXE!IoSetSystemPartition + 74 8052E16C 9 Bytes [66, 89, 5D, E6, 66, C7, 45, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 7E 8052E176 29 Bytes [66, C7, 45, D4, 0A, 00, E8, ...]
.text TUKERNEL.EXE!IoSetSystemPartition + 9C 8052E194 56 Bytes [00, 00, 0F, B7, 06, 40, 40, ...]
.text ...
.text TUKERNEL.EXE!IoValidateDeviceIoControlAccess + 1A 8052E2F3 93 Bytes [0D, 75, 2B, 80, 7A, 20, 00, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 10 8052E351 20 Bytes CALL 804D918D \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 25 8052E366 14 Bytes [B7, 46, 02, F7, D8, 89, 45, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + 35 8052E376 136 Bytes [0F, C1, 01, 6A, 00, 56, E8, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + BE 8052E3FF 36 Bytes [57, 89, 06, 89, 70, 04, 8B, ...]
.text TUKERNEL.EXE!IoFreeErrorLogEntry + E3 8052E424 54 Bytes [6A, 0A, 8D, 57, 04, 59, E8, ...]
.text ...
.text TUKERNEL.EXE!IoAttachDeviceByPointer + 1D 8052E4FD 194 Bytes [C0, 5D, C2, 08, 00, CC, CC, ...]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 2A 8052E5C1 6 Bytes [00, 00, 8B, 4D, 0C, 87]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 31 8052E5C8 47 Bytes [85, C0, 75, 0D, 33, FF, FF, ...]
.text TUKERNEL.EXE!IoCsqRemoveIrp + 61 8052E5F8 93 Bytes [CC, 90, 90, 90, 90, 90, 8B, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 58 8052E656 20 Bytes [4D, 00, 88, 9D, E4, FD, FF, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 6D 8052E66B 17 Bytes CALL 804FCC21 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + 7F 8052E67D 32 Bytes [00, 8B, D0, 8B, CF, E8, BE, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + A0 8052E69E 50 Bytes [FA, FF, 8B, 85, D8, FD, FF, ...]
.text TUKERNEL.EXE!IoVolumeDeviceToDosName + D3 8052E6D1 12 Bytes [00, 8D, 85, C4, FD, FF, FF, ...] {ADD [EBP-0x23b7b], CL; CALL [EAX-0x18]; XOR AL, 0x9d; PUSH ES}
.text ...
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 10 8052F32F 14 Bytes [33, F6, 3B, DE, 89, 45, FC, ...]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 1F 8052F33E 36 Bytes [00, 39, 75, 0C, 75, 09, 64, ...]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 44 8052F363 56 Bytes CALL 804DB11B \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 7D 8052F39C 6 Bytes [C7, 43, 18, 20, AB, 55]
.text TUKERNEL.EXE!KeCapturePersistentThreadState + 84 8052F3A3 5 Bytes [C7, 43, 1C, D8, 0B]
.text ...
.text TUKERNEL.EXE!IoRequestDeviceEject + 5 80531516 33 Bytes [8B, 4D, 08, 8B, 81, B0, 00, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + 27 80531538 15 Bytes [FF, FF, 5D, C2, 04, 00, 52, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + 37 80531548 85 Bytes CALL 80533993 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!IoRequestDeviceEject + 8D 8053159E 40 Bytes [8B, 35, 18, 8B, 55, 80, BB, ...]
.text TUKERNEL.EXE!IoRequestDeviceEject + B6 805315C7 86 Bytes [C0, 74, 06, C7, 00, 0E, 00, ...]
.text ...
.text TUKERNEL.EXE!KdDisableDebugger + 4E 805320D5 15 Bytes [A7, A2, 4F, 80, C6, 05, C1, ...]
.text TUKERNEL.EXE!KdDisableDebugger + 5E 805320E5 5 Bytes [80, E8, F8, 00, 00] {SUB AL, 0xf8; ADD [EAX], AL}
.text TUKERNEL.EXE!KdDisableDebugger + 64 805320EB 57 Bytes [8A, 4D, FF, FF, 15, 70, 76, ...]
.text TUKERNEL.EXE!KdEnableDebugger + 25 80532125 5 Bytes [74, 1C, 6A, 00, 6A]
.text TUKERNEL.EXE!KdEnableDebugger + 2B 8053212B 11 Bytes [C6, 05, EC, 05, 56, 80, 01, ...]
.text TUKERNEL.EXE!KdEnableDebugger + 37 80532137 25 Bytes CALL 8067D4DF \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KdEnableDebugger + 51 80532151 12 Bytes [C9, C3, CC, CC, CC, CC, CC, ...] {LEAVE ; RET ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
.text TUKERNEL.EXE!KdPowerTransition + 1 8053215E 30 Bytes [FF, 55, 8B, EC, 56, 33, F6, ...]
.text TUKERNEL.EXE!KdPowerTransition + 20 8053217D 8 Bytes [00, C0, EB, 05, E8, 3D, 64, ...]
.text TUKERNEL.EXE!KdPowerTransition + 29 80532186 6 Bytes [8B, C6, 5E, 5D, C2, 04]
.text TUKERNEL.EXE!KdPowerTransition + 30 8053218D 28 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KdPowerTransition + 4D 805321AA 83 Bytes [75, 0C, FF, 75, 08, E8, 7F, ...]
.text ...
.text TUKERNEL.EXE!KeSetDmaIoCoherency + D 80532616 3 Bytes [5D, C2, 04]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 11 8053261A 53 Bytes [CC, CC, CC, CC, CC, 90, 90, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 47 80532650 85 Bytes [CC, CC, CC, CC, CC, CC, 90, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + 9D 805326A6 25 Bytes [89, 45, F0, 89, 45, F4, 8D, ...]
.text TUKERNEL.EXE!KeSetDmaIoCoherency + B7 805326C0 1 Byte [00]
.text ...
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 19 8053273E 3 Bytes [5D, C2, 08]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 1D 80532742 8 Bytes [CC, CC, CC, CC, CC, 90, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP }
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 27 8053274C 25 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 41 80532766 53 Bytes [8B, 46, 5C, 8B, 5D, 0C, 8D, ...]
.text TUKERNEL.EXE!KeReleaseInterruptSpinLock + 77 8053279C 9 Bytes [8B, 45, 08, 5F, 5E, 5B, C9, ...]
.text ...
.text TUKERNEL.EXE!KeEnterKernelDebugger + 6 80532B85 18 Bytes CALL 80514C4B \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeEnterKernelDebugger + 19 80532B98 13 Bytes [0F, C1, 01, 48, 75, 19, 33, ...]
.text TUKERNEL.EXE!KeEnterKernelDebugger + 27 80532BA6 7 Bytes [75, 0F, 38, 05, 7C, CB, 54]
.text TUKERNEL.EXE!KeEnterKernelDebugger + 2F 80532BAE 49 Bytes CALL 8067AC84 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 15 80532BE0 51 Bytes [8B, CE, 88, 45, FF, E8, 4E, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 49 80532C14 7 Bytes [5E, 8A, C3, 5B, C9, C2, 04]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 51 80532C1C 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 67 80532C32 9 Bytes CALL 804E2A92 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckCallback + 71 80532C3C 8 Bytes [89, 45, DC, 8B, 1D, D8, 9B, ...]
.text ...
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 15 80532D0C 51 Bytes [8B, CE, 88, 45, FF, E8, 22, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 49 80532D40 7 Bytes [5E, 8A, C3, 5B, C9, C2, 04]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 51 80532D48 21 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 67 80532D5E 9 Bytes CALL 804E2A92 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeDeregisterBugCheckReasonCallback + 71 80532D68 15 Bytes [89, 45, DC, 8B, 1D, D0, 9B, ...]
.text ...
.text TUKERNEL.EXE!KeBugCheckEx + 7 8053399A 23 Bytes [FF, 75, 18, FF, 75, 14, FF, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 1F 805339B2 20 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 35 805339C8 12 Bytes [8B, FF, 55, 8B, EC, F6, 05, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; TEST BYTE [0x80550c80], 0x1}
.text TUKERNEL.EXE!KeBugCheckEx + 42 805339D5 18 Bytes [6E, 8B, 45, 0C, 53, 56, 8B, ...]
.text TUKERNEL.EXE!KeBugCheckEx + 55 805339E8 3 Bytes [83, 65, 0C]
.text ...
.text TUKERNEL.EXE!KeI386GetLid + 11 80533C14 9 Bytes [00, 89, 45, F8, 75, 0A, B8, ...]
.text TUKERNEL.EXE!KeI386GetLid + 1B 80533C1E 5 Bytes [C0, E9, 3F, 01, 00] {SHR CL, 0x3f; ADD [EAX], EAX}
.text TUKERNEL.EXE!KeI386GetLid + 21 80533C24 3 Bytes [80, 7D, 10]
.text TUKERNEL.EXE!KeI386GetLid + 25 80533C28 17 Bytes [74, 09, 83, 4D, F0, FF, 89, ...]
.text TUKERNEL.EXE!KeI386GetLid + 37 80533C3A 9 Bytes [89, 45, F0, 83, 3D, 60, 99, ...]
.text ...
.text TUKERNEL.EXE!KeI386ReleaseLid + B 80533D7E 17 Bytes [00, 75, 07, B8, 0F, 01, 00, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 1D 80533D90 9 Bytes [0F, B7, 55, 08, 8B, 0D, 60, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 27 80533D9A 15 Bytes [C1, E2, 03, 8D, 34, 0A, 8B, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 37 80533DAA 23 Bytes [33, F6, EB, 20, 83, FF, FF, ...]
.text TUKERNEL.EXE!KeI386ReleaseLid + 4F 80533DC2 19 Bytes [75, E6, 83, 22, 00, EB, E1, ...]
.text ...
.text TUKERNEL.EXE!KeI386AbiosCall + E 80533DF6 5 Bytes [75, 07, B8, 0F, 01]
.text TUKERNEL.EXE!KeI386AbiosCall + 14 80533DFC 31 Bytes [C0, EB, 74, 66, 8B, 45, 08, ...]
.text TUKERNEL.EXE!KeI386AbiosCall + 34 80533E1C 117 Bytes [0F, B7, C0, C1, E0, 03, 8B, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + C 80533E92 19 Bytes [66, 8B, 4D, 0C, 66, 01, 0D, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 20 80533EA6 15 Bytes [74, 22, 53, 56, 8B, 75, 08, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 30 80533EB6 15 Bytes [31, 55, 80, 03, D7, 46, 46, ...]
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 40 80533EC6 11 Bytes CALL 48DD9A29
.text TUKERNEL.EXE!KeI386ReleaseGdtSelectors + 4C 80533ED2 12 Bytes [33, C0, 5F, 5D, C2, 08, 00, ...] {XOR EAX, EAX; POP EDI; POP EBP; RET 0x8; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 }
.text ...
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + B 80533EEE 11 Bytes [00, 75, 0A, B8, 0F, 01, 00, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 17 80533EFA 72 Bytes [00, 66, 81, 7D, 10, E0, 00, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 60 80533F43 2 Bytes [92, 00]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 63 80533F46 11 Bytes [33, FF, 89, 4A, 04, 47, 80, ...]
.text TUKERNEL.EXE!KeI386FlatToGdtSelector + 6F 80533F52 9 Bytes [01, 76, 1F, 8B, 0C, BD, E0, ...]
.text ...
.text TUKERNEL.EXE!KeRemoveByKeyDeviceQueueIfBusy + 3B 8053401A 81 Bytes [57, 8B, 7D, 0C, 3B, 79, 08, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 18 8053406C 26 Bytes [8B, 45, 0C, 8A, 58, 0C, 80, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 33 80534087 6 Bytes [F4, FF, 15, 5C, 76, 4D]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + 3A 8053408E 117 Bytes [8A, C3, 5B, C9, C2, 08, 00, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + B2 80534106 25 Bytes [8D, 55, F4, FF, 15, E4, 75, ...]
.text TUKERNEL.EXE!KeRemoveEntryDeviceQueue + CC 80534120 5 Bytes [00, 01, 75, 12, 6A]
.text ...
.text TUKERNEL.EXE!KeQueryPriorityThread + 10 80534200 79 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 60 80534250 19 Bytes [00, 0F, B6, 32, 88, 0A, 8A, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 74 80534264 200 Bytes [CC, CC, CC, CC, CC, 90, CC, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 13D 8053432D 41 Bytes [F8, 8B, 5F, 44, EB, 09, 8D, ...]
.text TUKERNEL.EXE!KeQueryPriorityThread + 167 80534357 1 Byte [00]
.text ...
.text TUKERNEL.EXE!KeRaiseUserException + 79 8053449D 23 Bytes [33, C0, 40, C3, 90, 90, 90, ...]
.text TUKERNEL.EXE!KeRaiseUserException + 91 805344B5 55 Bytes [C2, 04, 00, FF, FF, FF, FF, ...]
.text TUKERNEL.EXE!KeRaiseUserException + C9 805344ED 17 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] {NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH DWORD [EBP+0x8]; CALL 0xfffffffffffa7596}
.text TUKERNEL.EXE!KeSaveStateForHibernate + E 805344FF 8 Bytes CALL 804E608F \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!KeSaveStateForHibernate + 17 80534508 33 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 39 8053452A 1 Byte [00]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 39 8053452A 5 Bytes [00, E8, 09, 0B, 00]
.text TUKERNEL.EXE!KeSaveStateForHibernate + 3F 80534530 19 Bytes JMP 80515710 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 27 80535C12 6 Bytes [00, 8D, 84, 08, FF, 0F] {ADD [EBP+0xfff0884], CL}
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 2E 80535C19 5 Bytes [00, C1, E8, 0C, 89]
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 34 80535C1F 81 Bytes CALL 804F812E \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + 86 80535C71 29 Bytes [00, 8D, 4C, 88, F8, EB, 0C, ...]
.text TUKERNEL.EXE!MmMapLockedPagesWithReservedMapping + A4 80535C8F 208 Bytes [C0, 66, 8B, 46, 06, 83, C2, ...]
.text ...
.text TUKERNEL.EXE!MmUnmapReservedMapping + 9 80535EBB 22 Bytes [45, 08, 8B, 55, 0C, C1, E8, ...]
.text TUKERNEL.EXE!MmUnmapReservedMapping + 20 80535ED2 2 Bytes [40, 53] {INC EAX; PUSH EBX}
.text TUKERNEL.EXE!MmUnmapReservedMapping + 23 80535ED5 12 Bytes [E2, FE, 3B, CA, 56, 57, 8D, ...] {LOOP 0x0; CMP ECX, EDX; PUSH ESI; PUSH EDI; LEA EBX, [EAX-0x8]; JZ 0x1c; PUSH ECX}
.text TUKERNEL.EXE!MmUnmapReservedMapping + 30 80535EE2 28 Bytes [75, 0C, FF, 75, 08, 68, 08, ...]
.text TUKERNEL.EXE!MmUnmapReservedMapping + 4D 80535EFF 29 Bytes [75, 08, 68, 09, 01, 00, 00, ...]
.text ...
.text TUKERNEL.EXE!MmAdvanceMdl + 1D 80536028 53 Bytes [00, 83, 65, 0C, 00, 53, C7, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 53 8053605E 28 Bytes [10, 00, 00, 2B, DA, 3B, CB, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 70 8053607B 6 Bytes [01, 4E, 0C, E9, B4, 01]
.text TUKERNEL.EXE!MmAdvanceMdl + 77 80536082 31 Bytes [00, 83, 66, 18, 00, 81, C7, ...]
.text TUKERNEL.EXE!MmAdvanceMdl + 97 805360A2 61 Bytes [47, 89, 7D, 0C, EB, 03, 8B, ...]
.text ...
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 44 8053628E 139 Bytes [83, F8, 08, 0F, 84, 4D, 02, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + D0 8053631A 41 Bytes [85, DB, 0F, 84, EE, 00, 00, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + FA 80536344 121 Bytes [C1, 25, E0, 03, 00, 00, 3D, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 176 805363C0 58 Bytes [83, F8, 0F, 74, 1D, 8B, 4D, ...]
.text TUKERNEL.EXE!MmProtectMdlSystemAddress + 1B1 805363FB 147 Bytes [14, FF, 35, 3C, 3D, 4E, 80, ...]
.text ...
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 10 805365DB 33 Bytes CALL 804D9A7F \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 32 805365FD 61 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
.text TUKERNEL.EXE!MmGetVirtualForPhysical + 70 8053663B 74 Bytes [4D, 0C, 89, 70, 0C, 75, DC, ...]
.text TUKERNEL.EXE!MmIsRecursiveIoFault + 10 80536687 56 Bytes [0F, B6, 89, 54, 02, 00, 00, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 21 805366C0 107 Bytes [F7, DE, 1B, F6, 57, 8B, FB, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 8D 8053672C 89 Bytes [00, 4E, 75, CF, 5F, 5E, 5B, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + E7 80536786 24 Bytes [00, C1, EE, 0C, 85, C0, 8B, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 100 8053679F 57 Bytes [04, 85, 28, 10, 55, 80, 83, ...]
.text TUKERNEL.EXE!MmMapMemoryDumpMdl + 13A 805367D9 26 Bytes CALL 8054B044 \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation)
.text ...
? spop.sys Systém nemůže nalézt uvedený soubor. !
? Combo-Fix.sys Systém nemůže nalézt uvedený soubor. !
? srescan.sys Systém nemůže nalézt uvedený soubor. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7B4D360, 0x37388D, 0xE8000020]
.text USBPORT.SYS!DllUnload F7AD262C 5 Bytes JMP 81ED91D8
PAGE mrxsmb.sys F0DFA700 75 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
PAGE mrxsmb.sys F0DFA74C 52 Bytes [53, 56, 57, 6A, 01, BE, 30, ...]
PAGE mrxsmb.sys F0DFA782 40 Bytes [FF, EB, EE, 80, BF, CE, 00, ...]
PAGE mrxsmb.sys F0DFA7AC 32 Bytes [89, 45, FC, 7C, CC, 6A, 01, ...]
PAGE mrxsmb.sys F0DFA7CD 19 Bytes [EC, 6A, 00, FF, 75, 08, FF, ...]
PAGE ...
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB1A65F00, 0x24000, 0x48000000]
? C:\Potvora.com\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollInfo 77D3902C 7 Bytes JMP 01B1A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollPos 77D3F66F 5 Bytes JMP 01B1A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollRange 77D3F6BB 5 Bytes JMP 01B1A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!SetScrollPos 77D3F780 5 Bytes JMP 01B1A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollRange 77D3F7B7 5 Bytes JMP 01B1A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!ShowScrollBar 77D40142 5 Bytes JMP 01B1A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!GetScrollInfo 77D43A2F 7 Bytes JMP 01B1A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[1656] USER32.dll!EnableScrollBar 77D87BAD 7 Bytes JMP 01B1A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8416042] spop.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841613E] spop.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84160C0] spop.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8416800] spop.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84166D6] spop.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8425E9C] spop.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F2943B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F2941E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F2944260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F2943930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 823DC1F8
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBPDO-0 81F771F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823701F8
Device \Driver\dmio \Device\DmControl\DmConfig 823701F8
Device \Driver\dmio \Device\DmControl\DmPnP 823701F8
Device \Driver\dmio \Device\DmControl\DmInfo 823701F8
Device \Driver\usbuhci \Device\USBPDO-1 81F771F8
Device \Driver\usbuhci \Device\USBPDO-2 81F771F8
Device \Driver\usbuhci \Device\USBPDO-3 81F771F8
Device \Driver\usbehci \Device\USBPDO-4 81EC21F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\prodrv06 \Device\ProDrv06 E188CC30
Device \Driver\Ftdisk \Device\HarddiskVolume1 823DF1F8
Device \Driver\Cdrom \Device\CdRom0 81EE21F8
Device \Driver\atapi \Device\Ide\IdePort0 823DE1F8
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 823DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 823DE1F8
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 823DE1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Cdrom \Device\CdRom1 81EE21F8
Device \Driver\prohlp02 \Device\ProHlp02 E14DC7D0
Device \Driver\NetBT \Device\NetBt_Wins_Export 818D11F8
Device \Driver\NetBT \Device\NetbiosSmb 818D11F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4ACBD8F3-39DB-4753-900D-70090B9F0A8F} 818D11F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-0 81F771F8
Device \Driver\usbuhci \Device\USBFDO-1 81F771F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 815C01F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 81F771F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 815C01F8
Device \Driver\usbuhci \Device\USBFDO-3 81F771F8
Device \Driver\usbehci \Device\USBFDO-4 81EC21F8
Device \Driver\Ftdisk \Device\FtControl 823DF1F8
Device \FileSystem\Cdfs \Cdfs 81DAE1F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xA3 0x87 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0xD9 0x44 0xE8 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0x7E 0xB4 0x37 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x3D 0x09 0x7B 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xE2 0x2C 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0xA3 0x87 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec@hdf12 0xD9 0x44 0xE8 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001@hdf12 0x7E 0xB4 0x37 0xD9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919ea49a8f3b4aa3cf1058d9a64cec\00000001\gdq0@hdf12 0x3D 0x09 0x7B 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xE2 0x2C 0xD0 ...
---- EOF - GMER 1.0.15 ----
Is it clean now?

Re: Win32/Rustock in memory, cannot be removed
I think it is clean.
One more request, just to be safe: find the file TUKERNEL.EXE and have it scanned at www.virustotal.com; if virustotal asks whether to scan it again, answer yes.



Do not use COMBOFIX without an advisor's recommendation; it can damage the system!
Always back up important data before cleaning a computer of malware.
Want to support our forum? Information here

I am usually reachable at night, between 21:00 and 23:00.
If you have any questions, you can write to me at Motji(zavináč)forum.viry.cz.
Re: Win32/Rustock in memory, cannot be removed
Good day,
here is the link to the TUKERNEL.EXE results:
http://www.virustotal.com/cs/analisis/9 ... 1270202928
Something there is flagged in red, but that is hopefully O.K.
If it is clean now, thanks a lot for the help.
I owe you a favour.
If you ever need anything along the lines of "Building, Workshop, Garden" (especially garden), or shoes, a handbag and the like repaired, contact me at crus(uzenáč)centrum.cz, take a trip from Haná to Brno and I will also try to do what I can for you.
So thanks once again, take care and happy holidays!


Re: Win32/Rustock in memory, cannot be removed
Don't run off yet, we will tidy up. But I don't like that one detection on virustotal, especially from a fairly well-known company; could you please reinstall Tune Up?
Uninstall combofix via Start - Run
- paste into the box:
ComboFix /Uninstall
- press Enter
- This uninstalls ComboFix and deletes the files and folders associated with it.
***********
Download T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe
- Run it; to confirm the choices press the A key, then Enter
- after use delete the little program. Note: antivirus products may falsely flag it as a virus
***********
Download Ccleaner from my signature
- install it; when choosing what to install, untick the Yahoo toolbar installation
Cleaner tab
- leave everything in the left column ticked as it is, click Analyze
- after the analysis click Run Ccleaner
Registry tab
- click Scan for Issues
- then click Fix selected issues -- back up the registry - not necessary
- click Fix all issues
OK
Close
Tools tab
- here you can uninstall programs. It is a more thorough uninstall than Add/Remove Programs in Windows.
Ccleaner - I recommend using the Cleaner; it nicely clears temporary files off the PC.
Registry cleans up, for example, after uninstalling some program.
***********
Download OTC and use it
http://oldtimer.geekstogo.com/OTC.exe
- it cleans temp files and the leftovers of the tools used
***********
Post a new RSIT log and tell me how the computer behaves; is everything in order now?
And shoes and handbags to repair could be found here :)
Re: Win32/Rustock in memory, cannot be removed
Here is the log, but I don't understand why I should reinstall TuneUp Utilities. Do you mean upgrade to a newer version, or just reinstall?
The computer looks to be completely fine.
Logfile of random's system information tool 1.06 (written by random/random)
Run by Crusader at 2010-04-02 17:06:34
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 13 GB (17%) free of 76 GB
Total RAM: 511 MB (38% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:48, on 2.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Miranda_Cult_Pack_1.6\miranda32.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Crusader\Plocha\RSIT.exe
C:\Documents and Settings\Administrator\Plocha\Crusader.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.juicyaccess.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [java_sun] Java (Sun)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ACBD8F3-39DB-4753-900D-70090B9F0A8F}: NameServer = 212.158.128.2,212.158.128.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4695 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\1-Click Maintenance.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 54248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-31 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-31 73728]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-04-09 2029640]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-31 149280]
"ZoneAlarm Client"=C:\Program Files\ZoneAlarm\zlclient.exe [2009-02-16 981384]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2001-08-23 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^nabídka start^programy^po spuštění^digimax viewer 2.1.lnk]
C:\PROGRA~1\Samsung\DIGIMA~1.1\STIMGB~1.EXE [2004-02-10 626688]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^crusader^nabídka start^programy^po spuštění^magicdisc.lnk]
C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2009-02-23 576000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:utorrent"
"C:\Program Files\Totalcmd\TOTALCMD.EXE"="C:\Program Files\Totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\Games\CS\hl.exe"="C:\Games\CS\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Opera 10 Beta\opera.exe"="C:\Program Files\Opera 10 Beta\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======List of files/folders created in the last 1 months======
2010-04-02 17:06:34 ----D---- C:\rsit
2010-04-02 16:45:06 ----D---- C:\Program Files\CCleaner
2010-04-02 16:38:24 ----SHD---- C:\RECYCLER
======List of files/folders modified in the last 1 months======
2010-04-02 17:06:48 ----D---- C:\WINDOWS\Prefetch
2010-04-02 17:06:39 ----D---- C:\WINDOWS\temp
2010-04-02 17:05:44 ----A---- C:\WINDOWS\wincmd.ini
2010-04-02 16:59:25 ----D---- C:\WINDOWS\Internet Logs
2010-04-02 16:52:51 ----AD---- C:\WINDOWS
2010-04-02 16:50:15 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-02 16:49:34 ----D---- C:\WINDOWS\system32
2010-04-02 16:47:13 ----D---- C:\UKLIDIT
2010-04-02 16:45:06 ----RD---- C:\Program Files
2010-04-02 16:34:55 ----SHD---- C:\System Volume Information
2010-04-02 16:34:55 ----D---- C:\WINDOWS\system32\Restore
2010-04-01 09:52:36 ----D---- C:\WINDOWS\system32\drivers
2010-04-01 09:48:41 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-01 09:43:21 ----A---- C:\WINDOWS\system.ini
2010-04-01 09:37:46 ----D---- C:\WINDOWS\AppPatch
2010-04-01 09:37:41 ----D---- C:\Program Files\Common Files
2010-04-01 01:03:02 ----D---- C:\WINDOWS\system32\config
2010-04-01 01:01:17 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-01 00:10:25 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-31 08:57:25 ----SHD---- C:\WINDOWS\Installer
2010-03-17 18:22:52 ----D---- C:\Program Files\ZoneAlarm
2010-03-17 18:21:34 ----D---- C:\Texty
2010-03-17 18:17:28 ----D---- C:\Obrazky
2010-03-05 16:50:53 ----A---- C:\WINDOWS\jpegcode.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 42496]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-04-09 55768]
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-11-25 54368]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-02-16 353672]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-04-09 113960]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-04-09 133000]
R3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2001-08-23 60800]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-04-09 33096]
R3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2001-08-17 40704]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2001-08-23 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-12-14 85120]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2001-08-23 26624]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2001-08-23 57600]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2001-08-23 20480]
S1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
S3 3dfxvs;3dfxvs; C:\WINDOWS\system32\DRIVERS\3dfxvsm.sys [2001-08-17 148352]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 21504]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-10-11 47360]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-03 25600]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 wpdusb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-01-18 721904]
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2001-08-23 73344]
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-04-09 731840]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-31 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 159812]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2001-08-23 14336]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-02-16 2402184]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-04-09 20680]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
-----------------EOF-----------------
The computer looks like it is completely fine.
Re: Win32/Rustock in memory, cannot be removed
Just uninstall it, clean the registry with CCleaner, install

Do not use COMBOFIX without an advisor's recommendation, it can damage the system!
Always back up important data before disinfecting the computer
Want to support our forum? Information here

You can reach me mostly at night, between 9 and 11 p.m.
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Win32/Rustock in memory, cannot be removed
Sorry, I am having connection problems
TuneUp reinstalled, is it done?
Re: Win32/Rustock in memory, cannot be removed
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
click Save, then double-click the file as usual and confirm the dialog.
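The two entries the .reg file above removes are the ones in the RSIT "Registry dump" whose file RSIT could not resolve: where it finds the file it appends its date and size in brackets, and both "nwiz"=nwiz.exe /install and WRLogonNTF.dll carry an empty []. As an added example, not code from the thread, the helper or RSIT, the Python below parses such a dump, lists the unresolved entries and drafts the same kind of removal file; the sample dump is constructed from lines quoted earlier in the thread.

```python
"""Flag autostart entries in an RSIT registry dump that RSIT could not
resolve to a file, and draft the same kind of .reg cleanup as the fix above.

Added example for this thread, not code from the forum, the helper or RSIT.
The sample dump is constructed from lines quoted earlier in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines of the "======Registry dump======" section.
SAMPLE_DUMP = r"""======Registry dump======
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"nwiz"=nwiz.exe /install []
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-04-09 2029640]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2001-08-23 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
======List of files/folders created in the last 1 months======
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# RSIT appends "[date size]" to an entry when it finds the file on disk;
# an empty [] means it did not find it.
ENTRY_RE = re.compile(r'^(?:"(?P<name>[^"]*)"=)?(?P<value>.*?)\s*\[(?P<info>[^\]]*)\]$')
NOTIFY_PARENT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass
class Entry:
    key: str
    name: Optional[str]  # value name; None for keys that carry a bare payload line
    value: str           # command line or file name as printed by RSIT
    resolved: bool       # False when RSIT printed an empty []


def parse_registry_dump(text: str) -> List[Entry]:
    """Return every file-bearing entry in the Registry dump section."""
    entries: List[Entry] = []
    key = None
    in_dump = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("======"):  # section header: enter or leave the dump
            in_dump = line == "======Registry dump======"
            continue
        if not in_dump:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:  # policy values such as "NoDrives"=0 have no [] and are skipped
            entries.append(Entry(key, m.group("name"), m.group("value"),
                                 resolved=m.group("info").strip() != ""))
    return entries


def unresolved_entries(text: str) -> List[Entry]:
    """Entries whose file RSIT could not resolve: candidates for review."""
    return [e for e in parse_registry_dump(text) if not e.resolved]


def draft_reg_cleanup(entries: List[Entry]) -> str:
    """Draft a .reg file removing the given entries. A Winlogon Notify package
    is one subkey per entry, so the whole subkey is deleted with a leading '-';
    a Run value is deleted with name=- under its key, as in the fix above."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        if e.key.upper().startswith(NOTIFY_PARENT.upper() + "\\"):
            lines.append(f"[-{e.key}]")
        elif e.name is not None:
            lines.append(f"[{e.key}]")
            lines.append(f'"{e.name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = unresolved_entries(SAMPLE_DUMP)
    for e in found:
        print(f"unresolved: {e.key} -> {e.name or ''} {e.value}")
    print(draft_reg_cleanup(found))
```

An empty [] also appears for entries given without a full path, as with nwiz.exe here (NVIDIA's own wizard), so treat the output as a list to review against the helper's judgement, not as a verdict.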