vyděrači

[chronos_m]

Dobrý den, rád bych požádal o pomoc při záchraně PC(pokud to ještě je možné). k PC jsem se dostal v situaci, kdy po přihlášení se objeví pouze prázdná plocha. Nejde nic udělat. Této situaci prý předcházelo to, že se na obrazovce objevila vyděračská výzva k zaslání SMS na jakési číslo a pak vložení kódu. Majitel se eituaci pokusil vyřešit tím, že v nouzovém režimu zvolil spusit PC z bodu obnovy.
Teď je PC v nouzovém režimu bez připojení k síti. Nechl jsem to projet několika nástroji a stále to hlásí je je vše čisté.

Zasílám tedy log a doufám. Díky

Logfile of random's system information tool 1.07 (written by random/random)
Run by Administrator at 2010-05-08 08:30:58
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 21 GB (35%) free of 60 GB
Total RAM: 1023 MB (68% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Podpora odkazu pro Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Panel nástrojů - C:\Program Files\Lexmark Toolbar\toolband.dll [2009-05-06 372736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark - C:\Program Files\Lexmark Printable Web\bho.dll [2008-11-03 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Panel nástrojů - C:\Program Files\Lexmark Toolbar\toolband.dll [2009-05-06 372736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"=C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe [2004-10-07 131072]
"Control Center"=C:\Program Files\ASUS\WLAN Card Utilities\Center.exe [2006-03-02 1667584]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2010-03-05 524632]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-05-29 676520]
"lxduamon"=C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe [2008-05-29 16040]
"NPSStartup"= []
"MSSE"=C:\Program Files\Microsoft Security Essentials\msseces.exe [2010-02-21 1093208]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-04-14 2790472]
"QuickTime Task"=D:\Hry\QuickTime\qttask.exe [2008-09-04 98304]
"nwiz"=nwiz.exe /installquiet []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2010-01-11 110696]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-01-11 13666408]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\CTFMON.EXE [2008-04-14 15360]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-09 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program Files\ICQ6\ICQ.exe"="D:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"D:\Hry\Team17 Software Ltd\WormsForts\wf.exe"="D:\Hry\Team17 Software Ltd\WormsForts\wf.exe:*:Enabled:wf"
"D:\Hry\UBISOFT\Heroes of Might and Magic V\bin\H5_Game.exe"="D:\Hry\UBISOFT\Heroes of Might and Magic V\bin\H5_Game.exe:*:Enabled:Heroes of Might and Magic V"
"D:\Hry\Pyro\Commandos 3 - Destination Berlin\Commandos3.exe"="D:\Hry\Pyro\Commandos 3 - Destination Berlin\Commandos3.exe:*:Enabled:Commandos3"
"D:\Hry\OpenArena\ioquake3.x86.exe"="D:\Hry\OpenArena\ioquake3.x86.exe:*:Enabled:ioquake3.x86"
"D:\Hry\5star Gomoku\Gomoku.exe"="D:\Hry\5star Gomoku\Gomoku.exe:*:Enabled:Gomoku"
"D:\Hry\FlatOut2\FlatOut2.exe"="D:\Hry\FlatOut2\FlatOut2.exe:*:Enabled:FlatOut2"
"D:\Hry\Cenega Czech\Sid Meier's Civilization III Gold\CIV3PTW\Civilization3X.exe"="D:\Hry\Cenega Czech\Sid Meier's Civilization III Gold\CIV3PTW\Civilization3X.exe:*:Enabled:Civilization3Xd"
"D:\Hry\Eidos\Pyro Studios\Commandos Strike Force\CommXPC.exe"="D:\Hry\Eidos\Pyro Studios\Commandos Strike Force\CommXPC.exe:*:Disabled:CommXPC"
"D:\Hry\TrackMania Sunrise\TmSunrise.exe"="D:\Hry\TrackMania Sunrise\TmSunrise.exe:*:Enabled:TmSunrise"
"D:\Hry\TrackMania Nations ESWC\TmNationsESWC.exe"="D:\Hry\TrackMania Nations ESWC\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"D:\Hry\UBISOFT\Prince of Persia\Prince of Persia.exe"="D:\Hry\UBISOFT\Prince of Persia\Prince of Persia.exe:*:Enabled:Prince of Persia Dx"
"D:\Hry\UBISOFT\Prince of Persia\PrinceOfPersia_Launcher.exe"="D:\Hry\UBISOFT\Prince of Persia\PrinceOfPersia_Launcher.exe:*:Enabled:Prince of Persia Update"
"D:\Hry\EA SPORTS\UEFA EURO 2008\EURO08.exe"="D:\Hry\EA SPORTS\UEFA EURO 2008\EURO08.exe:*:Enabled:EURO08"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"D:\Hry\Activision\Mat Hoffman's Pro BMX\BMX.exe"="D:\Hry\Activision\Mat Hoffman's Pro BMX\BMX.exe:*:Enabled:BMX"
"D:\Hry\Warcraft III\Warcraft III.exe"="D:\Hry\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"D:\Hry\THQ\Pandemic Studios\Full Spectrum Warrior\Launcher.exe"="D:\Hry\THQ\Pandemic Studios\Full Spectrum Warrior\Launcher.exe:*:Enabled:Launcher"
"D:\Hry\Empires.exe"="D:\Hry\Empires.exe:*:Enabled:Age of Empires"
"D:\Hry\Call of Duty\CoDUOMP.exe"="D:\Hry\Call of Duty\CoDUOMP.exe:*:Enabled:CoDUOMP"
"D:\Hry\TmNationsForever\TmForever.exe"="D:\Hry\TmNationsForever\TmForever.exe:*:Enabled:TmForever"
"D:\Hry\Call of Duty\CoDMP.exe"="D:\Hry\Call of Duty\CoDMP.exe:*:Disabled:CoDMP"
"D:\Hry\UBISOFT\Gearbox Software\BrothersInArms\System\bia.exe"="D:\Hry\UBISOFT\Gearbox Software\BrothersInArms\System\bia.exe:*:Enabled:Brothers In Arms: Road to Hill 30"
"D:\Hry\Microsoft Games\Age of Empires\Empires.exe"="D:\Hry\Microsoft Games\Age of Empires\Empires.exe:*:Enabled:Age of Empires"
"D:\Hry\Microsoft Games\Age of Empires II\empires2.exe"="D:\Hry\Microsoft Games\Age of Empires II\empires2.exe:*:Enabled:Age of Empires II"
"D:\Program Files\ICQ6.5\ICQ.exe"="D:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\Hry\Activision\Call of Duty - World at War\CoDWaWmp.exe"="D:\Hry\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"D:\Hry\Activision\Call of Duty - World at War\CoDWaW.exe"="D:\Hry\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"D:\Hry\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="D:\Hry\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"D:\Hry\Valve\hl.exe"="D:\Hry\Valve\hl.exe:*:Enabled:Half-Life Launcher"
"D:\Hry\UBISOFT\Shaun White Snowboarding\ShaunWhiteSnowboardingGame.exe"="D:\Hry\UBISOFT\Shaun White Snowboarding\ShaunWhiteSnowboardingGame.exe:*:Enabled:Shaun White Snowboarding Game"
"D:\Hry\UBISOFT\Shaun White Snowboarding\ShaunWhiteSnowboarding.exe"="D:\Hry\UBISOFT\Shaun White Snowboarding\ShaunWhiteSnowboarding.exe:*:Enabled:Shaun White Snowboarding Update"
"D:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="D:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"D:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="D:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"D:\Hry\Valve\hltv.exe"="D:\Hry\Valve\hltv.exe:*:Disabled:HLTV Launcher"
"D:\Hry\Valve\hlds.exe"="D:\Hry\Valve\hlds.exe:*:Enabled:HLDS Launcher"
"D:\Hry\Counter-Strike Source\hl2.exe"="D:\Hry\Counter-Strike Source\hl2.exe:*:Enabled:hl2"
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe"="C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"="C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\WINDOWS\system32\lxducoms.exe"="C:\WINDOWS\system32\lxducoms.exe:*:Enabled:5600-6600 Series Server"
"D:\Hry\Tony Hawk's Underground 2\Game\THUG2.exe"="D:\Hry\Tony Hawk's Underground 2\Game\THUG2.exe:*:Disabled:THUG2"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"

======List of files/folders created in the last 1 months======

2010-05-08 08:30:59 ----D---- C:\Program Files\trend micro
2010-05-08 08:15:20 ----D---- C:\Documents and Settings\Administrator.KLUCI-PC\Data aplikací\Malwarebytes
2010-05-07 22:06:12 ----ASH---- C:\Documents and Settings\Administrator.KLUCI-PC\Data aplikací\desktop.ini
2010-05-07 22:06:11 ----SD---- C:\Documents and Settings\Administrator.KLUCI-PC\Data aplikací\Microsoft
2010-05-07 19:50:05 ----D---- C:\Program Files\Norton 360
2010-05-07 19:50:04 ----D---- C:\Program Files\Windows Sidebar
2010-05-07 19:49:48 ----D---- C:\Program Files\NortonInstaller
2010-05-07 19:31:26 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-04 19:23:51 ----D---- C:\Program Files\Roger Wilco
2010-05-02 19:24:12 ----D---- C:\Program Files\1944 - Bitva v Ardenách
2010-04-14 18:50:13 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 18:49:55 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 18:44:47 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 18:44:35 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 16:40:28 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 16:39:57 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-11 15:05:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\NVIDIA Corporation
2010-04-11 15:04:00 ----A---- C:\WINDOWS\imsins.BAK
2010-04-11 15:03:55 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2010-04-11 14:25:21 ----D---- C:\WINDOWS\pss

