
PC virus removal, computer speed-up, remote help via the neslape.cz service
Rootkit - C:\Windows\System32\drivers\rmesth.sys
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved. Likewise those that have been inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
OK, thank you.
I'll come back tomorrow, but only in the evening after work.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
Then get back to me.

Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting the computer
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
OTL log:
OTL logfile created on: 4. 1. 2011 22:55:07 - Run 2
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Users\Saga\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 0000041b | Country: Slovenská republika | Language: SKY | Date Format: d. M. yyyy
2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 79,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 90,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 107,22 Gb Total Space | 6,03 Gb Free Space | 5,62% Space Free | Partition Type: NTFS
Drive D: | 2,00 Gb Total Space | 1,39 Gb Free Space | 69,68% Space Free | Partition Type: NTFS
Computer Name: SAGA-NB | User Name: Saga | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/01/04 22:27:16 | 000,910,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/12/26 19:28:28 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
========== Modules (SafeList) ==========
MOD - [2010/12/26 19:28:28 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
========== Win32 Services (SafeList) ==========
SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Stopped] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/09/20 14:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/09/13 14:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\Windows\System32\stacsv.exe -- (STacSV)
========== Driver Services (SafeList) ==========
DRV - [2010/09/07 16:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 16:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 16:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 16:47:30 | 000,050,768 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/09/07 16:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)
DRV - [2009/07/13 23:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)
DRV - [2009/07/13 23:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/25 15:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 15:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 15:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/01/20 15:36:42 | 001,207,288 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2009/01/20 15:36:12 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2007/09/13 14:46:06 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/06/25 17:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-634317434-1714682173-995488421-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-21-634317434-1714682173-995488421-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 29 10 91 65 2C A5 CB 01 [binary data]
IE - HKU\S-1-5-21-634317434-1714682173-995488421-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: ""
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 7
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..network.proxy.backup.ftp: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "localhost, 127.0.0.1, 192.168.1.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.icq.com/search/afe_result ... id=afex&q="
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/04 22:27:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/04 22:27:42 | 000,000,000 | ---D | M]
[2009/12/22 00:06:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Extensions
[2011/01/04 22:53:09 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions
[2009/12/22 00:06:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/05 17:36:26 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/22 00:06:50 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\firefox@tvunetworks.com
[2010/07/10 23:45:17 | 000,002,393 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\askcom.xml
[2011/01/04 22:38:01 | 000,000,961 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-1.xml
[2008/12/17 12:50:24 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-10.xml
[2009/02/06 22:40:02 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-11.xml
[2009/03/10 21:13:52 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-12.xml
[2009/03/12 00:14:10 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-13.xml
[2009/03/29 22:58:52 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-14.xml
[2009/04/23 08:24:42 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-15.xml
[2009/04/28 18:26:16 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-16.xml
[2009/06/25 22:03:24 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-17.xml
[2009/07/28 15:00:20 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-18.xml
[2007/12/08 19:47:52 | 000,000,951 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-2.xml
[2008/02/09 10:07:02 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-3.xml
[2008/03/10 19:51:12 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-4.xml
[2008/10/09 21:11:36 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-5.xml
[2008/11/13 22:36:38 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-6.xml
[2008/11/14 10:00:00 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-7.xml
[2008/12/12 21:18:26 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-8.xml
[2008/12/12 23:16:18 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-9.xml
[2008/07/10 13:07:28 | 000,000,944 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin.xml
[2009/03/03 20:38:28 | 000,003,915 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\sweetim.xml
[2011/01/04 22:53:16 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/28 11:29:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/05 08:00:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 04:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/01/04 22:27:36 | 000,001,583 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\atlas-sk.xml
[2011/01/04 22:27:36 | 000,001,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\azet-sk.xml
[2011/01/04 22:27:36 | 000,001,479 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dunaj-sk.xml
[2011/01/04 22:27:36 | 000,001,473 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\slovnik-sk.xml
[2011/01/04 22:27:36 | 000,001,104 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-sk.xml
[2011/01/04 22:27:36 | 000,000,830 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zoznam-sk.xml
O1 HOSTS File: ([2010/12/16 22:55:53 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.2 192.168.1.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
========== Files/Folders - Created Within 30 Days ==========
[2011/01/02 19:30:39 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\nye fb
[2011/01/02 19:29:11 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\NYE krk
[2010/12/26 19:28:23 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
[2010/12/22 20:30:04 | 000,000,000 | ---D | C] -- C:\rsit
[2010/12/13 22:45:00 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\Virus Removal Tool1
[2010/12/13 22:37:36 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\bootkit_remover
[2010/12/13 21:08:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/12/13 21:04:12 | 074,815,432 | ---- | C] ( ) -- C:\Users\Saga\Desktop\setup_9.0.0.722_03.09.2010_20-26.exe
[2010/12/12 22:00:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/12 22:00:43 | 000,000,000 | --SD | C] -- C:\beruška.com
[2010/12/12 21:59:43 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/12/12 11:54:53 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\Malwarebytes
[2010/12/12 11:54:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/12 11:54:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/12 11:54:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/12/12 11:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/12 11:51:53 | 007,622,112 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Saga\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/11 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/12/11 22:31:34 | 000,000,000 | ---D | C] -- C:\Users\Saga\Pavark
[2010/12/11 21:13:53 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/12/11 12:32:44 | 000,000,000 | ---D | C] -- C:\Users\Saga\Bluetooth Software
[2010/12/11 12:32:44 | 000,000,000 | ---D | C] -- C:\Users\Saga\Documents\Bluetooth Exchange Folder
[2010/12/11 12:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\WIDCOMM
[2010/12/11 12:24:20 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\Dell
[2010/12/11 12:24:02 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco
[2010/12/11 12:22:05 | 000,991,232 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMLogon.dll
[2010/12/11 12:22:03 | 002,682,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vcredist_x86.exe
[2010/12/11 12:22:03 | 000,018,424 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\bcm42rly.sys
[2010/12/11 12:22:02 | 004,145,152 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmttls.dll
[2010/12/11 12:22:02 | 000,286,720 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmwlu00.exe
[2010/12/11 12:22:01 | 006,369,280 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMWLCPL.CPL
[2010/12/11 12:22:01 | 000,065,536 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\wltrynt.dll
[2010/12/11 12:22:00 | 000,163,840 | ---- | C] (Broadcom Corp.) -- C:\Windows\System32\bcmwlapi.dll
[2010/12/11 12:21:59 | 003,829,760 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmihvsrv.dll
[2010/12/11 12:21:59 | 003,489,792