======List of files/folders modified in the last 1 months======

2010-05-08 08:30:59 ----RD---- C:\Program Files
2010-05-07 22:16:05 ----D---- C:\WINDOWS\system32\drivers
2010-05-07 22:12:18 ----SD---- C:\WINDOWS\Tasks
2010-05-07 22:12:02 ----D---- C:\WINDOWS\Temp
2010-05-07 22:08:43 ----D---- C:\WINDOWS\system32\CatRoot
2010-05-07 22:08:42 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-07 22:06:09 ----D---- C:\Documents and Settings
2010-05-07 21:54:12 ----D---- C:\WINDOWS\system32\config
2010-05-07 21:53:32 ----D---- C:\WINDOWS\system32\wbem
2010-05-07 21:53:31 ----D---- C:\WINDOWS\Registration
2010-05-07 21:52:26 ----AD---- C:\WINDOWS
2010-05-07 21:40:25 ----HD---- C:\WINDOWS\inf
2010-05-07 19:59:01 ----A---- C:\WINDOWS\ModemLog_Sériový kabel mezi dvěma počítači.txt
2010-05-07 19:53:07 ----SHD---- C:\System Volume Information
2010-05-07 19:51:30 ----D---- C:\WINDOWS\system32
2010-05-07 19:51:12 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-05-07 19:51:07 ----D---- C:\Program Files\Common Files
2010-05-07 19:50:04 ----D---- C:\Documents and Settings\All Users\Data aplikací\Norton
2010-05-07 18:56:02 ----D---- C:\WINDOWS\system32\ias
2010-05-06 18:04:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-04 19:24:23 ----HD---- C:\Program Files\InstallShield Installation Information
2010-05-04 19:23:42 ----D---- C:\Program Files\GameSpy Arcade
2010-05-04 18:50:30 ----A---- C:\ASWL2K.ini
2010-05-02 18:51:50 ----SHD---- C:\WINDOWS\Installer
2010-05-02 18:41:03 ----D---- C:\WINDOWS\system32\DirectX
2010-05-02 14:08:59 ----D---- C:\Program Files\Mozilla Thunderbird
2010-04-14 18:51:17 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-04-14 18:50:20 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-04-14 18:50:03 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-14 18:47:03 ----A---- C:\WINDOWS\system32\aswBoot.exe
2010-04-14 18:46:04 ----D---- C:\WINDOWS\Debug
2010-04-14 18:43:54 ----D---- C:\WINDOWS\ie8updates
2010-04-11 15:06:46 ----D---- C:\WINDOWS\Prefetch
2010-04-11 15:06:26 ----D---- C:\Program Files\NVIDIA Corporation
2010-04-11 15:06:25 ----D---- C:\WINDOWS\Help
2010-04-11 15:05:34 ----D---- C:\WINDOWS\nview
2010-04-11 15:04:38 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-04-11 14:41:21 ----D---- C:\Program Files\Jarda a Šmarda
2010-04-11 14:34:44 ----SH---- C:\boot.ini
2010-04-11 14:34:44 ----A---- C:\WINDOWS\win.ini
2010-04-11 14:34:44 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2004-05-14 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2004-05-14 44384]
S1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-04-14 28880]
S1 AmdPPM;Ovladač procesoru HwPState AMD; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
S1 asuskbnt;Enhanced Display Driver Helper Service; C:\WINDOWS\system32\drivers\atkkbnt.sys [2004-07-20 20096]
S1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-04-14 162768]
S1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-04-14 46672]
S1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2009-12-02 149040]
S1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-08-09 53920]
S1 SASDIFSV;SASDIFSV; \??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-11-16 20747]
S2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-04-14 19024]
S2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-04-14 100432]
S2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-12-25 278728]
S2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
S2 irda;Protokol IrDA; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
S2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2007-12-21 18048]
S3 a7hgxczf;a7hgxczf; C:\WINDOWS\system32\drivers\a7hgxczf.sys []
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
S3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-04-14 23376]
S3 BCM43XX;Ovladač síťového adaptéru ASUS 802.11; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-12 604928]
S3 FXDRV;FXDRV; \??\J:\Fxdrv.sys []
S3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
S3 jgameenp;jgameenp; \??\C:\DOCUME~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys []
S3 kvpndev;Kerio VPN adapter; C:\WINDOWS\system32\DRIVERS\kvpndrv.sys [2008-06-24 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer; C:\WINDOWS\system32\DRIVERS\kwflower.sys []
S3 mirrorv3;mirrorv3; C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-11-01 3328]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent; C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic; C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2010-01-12 10276768]
S3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2004-09-10 52224]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-10-05 33280]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-10-05 12928]
S3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2004-09-10 412032]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 PRODIGY;PRODIGY; C:\WINDOWS\System32\Drivers\PRODIGY.SYS [2006-08-29 32377]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2006-03-02 5888]
S3 SASENUM;SASENUM; \??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM); C:\WINDOWS\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter); C:\WINDOWS\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem; C:\WINDOWS\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2008-04-13 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 Video3D;ASUS Video3D Service; C:\WINDOWS\System32\Drivers\Video3D.sys [2004-07-06 44544]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2004-05-14 21440]
S3 WmHidLo;Logitech WingMan USB Filter Driver; C:\WINDOWS\system32\drivers\WmHidLo.sys [2004-05-14 14720]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2004-05-14 5600]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-03-02 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-05 1029456]
R2 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-12-09 17904]
S2 ASWLSVC;ASWLSVC; C:\WINDOWS\system32\ASWLSVC.exe [2004-05-06 496640]
S2 ATKKeyboardService;ATK Keyboard Service; C:\WINDOWS\ATKKBService.exe [2004-07-20 90112]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S2 FsUsbExService;FsUsbExService; C:\WINDOWS\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 Irmon;Sledování infračerveného přenosu; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 lxdu_device;lxdu_device; C:\WINDOWS\system32\lxducoms.exe [2008-05-23 594600]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2008-05-23 98984]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2010-01-11 154216]
S2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-09-14 66872]
S2 pr2agmlb;Armed Assault Drivers Auto Removal (pr2agmlb); C:\WINDOWS\system32\pr2agmlb.exe [2007-06-04 407168]
S2 pr2anfab;Helldorado Drivers Auto Removal (pr2anfab); C:\WINDOWS\system32\pr2anfab.exe [2007-10-04 411000]
S2 psrem02;CD Guard Drivers Auto Removal (v2); C:\WINDOWS\system32\psrem02.exe [2006-05-11 358008]
S2 StarWindServiceAE;StarWind AE Service; D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
S2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
S2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-04-14 40384]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[earl]

Zdravim,

CTETE POZORNE NAVOD,TENTO SOFT NETOLERUJE CHYBY V POSTUPU APLIKOVANI!

Klidne si nasledujici radky vytisknete,at vite,co se bude na obrazovce odehravat.

Budte prihlasen na pc s administratorskymi pravy.

stahnete a ulozte nejlepe na plochu ComboFix

v pripade,ze nepujde stranka nacist-stahnete odtud download , popr. nepujde ComboFix spustit - prejmenujte jej na grinder.com a postupujte dale dle instrukci.

hned po startu se zobrazi Zreknuti se prava zaruky na funkcnost software, pokracujte kliknutim na tlacitko Ano:



pote muze nasledovat upozorneni na nainstalovane emulatory CD mechanik,typicky Daemon Tools nebo Alcohol 120



odklepnout OK

Souhlasit s instalaci Recovery console(Konzola pro zotaveni)-nutno funkcni internet

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: upozorneni: Vypnete rezidentni stit u antiviru a antispywaru a zakazte docasne firewall-ComboFix by nemusel fungovat korektne-pokud budete mit stity vypnute a Combofix zahlasi,ze nejsou,pokracujte dal a potvrdte.

po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

[chronos_m]

tak jsem vše provedl podle návodu. Po restartu dokonce Combofix nahlásil že našel rootkitové soubory a musí vše restartovat. Po restartu probělo x fází a v závěru napsal, že připravuje report a nemám nic spouštět dokud neskončí svou činnost. Bohužel na tento text hledím už asi 20minut a nic se neděje a i počítač se tváří, že je v klidu.

[chronos_m]

PC jsem musel restarovat, celou akci zopakovat. Průběh byl stejný. Jen v závěru když oznámil, že je téměř hotov a protokol uloží do C:\ Combofix.txt, tak se sám restartoval a na C: žádný protokol není vytvořen

[chronos_m]

do třetice se to povedlo. Jen log byl umístěn trochu jinde

ComboFix 10-05-07.07 - Borusík 08.05.2010 19:40:28.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.547 [GMT 2:00]
Spuštěný z: C:\Documents and Settings\Borusík\Plocha\ComboFix.exe
AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-04-08 do 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-08 17:26:13 . 2009-06-18 10:55:41 18816 ------w- C:\WINDOWS\system32\SAVRKBootTasks.sys
2010-05-08 16:41:29 . 2010-05-08 16:41:29 -------- d-----w- C:\Program Files\Sophos
2010-05-08 14:17:27 . 2010-05-08 14:17:27 -------- d-----w- C:\Program Files\ESET
2010-05-08 07:04:53 . 2009-10-22 11:54:18 37392 ----a-w- C:\WINDOWS\system32\drivers\36444432.sys
2010-05-08 07:04:53 . 2009-10-09 21:31:10 315408 ----a-w- C:\WINDOWS\system32\drivers\3644443.sys
2010-05-08 07:04:53 . 2009-09-25 15:59:42 128016 ----a-w- C:\WINDOWS\system32\drivers\36444431.sys
2010-05-08 06:30:59 . 2010-05-08 06:30:59 -------- d-----w- C:\Program Files\trend micro
2010-05-07 20:07:26 . 2010-05-07 20:07:26 -------- d-sh--w- C:\Documents and Settings\Administrator.KLUCI-PC\IETldCache
2010-05-07 19:53:31 . 2010-05-07 19:53:31 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2010-05-07 17:50:08 . 2010-05-07 17:50:09 -------- d-----w- C:\WINDOWS\system32\drivers\N360
2010-05-07 17:50:05 . 2010-05-07 19:52:30 -------- d-----w- C:\Program Files\Norton 360
2010-05-07 17:50:04 . 2010-05-07 17:50:04 -------- d-----w- C:\Program Files\Windows Sidebar
2010-05-07 17:49:48 . 2010-05-07 17:49:48 -------- d-----w- C:\Program Files\NortonInstaller
2010-05-07 17:32:46 . 2010-05-07 17:32:46 -------- d-----w- C:\Documents and Settings\Administrator\IETldCache
2010-05-07 17:31:45 . 2010-05-07 19:52:31 -------- d-----w- C:\Documents and Settings\Administrator\Plocha
2010-05-07 17:31:45 . 2010-05-07 19:52:31 -------- d-----w- C:\Documents and Settings\Administrator\Šablony
2010-05-07 17:31:45 . 2010-05-07 19:52:31 -------- d-----w- C:\Documents and Settings\Administrator\Data aplikací
2010-05-07 17:31:44 . 2010-05-07 19:52:31 -------- d-s---w- C:\Documents and Settings\Administrator
2010-05-04 17:23:51 . 2010-05-04 17:24:00 -------- d-----w- C:\Program Files\Roger Wilco
2010-05-02 17:24:12 . 2010-05-02 17:24:46 -------- d-----w- C:\Program Files\1944 - Bitva v Ardenách

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 14:27:00 . 2008-07-23 15:13:03 -------- d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2010-05-08 14:26:10 . 2009-02-27 14:15:11 -------- d-----w- C:\Program Files\Lavasoft
2010-05-04 17:24:23 . 2007-11-16 18:23:44 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-05-04 17:23:42 . 2008-01-25 13:30:52 -------- d-----w- C:\Program Files\GameSpy Arcade
2010-05-02 12:08:59 . 2007-11-16 18:42:08 -------- d-----w- C:\Program Files\Mozilla Thunderbird
2010-04-11 13:06:26 . 2007-11-17 08:43:29 -------- d-----w- C:\Program Files\NVIDIA Corporation
2010-04-11 12:41:21 . 2009-05-24 09:17:06 -------- d-----w- C:\Program Files\Jarda a Šmarda
2010-04-07 19:08:08 . 2010-04-07 19:08:08 55232 ----a-w- C:\WINDOWS\system32\drivers\epfwtdi.sys
2010-04-07 19:08:06 . 2010-04-07 19:08:06 32584 ----a-w- C:\WINDOWS\system32\drivers\epfwndis.sys
2010-04-07 19:08:04 . 2010-04-07 19:08:04 134488 ----a-w- C:\WINDOWS\system32\drivers\epfw.sys
2010-04-07 19:07:08 . 2010-04-07 19:07:08 114984 ----a-w- C:\WINDOWS\system32\drivers\ehdrv.sys
2010-04-07 19:03:44 . 2010-04-07 19:03:44 139192 ----a-w- C:\WINDOWS\system32\drivers\eamon.sys
2010-03-31 12:31:51 . 2009-07-16 16:59:03 -------- d-----w- C:\Program Files\ICQ6Toolbar
2010-03-31 08:34:13 . 2010-03-31 08:31:59 -------- d-----w- C:\Program Files\ICQ7.1
2010-03-30 05:39:14 . 2006-03-02 12:00:00 90546 ----a-w- C:\WINDOWS\system32\perfc005.dat
2010-03-30 05:39:14 . 2006-03-02 12:00:00 458370 ----a-w- C:\WINDOWS\system32\perfh005.dat
2010-03-23 19:21:26 . 2010-05-07 19:50:24 175372 ----a-w- C:\WINDOWS\pchealth\helpctr\Config\Cache\Personal_32_1029.dat
2010-03-22 17:59:46 . 2010-03-22 17:59:38 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-21 12:18:03 . 2010-02-17 19:01:50 -------- d-----w- C:\Program Files\Lexmark 5600-6600 Series
2010-03-21 12:09:24 . 2010-02-17 19:05:32 -------- d-----w- C:\Program Files\Lexmark Printable Web
2010-03-13 18:34:11 . 2007-11-16 18:42:45 -------- d-----w- C:\Program Files\Alwil Software
2010-03-10 06:17:40 . 2006-03-02 12:00:00 420352 ----a-w- C:\WINDOWS\system32\vbscript.dll
2010-02-25 06:18:56 . 2006-03-02 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-02-24 13:11:07 . 2006-03-02 12:00:00 455680 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2010-02-24 08:16:06 . 2010-02-19 17:36:26 181632 ------w- C:\WINDOWS\system32\MpSigStub.exe
2010-02-17 12:09:02 . 2006-03-02 12:00:00 2192128 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2010-02-16 19:09:02 . 2004-08-17 15:45:30 2068992 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2010-02-12 10:03:03 . 2010-03-05 15:48:19 293376 ------w- C:\WINDOWS\system32\browserchoice.exe
2010-02-12 04:35:01 . 2006-03-02 12:00:00 100864 ----a-w- C:\WINDOWS\system32\6to4svc.dll
2010-02-11 12:02:15 . 2006-03-02 12:00:00 226880 ----a-w- C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_13.16.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 14:18:34 . 2010-05-08 14:18:34 97360 C:\WINDOWS\Installer\{10C86109-65BB-4E22-990A-110DC70DE29C}\egui.exe
+ 2010-05-08 14:18:34 . 2010-05-08 14:18:34 10134 C:\WINDOWS\Installer\{10C86109-65BB-4E22-990A-110DC70DE29C}\callmsi.exe
+ 2010-05-08 14:18:34 . 2010-05-08 14:18:34 960512 C:\WINDOWS\Installer\38f53.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe" [2005-03-24 17:28:18 983040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 16:53:06 131072]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2006-03-02 20:10:26 1667584]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 20:16:00 39792]
"lxdumon.exe"="C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-05-29 13:04:45 676520]
"lxduamon"="C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-05-29 13:04:43 16040]
"NPSStartup"="" [BU]
"QuickTime Task"="D:\Hry\QuickTime\qttask.exe" [2008-09-04 13:22:57 98304]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2010-01-11 20:17:44 110696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2010-01-11 20:17:44 13666408]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2010-04-07 19:07:04 2145000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 03:22:17 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 23:44:24 435096]

C:\Documents and Settings\Kryçtof\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 20:41:34 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Hry\\Team17 Software Ltd\\WormsForts\\wf.exe"=
"D:\\Hry\\UBISOFT\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"D:\\Hry\\Pyro\\Commandos 3 - Destination Berlin\\Commandos3.exe"=
"D:\\Hry\\OpenArena\\ioquake3.x86.exe"=
"D:\\Hry\\5star Gomoku\\Gomoku.exe"=
"D:\\Hry\\FlatOut2\\FlatOut2.exe"=
"D:\\Hry\\Cenega Czech\\Sid Meier's Civilization III Gold\\CIV3PTW\\Civilization3X.exe"=
"D:\\Hry\\Eidos\\Pyro Studios\\Commandos Strike Force\\CommXPC.exe"=
"D:\\Hry\\TrackMania Sunrise\\TmSunrise.exe"=
"D:\\Hry\\UBISOFT\\Prince of Persia\\Prince of Persia.exe"=
"D:\\Hry\\UBISOFT\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=
"D:\\Hry\\EA SPORTS\\UEFA EURO 2008\\EURO08.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"D:\\Hry\\Activision\\Mat Hoffman's Pro BMX\\BMX.exe"=
"D:\\Hry\\THQ\\Pandemic Studios\\Full Spectrum Warrior\\Launcher.exe"=
"D:\\Hry\\Call of Duty\\CoDUOMP.exe"=
"D:\\Hry\\Call of Duty\\CoDMP.exe"=
"D:\\Hry\\UBISOFT\\Gearbox Software\\BrothersInArms\\System\\bia.exe"=
"D:\\Hry\\Microsoft Games\\Age of Empires\\Empires.exe"=
"D:\\Hry\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Hry\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"D:\\Hry\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Hry\\UBISOFT\\Shaun White Snowboarding\\ShaunWhiteSnowboardingGame.exe"=
"D:\\Hry\\UBISOFT\\Shaun White Snowboarding\\ShaunWhiteSnowboarding.exe"=
"D:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"D:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"D:\\Hry\\Counter-Strike Source\\hl2.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\WINDOWS\\system32\\lxducoms.exe"=
"D:\\Hry\\Tony Hawk's Underground 2\\Game\\THUG2.exe"=
"C:\\Program Files\\ICQ7.1\\ICQ.exe"=
"C:\\Program Files\\ICQ7.1\\aolload.exe"=

R0 36444432;36444432 Boot Guard Driver;C:\WINDOWS\system32\drivers\36444432.sys [8.5.2010 9:04:53 37392]
R0 pe3agmlb;Armed Assault Environment Driver (pe3agmlb);C:\WINDOWS\system32\drivers\pe3agmlb.sys [4.6.2007 21:01:45 65408]
R0 pe3anfab;Helldorado Environment Driver (pe3anfab);C:\WINDOWS\system32\drivers\pe3anfab.sys [4.10.2007 18:26:30 64632]
R0 pf2anfab;Helldorado File System Driver (pf2anfab);C:\WINDOWS\system32\drivers\pf2anfab.sys [4.10.2007 18:25:51 83576]
R0 ps6agmlb;Armed Assault Synchronization Driver (ps6agmlb);C:\WINDOWS\system32\drivers\ps6agmlb.sys [4.6.2007 21:01:20 55688]
R0 ps7anfab;Helldorado Synchronization Driver (ps7anfab);C:\WINDOWS\system32\drivers\ps7anfab.sys [4.10.2007 18:25:03 68224]
R0 psdrv02;CD Guard Environment Driver (v2);C:\WINDOWS\system32\drivers\psdrv02.sys [11.9.2006 14:01:44 67960]
R0 pssync05;CD Guard Synchronization Driver (v5);C:\WINDOWS\system32\drivers\pssync05.sys [3.11.2006 10:24:01 61312]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [5.7.2006 14:46:06 63352]
R1 36444431;36444431;C:\WINDOWS\system32\drivers\36444431.sys [8.5.2010 9:04:53 128016]
R1 ehdrv;ehdrv;C:\WINDOWS\system32\drivers\ehdrv.sys [7.4.2010 21:07:08 114984]
R1 SAVRKBootTasks;Boot Tasks Driver;C:\WINDOWS\system32\SAVRKBootTasks.sys [8.5.2010 19:26:13 18816]
R1 setup_9.0.0.722_08.05.2010_09-25drv;setup_9.0.0.722_08.05.2010_09-25drv;C:\WINDOWS\system32\drivers\3644443.sys [8.5.2010 9:04:53 315408]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\ekrn.exe [7.4.2010 21:07:24 810120]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [26.12.2009 17:04:12 233472]
R2 lxdu_device;lxdu_device;C:\WINDOWS\system32\lxducoms.exe -service --> C:\WINDOWS\system32\lxducoms.exe -service [?]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [26.12.2009 17:04:12 36608]
S0 Lbd;Lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys --> C:\WINDOWS\system32\DRIVERS\Lbd.sys [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;C:\WINDOWS\system32\spool\drivers\w32x86\3\lxduserv.exe [17.2.2010 21:10:33 98984]
S2 pr2agmlb;Armed Assault Drivers Auto Removal (pr2agmlb);C:\WINDOWS\system32\pr2agmlb.exe svc --> C:\WINDOWS\system32\pr2agmlb.exe svc [?]
S2 pr2anfab;Helldorado Drivers Auto Removal (pr2anfab);C:\WINDOWS\system32\pr2anfab.exe svc --> C:\WINDOWS\system32\pr2anfab.exe svc [?]
S2 psrem02;CD Guard Drivers Auto Removal (v2);C:\WINDOWS\system32\psrem02.exe svc --> C:\WINDOWS\system32\psrem02.exe svc [?]
S3 BKU;BKU;C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\BKU.exe --> C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\BKU.exe [?]
S3 FXDRV;FXDRV;\??\J:\Fxdrv.sys --> J:\Fxdrv.sys [?]
S3 jgameenp;jgameenp;\??\C:\DOCUME~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys --> C:\DOCUME~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys [?]
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\drivers\kvpndrv.sys [24.6.2008 10:36:14 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;C:\WINDOWS\system32\DRIVERS\kwflower.sys --> C:\WINDOWS\system32\DRIVERS\kwflower.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\78.tmp --> C:\WINDOWS\system32\78.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [10.2.2010 19:11:19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [10.2.2010 19:11:20 8320]
S3 PRODIGY;PRODIGY;C:\WINDOWS\system32\drivers\prodigy.sys [11.2.2010 18:34:46 32377]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [26.12.2009 17:04:29 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [26.12.2009 17:04:29 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [26.12.2009 17:04:29 121856]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [11.9.2009 17:00:55 685816]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - C:\Program Files\ICQ7.1\ICQ.exe
FF - ProfilePath - C:\Documents and Settings\Borusík\Data aplikací\Mozilla\Firefox\Profiles\e4xsboq6.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: D:\Hry\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

[earl]

Chybi zaverecna tretina logu.V te se dozvime o detekci rootkitu

Klepnete na Tento pocitac-Nastroje-Moznosti slozky-Zobrazeni-a odfajfkujte Skryt chranene soubory operacniho systemu a oznacte Zobrazovat skryte soubory a slozky.Po ukonceni vsech procedur stejnou cestou vratte nastaveni zpet.

otestujte na VIRUSTOTALu

C:\WINDOWS\system32\drivers\36444432.sys

C:\WINDOWS\system32\drivers\3644443.sys

C:\WINDOWS\system32\drivers\36444431.sys

C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\BKU.exe

C:\DOCUME~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

[chronos_m]

tady jsou ty první 3 soubory. Ty druhé dva jsem nikde nenašel (nevím jak je to možné)

File 47327142.sys- received on 2010.04.29 01:16:58 (UTC)
Current status: finished
Result: 0/39 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.29 -
AhnLab-V3 5.0.0.2 2010.04.28 -
AntiVir 8.2.1.224 2010.04.28 -
Antiy-AVL 2.0.3.7 2010.04.28 -
Authentium 5.2.0.5 2010.04.29 -
Avast 4.8.1351.0 2010.04.28 -
AVG 9.0.0.787 2010.04.29 -
BitDefender 7.2 2010.04.29 -
CAT-QuickHeal 10.00 2010.04.28 -
ClamAV 0.96.0.3-git 2010.04.29 -
Comodo 4705 2010.04.29 -
DrWeb 5.0.2.03300 2010.04.29 -
eSafe 7.0.17.0 2010.04.28 -
eTrust-Vet 35.2.7456 2010.04.28 -
F-Prot 4.5.1.85 2010.04.28 -
F-Secure 9.0.15370.0 2010.04.28 -
Fortinet 4.0.14.0 2010.04.27 -
GData 21 2010.04.29 -
Ikarus T3.1.1.80.0 2010.04.29 -
Jiangmin 13.0.900 2010.04.28 -
Kaspersky 7.0.0.125 2010.04.29 -
McAfee 5.400.0.1158 2010.04.29 -
McAfee-GW-Edition 6.8.5 2010.04.28 -
Microsoft 1.5703 2010.04.28 -
NOD32 5070 2010.04.28 -
Norman 6.04.11 2010.04.28 -
nProtect 2010-04-28.02 2010.04.28 -
Panda 10.0.2.7 2010.04.28 -
PCTools 7.0.3.5 2010.04.29 -
Prevx 3.0 2010.04.29 -
Rising 22.45.02.04 2010.04.28 -
Sophos 4.53.0 2010.04.29 -
Sunbelt 6235 2010.04.28 -
Symantec 20091.2.0.41 2010.04.29 -
TheHacker 6.5.2.0.272 2010.04.28 -
TrendMicro 9.120.0.1004 2010.04.28 -
VBA32 3.12.12.4 2010.04.28 -
ViRobot 2010.4.27.2295 2010.04.28 -
VirusBuster 5.0.27.0 2010.04.28 -
Additional information
File size: 37392 bytes
MD5 : a305fad3719c5db0c13d1c2bfd08a04d
SHA1 : cd7300ae608db1ca6583736b9648cf36b476f832
SHA256: a3f8d9139142391d5f68aeb75a501243852a487f084f5aa75c03eb173d2b8935
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3CA0
timedatestamp.....: 0x4AE02BB3 (Thu Oct 22 11:53:55 2009)
machinetype.......: 0x14C (Intel I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x427E 0x4400 6.30 b2a5eb356209d15285e1808b9629411c
.rdata 0x6000 0x150C 0x1600 7.38 945af6e04dbf86c095c1755f343392a8
.data 0x8000 0x198 0x200 1.76 38b21fbea339d3c01709e6603a4baa5c
PAGECODE 0x9000 0x2EB 0x400 5.07 d6e2cfe49628330b8479e665ce2a9c2a
INIT 0xA000 0x650 0x800 4.61 f1d93e70472651a3da107c37db60f3a4
.rsrc 0xB000 0x418 0x600 2.48 7907b082561e0fcf5edc2821a6ea5738
.reloc 0xC000 0x422 0x600 4.20 70b278bb5403516ecc43165f821d09c7

( 2 imports )

> hal.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel
> ntoskrnl.exe: MmProbeAndLockPages, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, _except_handler3, memset, ObfDereferenceObject, ObReferenceObjectByName, IoDriverObjectType, RtlInitUnicodeString, KeServiceDescriptorTable, PsGetCurrentProcessId, IoGetCurrentProcess, memcpy, ExFreePoolWithTag, ExAllocatePoolWithTag, KeLeaveCriticalRegion, ExReleaseResourceLite, ExAcquireResourceExclusiveLite, KeEnterCriticalRegion, ZwClose, ZwSetValueKey, ZwDeleteValueKey, ZwEnumerateValueKey, ZwOpenKey, ExInitializeResourceLite, MmIsAddressValid, KeWaitForSingleObject, IofCallDriver, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoGetDeviceObjectPointer, ZwSetInformationFile, ZwQueryInformationFile, IoCreateFile, ZwWriteFile, ZwReadFile, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, ZwNotifyChangeKey, IofCompleteRequest, IoCreateSymbolicLink, IoCreateDevice, IoDeleteSymbolicLink, IoDeleteDevice, IoRegisterBootDriverReinitialization, RtlCopyUnicodeString, InitSafeBootMode, ZwCreateKey, ZwEnumerateKey, ExAllocatePool, ZwDeleteKey, wcschr, MmUnlockPages, PsGetCurrentThreadId, IoFreeMdl, DbgPrint, RtlAnsiCharToUnicodeChar, KeBugCheckEx

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 768:M+hdvdtdNZnYvFOzz2o7fSgLa1TvanHWp66enLvbYCSm02:M+hdvdtdN1rz6qnLagDN/YeR
sigcheck: publisher....: Kaspersky Lab
copyright....: Copyright (c) Kaspersky Lab 1997-2009.
product......: Kaspersky Anti-Virus
description..: Kaspersky Lab Boot Guard Driver
original name: KLBG.SYS
internal name: KLBG
file version.: 9.1.0.0
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 10:54 AM 10/22/2009
verified.....: -
PEiD : -
RDS : NSRL Reference Data Set

File 5633424.sys received on 2010.05.08 15:32:40 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.08 -
AhnLab-V3 2010.05.08.00 2010.05.07 -
AntiVir 8.2.1.236 2010.05.07 -
Antiy-AVL 2.0.3.7 2010.05.07 -
Authentium 5.2.0.5 2010.05.08 -
Avast 4.8.1351.0 2010.05.08 -
Avast5 5.0.332.0 2010.05.08 -
AVG 9.0.0.787 2010.05.08 -
BitDefender 7.2 2010.05.08 -
CAT-QuickHeal 10.00 2010.05.08 -
ClamAV 0.96.0.3-git 2010.05.08 -
Comodo 4792 2010.05.08 -
DrWeb 5.0.2.03300 2010.05.08 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7474 2010.05.07 -
F-Prot 4.5.1.85 2010.05.08 -
F-Secure 9.0.15370.0 2010.05.08 -
Fortinet 4.1.133.0 2010.05.08 -
GData 21 2010.05.08 -
Ikarus T3.1.1.84.0 2010.05.08 -
Jiangmin 13.0.900 2010.05.08 -
Kaspersky 7.0.0.125 2010.05.08 -
McAfee 5.400.0.1158 2010.05.08 -
McAfee-GW-Edition 2010.1 2010.05.08 -
Microsoft 1.5703 2010.05.08 -
NOD32 5096 2010.05.07 -
Norman 6.04.12 2010.05.08 -
nProtect 2010-05-08.01 2010.05.08 -
Panda 10.0.2.7 2010.05.08 -
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.08 -
Rising 22.46.05.04 2010.05.08 -
Sophos 4.53.0 2010.05.08 -
Sunbelt 6278 2010.05.08 -
Symantec 20091.2.0.41 2010.05.08 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.08 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.8.2306 2010.05.08 -
VirusBuster 5.0.27.0 2010.05.07 -
Additional information
File size: 315408 bytes
MD5 : 66ef49622baa18e4d4f1fe4bae1d51b8
SHA1 : 0c2651ff9f5661ae124408c457f6c8ac20f0c9cb
SHA256: d30daffafc29919c891c8952fc27890d735e4368c706ef452aa86b8b05cd7884
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47F74
timedatestamp.....: 0x4ACF8E96 (Fri Oct 9 21:27:18 2009)
machinetype.......: 0x14C (Intel I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x35CFA 0x35E00 6.47 9a7eefd58ad95fe8d5b70c60d7dbfab8
.rdata 0x37000 0x1B0C 0x1C00 4.33 73b61928f8e12f4f916480bda327c099
.data 0x39000 0x2F28 0x1200 4.57 8350b3b3633ca9115c344945a45b982f
PAGE 0x3C000 0x7FB2 0x8000 6.40 bb40a61b814b4557d8c39edee6f0aac9
PAGEDATA 0x44000 0x7C 0x200 1.63 6bd37e74ff04ea7dd3acc28377576bd0
INIT 0x45000 0x5CBA 0x5E00 6.23 2b080f8d8901d746417a5bf231350b7a
.rsrc 0x4B000 0x390 0x400 3.09 eb200494a33d110578b627973a75f667
.reloc 0x4C000 0x4074 0x4200 6.51 adb7d789269c15c154718ccba5b0ad66

( 3 imports )

> fltmgr.sys: FltWriteFile, FltGetRequestorProcess, FltGetFileNameInformation, FltParseFileNameInformation, FltIsDirectory, FltSetStreamContext, FltEnumerateVolumeInformation, FltGetStreamHandleContext, FltGetStreamContext, FltCreateSystemVolumeInformationFolder, FltSetInformationFile, FltGetVolumeContext, FltGetVolumeGuidName, FltEnumerateVolumes, FltReleaseFileNameInformation, FltGetFileNameInformationUnsafe, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltSendMessage, FltCloseClientPort, FltCloseCommunicationPort, FltAllocatePoolAlignedWithTag, FltReadFile, FltFreePoolAlignedWithTag, FltAllocateCallbackData, FltLockUserBuffer, FltFreeCallbackData, FltPerformSynchronousIo, FltFreeGenericWorkItem, FltRegisterFilter, FltStartFiltering, FltGetDestinationFileNameInformation, FltGetContexts, FltSetStreamHandleContext, FltCancelFileOpen, FltFlushBuffers, FltSetCallbackDataDirty, FltGetRequestorProcessId, FltGetInstanceContext, FltGetVolumeProperties, FltAllocateContext, FltReleaseContext, FltQueryVolumeInformation, FltGetDiskDeviceObject, FltSetInstanceContext, FltAllocateGenericWorkItem, FltQueueGenericWorkItem, FltSetVolumeContext, FltObjectReference, FltGetVolumeName, FltCreateFile, FltGetVolumeFromFileObject, FltClose, FltUnregisterFilter, FltInitializePushLock, FltReferenceFileNameInformation, FltAcquirePushLockShared, FltDeletePushLock, FltAcquirePushLockExclusive, FltReleasePushLock, FltObjectDereference, FltReleaseContexts, FltQueryInformationFile
> hal.dll: KfLowerIrql, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeQueryPerformanceCounter, KeGetCurrentIrql, KfRaiseIrql
> ntoskrnl.exe: IoQueueWorkItem, IoAllocateWorkItem, ZwOpenProcess, MmHighestUserAddress, RtlEqualUnicodeString, RtlEnumerateGenericTableWithoutSplayingAvl, _vsnwprintf, ZwEnumerateKey, ZwSetValueKey, ZwCreateFile, ZwDeleteKey, RtlIntegerToUnicodeString, ZwCreateKey, RtlUnicodeStringToInteger, FsRtlCheckLockForReadAccess, IoIsOperationSynchronous, KeClearEvent, ZwFlushVirtualMemory, RtlHashUnicodeString, KeSetPriorityThread, KeUnstackDetachProcess, ZwUnmapViewOfSection, ZwMapViewOfSection, KeStackAttachProcess, ZwCreateSection, MmUnsecureVirtualMemory, ExReInitializeRundownProtection, ObfReferenceObject, MmSecureVirtualMemory, IoUnregisterPlugPlayNotification, IoGetDeviceObjectPointer, IoRegisterPlugPlayNotification, SeTokenType, SeCreateClientSecurity, SeImpersonateClientEx, IoDeviceObjectType, IoBuildSynchronousFsdRequest, IoDeleteDevice, IoDeleteSymbolicLink, IoUnregisterShutdownNotification, ExGetPreviousMode, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, IoRegisterShutdownNotification, IoCreateSymbolicLink, IoCreateDevice, KeQueryInterruptTime, _stricmp, ZwQuerySystemInformation, KeDelayExecutionThread, strncmp, ZwQueryInformationProcess, KeServiceDescriptorTable, KeAddSystemServiceTable, PsLookupProcessByProcessId, IoGetBaseFileSystemDeviceObject, ZwOpenFile, ObQueryNameString, ObOpenObjectByName, strncpy, IoAllocateIrp, IoGetStackLimits, ObReferenceObjectByPointer, SeQueryAuthenticationIdToken, SeCaptureSubjectContext, PsDereferenceImpersonationToken, RtlCopySid, SeQueryInformationToken, PsReferenceImpersonationToken, PsReferencePrimaryToken, PsIsThreadTerminating, PsThreadType, PsProcessType, _allrem, MmUserProbeAddress, CmRegisterCallback, CmUnRegisterCallback, RtlGetVersion, PsGetVersion, ZwDeleteValueKey, ZwEnumerateValueKey, _allshl, InterlockedIncrement, InterlockedDecrement, InterlockedExchangeAdd, PsGetProcessId, IoThreadToProcess, PsLookupThreadByThreadId, ZwTerminateProcess, ProbeForRead, SeExports, NtBuildNumber, ZwQuerySection, RtlNumberGenericTableElementsAvl, swprintf, IoGetAttachedDeviceReference, PsRemoveCreateThreadNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, RtlSetDaclSecurityDescriptor, RtlGetAce, RtlAddAccessAllowedAce, RtlCreateAcl, RtlCreateSecurityDescriptor, ProbeForWrite, ZwSetInformationObject, ZwQueryObject, KeGetRecommendedSharedDataAlignment, KeNumberProcessors, KeInsertQueueApc, KeInitializeApc, IoIsSystemThread, NtQueryInformationProcess, RtlNtStatusToDosError, RtlAnsiStringToUnicodeString, ZwAllocateVirtualMemory, ZwFreeVirtualMemory, KeQueryTimeIncrement, KeTickCount, NtQueryInformationAtom, KeBugCheckEx, _allmul, _alldiv, KeWaitForMultipleObjects, IoGetRelatedDeviceObject, ObOpenObjectByPointer, IoFreeWorkItem, KeSetEvent, ExRundownCompleted, KeGetCurrentThread, ExInitializeRundownProtection, RtlUpcaseUnicodeChar, RtlUpperChar, PsCreateSystemThread, PsTerminateSystemThread, ExWaitForRundownProtectionRelease, ExReleaseRundownProtection, ExAcquireRundownProtection, KeInitializeEvent, IoBuildDeviceIoControlRequest, KeWaitForSingleObject, ZwOpenKey, ZwQueryValueKey, ZwClose, IoDriverObjectType, ObReferenceObjectByName, RtlLengthSid, MmIsAddressValid, RtlGetElementGenericTableAvl, RtlEnumerateGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlLookupElementGenericTableAvl, RtlUpcaseUnicodeString, InitSafeBootMode, IoGetCurrentProcess, PsInitialSystemProcess, MmMapLockedPagesSpecifyCache, memmove, IoGetTopLevelIrp, RtlInitializeSid, RtlSubAuthoritySid, _wcsnicmp, PsGetThreadId, PsGetCurrentThreadId, FsRtlIsNameInExpression, KeQuerySystemTime, PsGetCurrentProcessId, IoFileObjectType, ObReferenceObjectByHandle, ObfDereferenceObject, RtlAppendUnicodeStringToString, RtlCopyUnicodeString, RtlAppendUnicodeToString, RtlInitializeGenericTableAvl, RtlInsertElementGenericTableAvl, RtlImageNtHeader, ExDeletePagedLookasideList, ExDeleteNPagedLookasideList, ExInitializePagedLookasideList, ExInitializeNPagedLookasideList, RtlCompareUnicodeString, IofCompleteRequest, IofCallDriver, IoWMIRegistrationControl, RtlCompareMemory, RtlInitUnicodeString, MmGetSystemRoutineAddress, memset, memcpy, IoWMIWriteEvent, ExFreePoolWithTag, ExAllocatePoolWithTag, InterlockedPushEntrySList, SeReleaseSubjectContext, InterlockedPopEntrySList, RtlUnwind

( 0 exports )
TrID : File type identification
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 6144:dtSiy0lFHPMXyNyNw71VtA4lEs7w92+L/6yeR6aPqmKw7h:dtSLxysNE1Vjw92+muaCmFh
sigcheck: publisher....: Kaspersky Lab
copyright....: Copyright (c) Kaspersky Lab 1996-2009.
product......: Kaspersky_ Anti-Virus _
description..: Klif Mini-Filter _fre_wnet_x86_
original name: KLIF
internal name: KLIF
file version.: 8.4.0.101 built by: WinDDK
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 8:31 PM 10/9/2009
verified.....: -
PEiD : -
RDS : NSRL Reference Data Set
-

File 91581821.sys received on 2010.05.05 12:34:39 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.05 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.05 -
Antiy-AVL 2.0.3.7 2010.05.05 -
Authentium 5.2.0.5 2010.05.05 -
Avast 4.8.1351.0 2010.05.05 -
Avast5 5.0.332.0 2010.05.05 -
AVG 9.0.0.787 2010.05.04 -
BitDefender 7.2 2010.05.05 -
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.05 -
Comodo 4770 2010.05.05 -
DrWeb 5.0.2.03300 2010.05.05 -
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7469 2010.05.05 -
F-Prot 4.5.1.85 2010.05.05 -
F-Secure 9.0.15370.0 2010.05.05 -
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.05 -
Ikarus T3.1.1.84.0 2010.05.05 -
Jiangmin 13.0.900 2010.05.05 -
Kaspersky 7.0.0.125 2010.05.05 -
McAfee 5.400.0.1158 2010.05.05 -
McAfee-GW-Edition 2010.1 2010.05.05 -
Microsoft 1.5703 2010.05.04 -
NOD32 5087 2010.05.05 -
Norman 6.04.12 2010.05.05 -
nProtect 2010-05-05.01 2010.05.05 -
Panda 10.0.2.7 2010.05.04 -
PCTools 7.0.3.5 2010.05.05 -
Prevx 3.0 2010.05.05 -
Rising 22.46.02.03 2010.05.05 -
Sophos 4.53.0 2010.05.05 -
Sunbelt 6263 2010.05.05 -
Symantec 20091.2.0.41 2010.05.05 -
TheHacker 6.5.2.0.275 2010.05.03 -
TrendMicro 9.120.0.1004 2010.05.05 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.05 -
VBA32 3.12.12.4 2010.05.05 -
ViRobot 2010.5.4.2303 2010.05.05 -
VirusBuster 5.0.27.0 2010.05.04 -
Additional information
File size: 128016 bytes
MD5 : 7dd41b7ac1fbb1dbf20bb1f4e4fbe58c
SHA1 : c763c52f8b0dbb6594f1a81246ae2c27c6f74557
SHA256: 16b77fb533986ca6119f1307e52a4d0b863043c3fee572df20c0bc0115cf68d8
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2CA0
timedatestamp.....: 0x4ABCCCA4 (Fri Sep 25 15:59:00 2009)
machinetype.......: 0x14C (Intel I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16BBC 0x16C00 6.38 dddd74c8397a2d3a2410411853fa4365
.4lulz 0x18000 0x500000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x518000 0x2F24 0x3000 2.63 60022989bbf1decad14950fd83d3c909
INIT 0x51B000 0x54A 0x600 5.02 f3397d902be76b809d0b71b529972541
.rsrc 0x51C000 0x408 0x600 2.45 6d0ccd8942a830bc9662b2b4239c83d4
.reloc 0x51D000 0x2D24 0x2E00 1.47 48dc37f0b67e704793035f5299350824

( 3 imports )

> hal.dll: KfReleaseSpinLock, KfAcquireSpinLock
> ntoskrnl.exe: swprintf, sprintf, ZwQueryInformationFile, ExFreePool, ExAllocatePoolWithTag, memset, ZwClose, ZwReadFile, memcpy, strncmp, KeWaitForSingleObject, ObfDereferenceObject, ObReferenceObjectByHandle, PsCreateSystemThread, RtlFreeAnsiString, RtlUnicodeStringToAnsiString, ZwEnumerateValueKey, ZwOpenKey, wcsstr, RtlEqualUnicodeString, RtlCopyUnicodeString, KeReleaseMutex, PsSetLoadImageNotifyRoutine, KeInitializeMutex, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, _except_handler3, ZwQueryValueKey, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlPrefixUnicodeString, _stricmp, strchr, ZwQuerySystemInformation, IoAllocateIrp, _strnicmp, IoGetRelatedDeviceObject, KeInitializeSpinLock, InterlockedIncrement, InterlockedDecrement, ZwCreateFile, DbgPrint, IofCompleteRequest, PsGetVersion, wcschr, rand, srand, memmove
> tdi.sys: TdiMapUserRequest

( 0 exports )
TrID : File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:3BJVx78OeKLiS554lvz1VMjRIRorRe2VCQPBiGclS4NcPr/Yeb:rvKXbb1VMjK+FCQJiGclU/
sigcheck: publisher....: Kaspersky Lab
copyright....: Copyright (c) Kaspersky Lab 1997-2009.
product......: Kaspersky Anti-Virus
description..: Kaspersky Unified Driver
original name: KL1.SYS
internal name: KL1
file version.: 6.4.0.11
comments.....: n/a
signers......: Kaspersky Lab
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 2:59 PM 9/25/2009
verified.....: -
PEiD : -
RDS : NSRL Reference Data Set
-

[chronos_m]

Nevím jestli to pomůže, ale nechal jsem to ještě projet RootkitReveal. Bohužel opět při ukládání logu se program odporoučel a tak nevím jestli stihlu uložit všechno. tady je co mám:

HKU\S-1-5-21-1614895754-179605362-839522115-1004\console_combofixbackup 8.5.2010 14:47 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 22.10.2007 16:42 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 22.10.2007 16:41 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\Timestamp 9.5.2010 15:21 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\100\LastExec 9.5.2010 14:30 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Swearware\backup\winsock2 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 8.5.2010 15:30 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 8.5.2010 15:30 0 bytes Security mismatch.
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET Smart Security\Updfiles\oldfiles\em002_32.dat 8.5.2010 16:22 24.61 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET Smart Security\Updfiles\temp\em002_32.dat 9.5.2010 15:20 24.61 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci 9.5.2010 15:32 4.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir 9.5.2010 15:32 4.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid 9.5.2010 15:31 64.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci 9.5.2010 15:31 4.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.dir 9.5.2010 15:31 4.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid 9.5.2010 15:31 64.00 KB Hidden from Windows API.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini 9.5.2010 16:01 67 bytes Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_466.xml 29.4.2010 18:16 45.79 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_468.xml 29.4.2010 18:16 1.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_470.xml 29.4.2010 18:16 46.16 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_472.xml 29.4.2010 18:16 2.45 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_474.xml 29.4.2010 18:16 17.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_476.xml 29.4.2010 18:16 3.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_478.xml 29.4.2010 18:16 1.54 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_480.xml 29.4.2010 18:16 28.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_482.xml 29.4.2010 18:16 1.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_484.xml 29.4.2010 18:16 549.96 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_486.xml 29.4.2010 18:16 239.41 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_488.xml 29.4.2010 18:16 85.90 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_490.xml 29.4.2010 18:16 4.77 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_492.xml 29.4.2010 18:16 369.27 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_494.xml 29.4.2010 18:16 61.64 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_496.xml 9.5.2010 16:02 45.79 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_498.xml 9.5.2010 16:02 1.42 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_500.xml 9.5.2010 16:02 46.16 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_502.xml 9.5.2010 16:02 2.45 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_504.xml 9.5.2010 16:02 17.36 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_506.xml 9.5.2010 16:02 3.38 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_507.xml 9.5.2010 16:02 3.65 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_508.xml 9.5.2010 16:02 1.54 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_510.xml 9.5.2010 16:02 28.72 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_512.xml 9.5.2010 16:02 1.99 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_514.xml 9.5.2010 16:02 541.81 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_515.xml 9.5.2010 16:02 8.73 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_516.xml 9.5.2010 16:02 241.86 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_517.xml 9.5.2010 16:02 33.08 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_518.xml 9.5.2010 16:02 84.61 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_519.xml 9.5.2010 16:02 1.73 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_520.xml 9.5.2010 16:02 4.77 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_522.xml 9.5.2010 16:02 389.43 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_523.xml 9.5.2010 16:02 35.20 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_524.xml 9.5.2010 16:02 50.42 KB Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_525.xml 9.5.2010 16:02 31.35 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\ALCOHOL.EXE-10D07C64.pf 5.4.2010 13:30 23.62 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ASWL2K.EXE-2057BA89.pf 7.5.2010 19:56 10.03 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ASWLSVC.EXE-0640D898.pf 7.5.2010 19:56 27.05 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ATKKBSERVICE.EXE-24FE62ED.pf 7.5.2010 19:56 7.13 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AUTORUN.EXE-055703AF.pf 4.5.2010 19:22 42.44 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVAST.SETUP-01FBC16A.pf 7.5.2010 18:57 70.24 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\AVASTUI.EXE-1CBCA997.pf 7.5.2010 18:56 36.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CCLEANER.EXE-09CFC2BC.pf 8.5.2010 19:52 133.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\CENTER.EXE-013D3A4D.pf 8.5.2010 15:03 34.35 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf 6.5.2010 15:16 185.83 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DW20.EXE-22C39A55.pf 8.5.2010 19:55 44.96 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf 8.5.2010 19:52 29.45 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ENGINE.EXE-1003A7E0.pf 25.4.2010 18:22 50.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\FSUSBEXSERVICE.EXE-270893C6.pf 7.5.2010 19:56 10.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf 29.4.2010 18:16 77.78 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HEROESOFAE.EXE-04E6E49E.pf 5.4.2010 13:26 12.56 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\HL2.EXE-33D4F3D9.pf 11.4.2010 9:06 56.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ICQ.EXE-1630B616.pf 6.5.2010 17:49 81.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 8.5.2010 16:27 71.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\JARDA A 11.4.2010 14:41 37.62 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LXDUAMON.EXE-29BDB62C.pf 8.5.2010 15:03 10.62 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LXDUMON.EXE-0204E6A4.pf 8.5.2010 15:03 20.88 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LXDUMSDMON.EXE-270F1041.pf 8.5.2010 15:03 78.82 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\LXDUSERV.EXE-03D1E386.pf 7.5.2010 19:56 10.31 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPAM-D.EXE-273DDB90.pf 8.4.2010 16:51 87.07 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPAM-D_BD1.EXE-05E66EF2.pf 25.4.2010 11:04 117.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPAM-D_BD2.EXE-0417332B.pf 2.5.2010 12:07 213.84 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPMINISIGSTUB.EXE-078BE770.pf 11.4.2010 14:50 3.70 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPMINISIGSTUB.EXE-300541CC.pf 10.4.2010 14:06 3.83 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPSIGSTUB.EXE-1AF0C0DD.pf 5.4.2010 19:21 17.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPSIGSTUB.EXE-1D30D19B.pf 2.5.2010 12:07 43.31 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MPSIGSTUB.EXE-237CF66C.pf 8.4.2010 16:51 17.47 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSCONFIG.EXE-35E4DAE9.pf 11.4.2010 14:34 32.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf 8.5.2010 16:25 90.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf 8.5.2010 15:03 19.92 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSOHTMED.EXE-0712ED38.pf 11.4.2010 15:03 10.29 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MSSECES.EXE-2F804BB2.pf 8.5.2010 15:03 28.84 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NHL2009.EXE-319B49E8.pf 15.4.2010 20:13 14.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NPSAGENT.EXE-35B3CCF8.pf 6.5.2010 18:08 15.71 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NVCPLSETUPENG.EXE-349E1EE7.pf 11.4.2010 15:05 52.90 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NVCPLUI.EXE-315CED5C.pf 11.4.2010 14:28 57.63 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NVIEWSETUP.EXE-10D6BF7C.pf 11.4.2010 15:05 28.12 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NVSVC32.EXE-1F9EED18.pf 11.4.2010 14:32 25.71 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NVUDISP.EXE-08A6AC9D.pf 11.4.2010 15:05 16.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\NWIZ.EXE-2D0F9FBC.pf 11.4.2010 14:38 28.84 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\ONENOTEM.EXE-157A39AC.pf 8.5.2010 19:51 12.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PNKBSTRA.EXE-188A67A9.pf 7.5.2010 19:56 11.40 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PR2AGMLB.EXE-189960E6.pf 7.5.2010 19:56 8.18 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PR2ANFAB.EXE-0C758CC0.pf 7.5.2010 19:56 8.06 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PROTECT.EXE-200CFA45.pf 25.4.2010 18:22 17.08 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\PSREM02.EXE-207437DC.pf 7.5.2010 19:56 11.87 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\READER_SL.EXE-02E193BD.pf 8.5.2010 15:03 12.88 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-178024B3.pf 6.4.2010 14:13 60.52 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1857459C.pf 11.4.2010 14:32 15.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1CFCA186.pf 11.4.2010 9:08 17.81 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf 12.4.2010 16:40 66.55 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-26704274.pf 11.4.2010 15:06 17.32 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-30B14E8B.pf 11.4.2010 15:06 26.67 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-31B9BC96.pf 8.5.2010 16:27 21.06 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-34C04130.pf 11.4.2010 9:06 13.91 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-35A483DA.pf 8.5.2010 14:58 23.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-365277B8.pf 11.4.2010 15:06 26.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf 8.5.2010 19:54 12.33 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-46F3313B.pf 11.4.2010 15:06 26.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf 8.5.2010 19:30 21.15 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SEARCHINDEXER.EXE-1AD3307F.pf 7.5.2010 19:57 57.36 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-04A9BFD6.pf 11.4.2010 9:06 46.51 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-06FB5CFC.pf 5.4.2010 19:22 46.52 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-0F1FFC4E.pf 9.4.2010 17:13 81.38 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-1C9531EC.pf 7.4.2010 17:42 61.20 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-27ABBBC7.pf 10.4.2010 14:35 61.80 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-2CBA8610.pf 11.4.2010 14:41 62.17 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-2E8A9EDC.pf 7.4.2010 19:01 39.05 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SF.BIN-377F9D28.pf 5.4.2010 13:32 109.61 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SMARTDOCTOR.EXE-06E70190.pf 8.5.2010 15:03 17.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SPOOLSV.EXE-282F76A7.pf 7.5.2010 19:56 29.07 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SSPIPES.SCR-151C97BA.pf 6.5.2010 17:36 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SSUPDATE.EXE-074E7904.pf 8.5.2010 16:15 41.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\STARWINDSERVICEAE.EXE-00465506.pf 7.5.2010 19:56 16.97 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\SUPERANTISPYWARE.EXE-28713C90.pf 8.5.2010 16:27 51.41 KB Visible in Windows API, but not in MFT or directory in

[earl]

Takze jeste jednou:

Klepnete na Tento pocitac-Nastroje-Moznosti slozky-Zobrazeni-a odfajfkujte Skryt chranene soubory operacniho systemu a oznacte Zobrazovat skryte soubory a slozky.Po ukonceni vsech procedur stejnou cestou vratte nastaveni zpet.

otestujte na VIRUSTOTALu

C:\Documents and Settings\Borusík\Local Settings\Temp\BKU.exe

C:\Documents and Settings\Kryštof\Local Settings\Temp\jgameenp.sys

u druheho souboru pripadne opravte nazev uctu,pokud jsem jej odhadl chybne.(Kryštof)

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

Stahnete GMER , rozbalte a spustte

probehne sken, po jehoz ukonceni na vas vyskoci vysledky

pote kliknete na Save a ulozite tak log, jehoz obsah sem vlozte

pote dle tohoto navodu

absolvujte druhy sken a opet obsah logu sem.

[chronos_m]

ty dva tu opravdu nejsou nikde vidět (postup jsem si opakovaně kontroloval). Když jsem zkusil projet to HJT, tak mi k tomu jednomu dal poznámku o chybějícím souboru:

O23 - Service: BKU - Unknown owner - C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\BKU.exe (file missing)

GMER jsem zkoušel 2x a pokaždé se okamžitě PC restartoval.

co kdybych to zkusil v nouzovém režimu.

Zkusil jsem ho zkontrolovat ještě přes Rootkit Unhooker.
Výsledek:
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xEB916610
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtDebugActiveProcess
Actual Address 0xEB916C10
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtDuplicateObject
Actual Address 0xEB916730
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtOpenProcess
Actual Address 0xEB9164B0
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtOpenThread
Actual Address 0xEB916570
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtProtectVirtualMemory
Actual Address 0xEB9166D0
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtSetContextThread
Actual Address 0xEB916690
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtSetInformationThread
Actual Address 0xEB916650
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtSetSecurityObject
Actual Address 0xEB9167D0
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtSuspendProcess
Actual Address 0xEB916510
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtSuspendThread
Actual Address 0xEB916590
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtTerminateProcess
Actual Address 0xEB9164D0
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtTerminateThread
Actual Address 0xEB9165D0
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
NtWriteVirtualMemory
Actual Address 0xEB916750
Hooked by: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x86FC62C0

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 336
EPROCESS Address: 0x8598FDA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 444
EPROCESS Address: 0x85996B78

Process: C:\WINDOWS\ATKKBService.exe
Process Id: 496
EPROCESS Address: 0x85977020

Process: C:\Program Files\ESET\ESET Smart Security\ekrn.exe
Process Id: 516
EPROCESS Address: 0x85982950

Process: C:\WINDOWS\system32\FsUsbExService.Exe
Process Id: 548
EPROCESS Address: 0x86182698

Process: C:\WINDOWS\system32\lxducoms.exe
Process Id: 600
EPROCESS Address: 0x859A46E8

Process: C:\WINDOWS\system32\PnkBstrA.exe
Process Id: 628
EPROCESS Address: 0x859826D0

Process: D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
Process Id: 912
EPROCESS Address: 0x85975460

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 940
EPROCESS Address: 0x858E7B78

Process: C:\WINDOWS\system32\searchindexer.exe
Process Id: 980
EPROCESS Address: 0x85907A10

Process: C:\WINDOWS\system32\smss.exe
Process Id: 1132
EPROCESS Address: 0x85F906E8

Process: C:\WINDOWS\explorer.exe
Process Id: 1176
EPROCESS Address: 0x85877738

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 1256
EPROCESS Address: 0x85B48828

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 1292
EPROCESS Address: 0x85F926E8

Process: C:\WINDOWS\system32\services.exe
Process Id: 1348
EPROCESS Address: 0x85EA86E8

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 1368
EPROCESS Address: 0x85EB86E8

Process: C:\WINDOWS\system32\nvsvc32.exe
Process Id: 1516
EPROCESS Address: 0x8615B790

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1540
EPROCESS Address: 0x86170790

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1596
EPROCESS Address: 0x85A79950

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1636
EPROCESS Address: 0x8629A790

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1672
EPROCESS Address: 0x859C5728

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1860
EPROCESS Address: 0x859A9020

Process: C:\WINDOWS\system32\alg.exe
Process Id: 1904
EPROCESS Address: 0x858674B0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1976
EPROCESS Address: 0x859C4600

Process: C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
Process Id: 2544
EPROCESS Address: 0x857D7DA0

Process: C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
Process Id: 2552
EPROCESS Address: 0x857AFB78

Process: C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
Process Id: 2612
EPROCESS Address: 0x857B7DA0

Process: D:\Hry\QuickTime\qttask.exe
Process Id: 2684
EPROCESS Address: 0x8578B6D8

Process: C:\Program Files\Lexmark 5600-6600 Series\lxdumsdmon.exe
Process Id: 2700
EPROCESS Address: 0x8577BDA0

Process: C:\WINDOWS\system32\rundll32.exe
Process Id: 2720
EPROCESS Address: 0x8579D270

Process: C:\WINDOWS\system32\searchfilterhost.exe
Process Id: 2752
EPROCESS Address: 0x857B6020

Process: C:\Program Files\ESET\ESET Smart Security\egui.exe
Process Id: 2760
EPROCESS Address: 0x85780020

Process: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
Process Id: 3108
EPROCESS Address: 0x8575C730

Process: C:\WINDOWS\system32\searchprotocolhost.exe
Process Id: 3400
EPROCESS Address: 0x85631020

Process: C:\WINDOWS\system32\ctfmon.exe
Process Id: 4000
EPROCESS Address: 0x85912AF0

Process: C:\Documents and Settings\Borusík\Plocha\20071210_182632_rku37300509\rku37300509.exe
Process Id: 3416
EPROCESS Address: 0x85591020

==============================================
>Drivers
Driver: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF51BD000
Size: 10276864 bytes

Driver: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBD012000
Size: 6361088 bytes

Driver: C:\WINDOWS\system32\DRIVERS\36444431.sys
Address: 0xEB24C000
Size: 5373952 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2068992 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2068992 bytes

Driver: RAW
Address: 0x804D7000
Size: 2068992 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2068992 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1851392 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1851392 bytes

Driver: C:\WINDOWS\system32\drivers\nvmcp.sys
Address: 0xF33C7000
Size: 921600 bytes

Driver: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0x9C084000
Size: 794624 bytes

Driver: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF5BD6000
Size: 606208 bytes

Driver: Ntfs.sys
Address: 0xF7381000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEB792000
Size: 458752 bytes

Driver: C:\WINDOWS\system32\drivers\nvapu.sys
Address: 0xF34CC000
Size: 413696 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF510F000
Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEB889000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0x9BE45000
Size: 356352 bytes

Driver: C:\WINDOWS\system32\DRIVERS\3644443.sys
Address: 0xEB934000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes

Driver: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0x9BE9C000
Size: 274432 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0x9B673000
Size: 266240 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xF5B8A000
Size: 212992 bytes

Driver: ACPI.sys
Address: 0xF74ED000
Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0x9BF07000
Size: 184320 bytes

Driver: NDIS.sys
Address: 0xF7354000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEB802000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEB84F000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0x9BDCD000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xEB76C000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF34A8000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF5C8D000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF5C6A000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEB82D000
Size: 139264 bytes

Driver: C:\WINDOWS\system32\DRIVERS\epfw.sys
Address: 0x9C062000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806D1000
Size: 131840 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806D1000
Size: 131840 bytes

Driver: fltmgr.sys
Address: 0xF744A000
Size: 131072 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
Address: 0xEB915000
Size: 126976 bytes

Driver: ftdisk.sys
Address: 0xF7482000
Size: 126976 bytes

Driver: prohlp02.sys
Address: 0xF72CF000
Size: 114688 bytes

Driver: Mup.sys
Address: 0xF7277000
Size: 106496 bytes

Driver: atapi.sys
Address: 0xF746A000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEB234000
Size: 98304 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xF5BBE000
Size: 98304 bytes

Driver: pf2anfab.sys
Address: 0xF72B7000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\drivers\SCSIPORT.SYS
Address: 0xF72EB000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF7421000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF517E000
Size: 94208 bytes

Driver: sfvfs02.sys
Address: 0xF733D000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\irda.sys
Address: 0x9BFFC000
Size: 90112 bytes

Driver: ps7anfab.sys
Address: 0xF74B4000
Size: 90112 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0x9B8EA000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF5195000
Size: 81920 bytes

Driver: psdrv02.sys
Address: 0xF7303000
Size: 81920 bytes

Driver: sfdrv01a.sys
Address: 0xF7329000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF51A9000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEB8E2000
Size: 77824 bytes

Driver: pe3agmlb.sys
Address: 0xF7291000
Size: 77824 bytes

Driver: pe3anfab.sys
Address: 0xF72A4000
Size: 77824 bytes

Driver: pssync05.sys
Address: 0xF74A1000
Size: 77824 bytes

Driver: WudfPf.sys
Address: 0xF740E000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
Address: 0xEB877000
Size: 73728 bytes

Driver: ps6agmlb.sys
Address: 0xF74CA000
Size: 73728 bytes

Driver: sfdrv01.sys
Address: 0xF7317000
Size: 73728 bytes

Driver: sr.sys
Address: 0xF7438000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\drivers\nvarm.sys
Address: 0xF33B6000
Size: 69632 bytes

Driver: pci.sys
Address: 0xF74DC000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF516D000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xEEBEA000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF780C000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF782C000
Size: 65536 bytes

Driver: ohci1394.sys
Address: 0xF762C000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF76CC000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\Drivers\Video3D.sys
Address: 0xF784C000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xEEC1A000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF774C000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF781C000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF5CF1000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF778C000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF763C000
Size: 57344 bytes

Driver: C:\WINDOWS\System32\drivers\prodrv06.sys
Address: 0xEEC3A000
Size: 57344 bytes

Driver: 36444432.sys
Address: 0xF769C000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
Address: 0xF77DC000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF768C000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF783C000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\drivers\nvax.sys
Address: 0xF77EC000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF786C000
Size: 53248 bytes

Driver: VolSnap.sys
Address: 0xF766C000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF5D31000
Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
Address: 0xF785C000
Size: 45056 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xEEC4A000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF77FC000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF764C000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF5D41000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF5D01000
Size: 45056 bytes

Driver: isapnp.sys
Address: 0xF761C000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF777C000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF5D11000
Size: 40960 bytes

Driver: disk.sys
Address: 0xF767C000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\FsUsbExDisk.SYS
Address: 0xF76EC000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xEEBFA000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF5D21000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xEEC6A000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF76FC000
Size: 36864 bytes

Driver: sfsync02.sys
Address: 0xF765C000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xEEC2A000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF79EC000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xECAA5000
Size: 32768 bytes

Driver: sfhlp02.sys
Address: 0xF78AC000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF5D9A000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF5D92000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xECABD000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF789C000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xEE790000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF5D82000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF79F4000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xECA85000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xECAB5000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xF791C000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\drivers\atkkbnt.sys
Address: 0xECA95000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xEE798000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\irsir.sys
Address: 0xF5D8A000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xEEE71000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xECAAD000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF78A4000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF79DC000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xF5D7A000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF79E4000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\SAVRKBootTasks.sys
Address: 0xECAC5000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF5D72000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF5DA2000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xEE780000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\ASNDIS5.SYS
Address: 0x9BC89000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Address: 0x9BC5D000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF6865000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF7243000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xF6885000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF6881000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7A2C000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEF88F000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\EIO.sys
Address: 0x9BF84000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xEE709000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\irenum.sys
Address: 0xF687D000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF7237000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF6875000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xEED5B000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xF7247000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7BCE000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B72000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B5C000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7B1C000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B6E000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xEE7D4000
Size: 8192 bytes

Driver: prosync1.sys
Address: 0xF7B22000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7BD6000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\RootMdm.sys
Address: 0xF7B8A000
Size: 8192 bytes

Driver: sfhlp01.sys
Address: 0xF7B20000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7B8C000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7B96000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7B1E000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7C35000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7D63000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C4A000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7BE4000
Size: 4096 bytes

Driver: unknown_irp_handler
Address: 0xE1FF6C30
Size: 976 bytes

Driver: unknown_irp_handler
Address: 0xE102ECB8
Size: 840 bytes

==============================================
>Stealth

Unknown page with executable code
Address: 0x85C4CAB8
Size: 1352

Unknown page with executable code
Address: 0x85C549C6
Size: 1594

Unknown page with executable code
Address: 0x85BC0F53
Size: 173
==============================================
>Files

Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\SLDL\8345ade5-591f-460e-bca5-222024987c92\1c505999-f300-4c61-9240-db0c1768c867::$DATA Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Data aplikací\ESET\ESET Smart Security\Updfiles\continuous\nod2506.nup Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Data aplikací\ESET\ESET Smart Security\Updfiles\oldfiles\em002_32.dat Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Data aplikací\ESET\ESET Smart Security\Updfiles\temp\em002_32.dat Status: Hidden

==============================================
>Hooks

ntkrnlpa.exe+0x0002ABF0, Type: Inline - RelativeJump at address 0x80501BF0 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002ACB4, Type: Inline - RelativeJump at address 0x80501CB4 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AD8C, Type: Inline - RelativeJump at address 0x80501D8C hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002ADA4, Type: Inline - RelativeJump at address 0x80501DA4 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002ADC8, Type: Inline - RelativeJump at address 0x80501DC8 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AEF8, Type: Inline - RelativeJump at address 0x80501EF8 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AF38, Type: Inline - RelativeJump at address 0x80501F38 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AF58, Type: Inline - RelativeJump at address 0x80501F58 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AF98, Type: Inline - RelativeJump at address 0x80501F98 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AFA8, Type: Inline - RelativeJump at address 0x80501FA8 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AFF8, Type: Inline - RelativeJump at address 0x80501FF8 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA8A, Type: Inline - RelativeJump at address 0x80541A8A hook handler located in [ntkrnlpa.exe]
[1176]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[3760]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C9163C3 hook handler located in [firefox.exe]
[516]ekrn.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet at address 0x7C84495D hook handler located in [unknown_code_page]
[980]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[980]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[980]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]

[earl]

pokud jste tak jeste neucinil(a), presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

KillAll::
Collect::
C:\WINDOWS\system32\drivers\36444432.sys
C:\WINDOWS\system32\drivers\3644443.sys
C:\WINDOWS\system32\drivers\36444431.sys
Driver::
36444432
3644443
36444431
Reboot::

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:



po aplikaci by na vas mel vyskocit dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou funkcni konfiguraci

Zkuste GMER v nouzovem rezimu.

Diagnostika pevneho disku (HDD):

Stahnete HDTune,nainstalujte,a na karte Error scan klepnete na start

(ne rychly),vysledek nahlaste.

Taktez nahlaste resume zalozky Status.

[chronos_m]

Combofix počítač restatroval a po chvilce obrazovka zčernala a nešlo dělat nic jiného, než znovu nahodit přes poslední funkční konfiguraci.
Gmer v nouzovém režimu proběhl s následujícími výsledky:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-10 19:50:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\pgdoqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

a druhý test:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 21:21:25
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BORUSK~1\LOCALS~1\Temp\pgdoqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.xreloc C:\WINDOWS\system32\drivers\ps6agmlb.sys unknown last section [0xF764E000, 0x99C, 0x40000040]
.xreloc C:\WINDOWS\system32\drivers\ps7anfab.sys unknown last section [0xF763C000, 0x9F4, 0x40000040]
.xreloc C:\WINDOWS\system32\drivers\pssync05.sys unknown last section [0xF7626000, 0xCA8, 0x40000040]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort5 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1015BF8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\HRY\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x31 0x9A 0x55 0x2A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFE 0xD1 0x90 0x60 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x35 0x94 0xF1 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\HRY\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x31 0x9A 0x55 0x2A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFE 0xD1 0x90 0x60 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x35 0x94 0xF1 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\HRY\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x31 0x9A 0x55 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFE 0xD1 0x90 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x35 0x94 0xF1 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\HRY\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x31 0x9A 0x55 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFE 0xD1 0x90 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x35 0x94 0xF1 0x4C ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{16453F0B-9C0C-163A-BC41-0712BDB71323}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{16453F0B-9C0C-163A-BC41-0712BDB71323}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office12\WINWORD.EXE /Automation
Reg HKLM\SOFTWARE\Classes\CLSID\{16453F0B-9C0C-163A-BC41-0712BDB71323}\LocalServer32@LocalServer32 w_1^VW!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /Automation??84DVn-}f(YR]eAR6.jiWORDFiles>L&rfUmW.cG.e%fI4G}jd /Automation?
Reg HKLM\SOFTWARE\Classes\CLSID\{16453F0B-9C0C-163A-BC41-0712BDB71323}\ProgID@ Word.Application.12
Reg HKLM\SOFTWARE\Classes\CLSID\{16453F0B-9C0C-163A-BC41-0712BDB71323}\VersionIndependentProgID@ Word.Application

---- EOF - GMER 1.0.15 ----



HD tne běžel již v režimu normálním a tady jsou výsledky

Standard : ATA/ATAPI-7 - SATA II
Supported mode : UDMA Mode 6 (Ultra ATA/133)
Current mode : UDMA Mode 6 (Ultra ATA/133)



S.M.A.R.T : yes
48-bit Address : yes
Read Look-Ahead : yes
Write Cache : yes
Host Protected Area : yes
Device Configuration Overlay : yes
Automatic Acoustic Management: no
Power Management : yes
Advanced Power Management : no
Power-up in Standby : no
Security Mode : yes
Firmware Upgradable : yes

Partition : 1
Drive letter : C:\
Label :
Capacity : 60000 MB
Usage : 63.74%
Type : NTFS
Bootable : Yes

Partition : 2
Drive letter : D:\
Label : Data
Capacity : 178472 MB
Usage : 74.16%
Type : NTFS
Bootable : No

Screeny jednotlivých obrazovek jsou v příloze

[earl]

Ok.

Ten log z ComboFixu by nebyl?

Pouzijte MBAM

instalace,uplny sken,vlozit sem log-NIC NEMAZAT!

[chronos_m]

Jelikož ComboFix vůbec nedoběhl, tak list není. ComboFix nejdříve nahlásil rootkit aktivitu a oznámil, že musí restartovat PC, po potvrzrní se restartoval, a po opětovém přihlášení vyskočila hláška CF o virtuálních mechanikách.. Jakmile jsem ji potvrdil, restartoval se počítač okamžitě znova. Po dalším přihlášení spustil CF znovu a během 10s zčernal monitor, zablokovala se klávesnice a musel jsem provést restart s obnovou poslední funkční konfigurace.
MBAM jsem zkoušel mezi prvními a nenašel vůbec nic

[chronos_m]

ještě jsem zkusil znovu CF v nouzovém režimu (bez přesunutí CFScriptu) a konečně proběhl a vytvořil log:
ComboFix 10-05-09.08 - Borusík 12.05.2010 14:39:25.6.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.710 [GMT 2:00]
Spuštěný z: c:\documents and settings\Borusík\Plocha\ComboFix.exe
AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\VB40032.DLL

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-12 do 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-10 17:46 . 2010-05-10 17:47 -------- d-----w- c:\program files\HD Tune
2010-05-09 12:52 . 2010-05-09 12:52 -------- d-----w- c:\program files\VirusTotalUploader2
2010-05-08 17:26 . 2009-06-18 10:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-08 16:41 . 2010-05-08 16:41 -------- d-----w- c:\program files\Sophos
2010-05-08 14:17 . 2010-05-08 14:17 -------- d-----w- c:\program files\ESET
2010-05-08 07:04 . 2009-10-22 11:54 37392 ----a-w- c:\windows\system32\drivers\36444432.sys
2010-05-08 07:04 . 2009-10-09 21:31 315408 ----a-w- c:\windows\system32\drivers\3644443.sys
2010-05-08 07:04 . 2009-09-25 15:59 128016 ----a-w- c:\windows\system32\drivers\36444431.sys
2010-05-08 06:30 . 2010-05-08 06:30 -------- d-----w- c:\program files\trend micro
2010-05-07 20:07 . 2010-05-07 20:07 -------- d-sh--w- c:\documents and settings\Administrator.KLUCI-PC\IETldCache
2010-05-07 19:53 . 2010-05-07 19:53 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-07 17:50 . 2010-05-07 17:50 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-07 17:50 . 2010-05-07 19:52 -------- d-----w- c:\program files\Norton 360
2010-05-07 17:50 . 2010-05-07 17:50 -------- d-----w- c:\program files\Windows Sidebar
2010-05-07 17:49 . 2010-05-07 17:49 -------- d-----w- c:\program files\NortonInstaller
2010-05-07 17:32 . 2010-05-07 17:32 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-05-07 17:31 . 2010-05-07 19:52 -------- d-----w- c:\documents and settings\Administrator\Plocha
2010-05-07 17:31 . 2010-05-07 19:52 -------- d-----w- c:\documents and settings\Administrator\Šablony
2010-05-07 17:31 . 2010-05-07 19:52 -------- d-----w- c:\documents and settings\Administrator\Data aplikací
2010-05-07 17:31 . 2010-05-07 19:52 -------- d-s---w- c:\documents and settings\Administrator
2010-05-04 17:23 . 2010-05-04 17:24 -------- d-----w- c:\program files\Roger Wilco
2010-05-02 17:24 . 2010-05-02 17:24 -------- d-----w- c:\program files\1944 - Bitva v Ardenách

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 13:20 . 2010-03-22 17:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 14:27 . 2008-07-23 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 14:26 . 2009-02-27 14:15 -------- d-----w- c:\program files\Lavasoft
2010-05-04 17:24 . 2007-11-16 18:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 17:23 . 2008-01-25 13:30 -------- d-----w- c:\program files\GameSpy Arcade
2010-05-02 12:08 . 2007-11-16 18:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-29 13:39 . 2010-03-22 17:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-03-22 17:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 13:06 . 2007-11-17 08:43 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-11 12:41 . 2009-05-24 09:17 -------- d-----w- c:\program files\Jarda a Šmarda
2010-04-07 19:08 . 2010-04-07 19:08 55232 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2010-04-07 19:08 . 2010-04-07 19:08 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-04-07 19:08 . 2010-04-07 19:08 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-04-07 19:07 . 2010-04-07 19:07 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-04-07 19:03 . 2010-04-07 19:03 139192 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-03-31 12:31 . 2009-07-16 16:59 -------- d-----w- c:\program files\ICQ6Toolbar
2010-03-31 08:34 . 2010-03-31 08:31 -------- d-----w- c:\program files\ICQ7.1
2010-03-30 05:39 . 2006-03-02 12:00 90546 ----a-w- c:\windows\system32\perfc005.dat
2010-03-30 05:39 . 2006-03-02 12:00 458370 ----a-w- c:\windows\system32\perfh005.dat
2010-03-23 19:21 . 2010-05-07 19:50 175372 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1029.dat
2010-03-21 12:18 . 2010-02-17 19:01 -------- d-----w- c:\program files\Lexmark 5600-6600 Series
2010-03-21 12:09 . 2010-02-17 19:05 -------- d-----w- c:\program files\Lexmark Printable Web
2010-03-13 18:34 . 2007-11-16 18:42 -------- d-----w- c:\program files\Alwil Software
2010-03-10 06:17 . 2006-03-02 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:18 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-03-02 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 08:16 . 2010-02-19 17:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 12:09 . 2006-03-02 12:00 2192128 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:09 . 2004-08-17 15:45 2068992 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-05 15:48 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:35 . 2006-03-02 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-08_13.16.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-08 14:18 . 2010-05-08 14:18 97360 c:\windows\Installer\{10C86109-65BB-4E22-990A-110DC70DE29C}\egui.exe
+ 2010-05-08 14:18 . 2010-05-08 14:18 10134 c:\windows\Installer\{10C86109-65BB-4E22-990A-110DC70DE29C}\callmsi.exe
+ 2010-05-08 14:18 . 2010-05-08 14:18 960512 c:\windows\Installer\38f53.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\\SmartDoctor.exe" [2005-03-24 983040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 131072]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2006-03-02 1667584]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-05-29 676520]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-05-29 16040]
"NPSStartup"="" [BU]
"QuickTime Task"="d:\hry\QuickTime\qttask.exe" [2008-09-04 98304]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-04-07 2145000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\Kryçtof\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Hry\\Team17 Software Ltd\\WormsForts\\wf.exe"=
"d:\\Hry\\UBISOFT\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"d:\\Hry\\Pyro\\Commandos 3 - Destination Berlin\\Commandos3.exe"=
"d:\\Hry\\OpenArena\\ioquake3.x86.exe"=
"d:\\Hry\\5star Gomoku\\Gomoku.exe"=
"d:\\Hry\\FlatOut2\\FlatOut2.exe"=
"d:\\Hry\\Cenega Czech\\Sid Meier's Civilization III Gold\\CIV3PTW\\Civilization3X.exe"=
"d:\\Hry\\Eidos\\Pyro Studios\\Commandos Strike Force\\CommXPC.exe"=
"d:\\Hry\\TrackMania Sunrise\\TmSunrise.exe"=
"d:\\Hry\\UBISOFT\\Prince of Persia\\Prince of Persia.exe"=
"d:\\Hry\\UBISOFT\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=
"d:\\Hry\\EA SPORTS\\UEFA EURO 2008\\EURO08.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"d:\\Hry\\Activision\\Mat Hoffman's Pro BMX\\BMX.exe"=
"d:\\Hry\\THQ\\Pandemic Studios\\Full Spectrum Warrior\\Launcher.exe"=
"d:\\Hry\\Call of Duty\\CoDUOMP.exe"=
"d:\\Hry\\Call of Duty\\CoDMP.exe"=
"d:\\Hry\\UBISOFT\\Gearbox Software\\BrothersInArms\\System\\bia.exe"=
"d:\\Hry\\Microsoft Games\\Age of Empires\\Empires.exe"=
"d:\\Hry\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Hry\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\Hry\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Hry\\UBISOFT\\Shaun White Snowboarding\\ShaunWhiteSnowboardingGame.exe"=
"d:\\Hry\\UBISOFT\\Shaun White Snowboarding\\ShaunWhiteSnowboarding.exe"=
"d:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"d:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"d:\\Hry\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\WINDOWS\\system32\\lxducoms.exe"=
"d:\\Hry\\Tony Hawk's Underground 2\\Game\\THUG2.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=

R0 36444432;36444432 Boot Guard Driver;c:\windows\system32\drivers\36444432.sys [8.5.2010 9:04 37392]
R0 pe3agmlb;Armed Assault Environment Driver (pe3agmlb);c:\windows\system32\drivers\pe3agmlb.sys [4.6.2007 21:01 65408]
R0 pe3anfab;Helldorado Environment Driver (pe3anfab);c:\windows\system32\drivers\pe3anfab.sys [4.10.2007 18:26 64632]
R0 pf2anfab;Helldorado File System Driver (pf2anfab);c:\windows\system32\drivers\pf2anfab.sys [4.10.2007 18:25 83576]
R0 ps6agmlb;Armed Assault Synchronization Driver (ps6agmlb);c:\windows\system32\drivers\ps6agmlb.sys [4.6.2007 21:01 55688]
R0 ps7anfab;Helldorado Synchronization Driver (ps7anfab);c:\windows\system32\drivers\ps7anfab.sys [4.10.2007 18:25 68224]
R0 psdrv02;CD Guard Environment Driver (v2);c:\windows\system32\drivers\psdrv02.sys [11.9.2006 14:01 67960]
R0 pssync05;CD Guard Synchronization Driver (v5);c:\windows\system32\drivers\pssync05.sys [3.11.2006 10:24 61312]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5.7.2006 14:46 63352]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [8.5.2010 19:26 18816]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11.9.2009 17:00 685816]
S1 36444431;36444431;c:\windows\system32\drivers\36444431.sys [8.5.2010 9:04 128016]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7.4.2010 21:07 114984]
S1 setup_9.0.0.722_08.05.2010_09-25drv;setup_9.0.0.722_08.05.2010_09-25drv;c:\windows\system32\drivers\3644443.sys [8.5.2010 9:04 315408]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [7.4.2010 21:07 810120]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [26.12.2009 17:04 233472]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [17.2.2010 21:10 98984]
S2 pr2agmlb;Armed Assault Drivers Auto Removal (pr2agmlb);c:\windows\system32\pr2agmlb.exe svc --> c:\windows\system32\pr2agmlb.exe svc [?]
S2 pr2anfab;Helldorado Drivers Auto Removal (pr2anfab);c:\windows\system32\pr2anfab.exe svc --> c:\windows\system32\pr2anfab.exe svc [?]
S2 psrem02;CD Guard Drivers Auto Removal (v2);c:\windows\system32\psrem02.exe svc --> c:\windows\system32\psrem02.exe svc [?]
S3 BKU;BKU;c:\docume~1\BORUSK~1\LOCALS~1\Temp\BKU.exe --> c:\docume~1\BORUSK~1\LOCALS~1\Temp\BKU.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [26.12.2009 17:04 36608]
S3 FXDRV;FXDRV;\??\j:\fxdrv.sys --> j:\Fxdrv.sys [?]
S3 jgameenp;jgameenp;\??\c:\docume~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\KRYTOF~1\LOCALS~1\Temp\jgameenp.sys [?]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [24.6.2008 10:36 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\78.tmp --> c:\windows\system32\78.tmp [?]
S3 NFZEXS;NFZEXS;c:\docume~1\BORUSK~1\LOCALS~1\Temp\NFZEXS.exe --> c:\docume~1\BORUSK~1\LOCALS~1\Temp\NFZEXS.exe [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10.2.2010 19:11 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10.2.2010 19:11 8320]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [11.2.2010 18:34 32377]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [26.12.2009 17:04 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [26.12.2009 17:04 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [26.12.2009 17:04 121856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
FF - ProfilePath - c:\documents and settings\Borusík\Data aplikací\Mozilla\Firefox\Profiles\e4xsboq6.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.seznam.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\hry\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 14:44
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\78.tmp"
.
Celkový čas: 2010-05-12 14:46:49
ComboFix-quarantined-files.txt 2010-05-12 12:46

Před spuštěním: Volných bajtů: 23 027 888 128
Po spuštění: Volných bajtů: 22 986 072 064

Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 0AC2BC50879E676F8FC72CB50F60129C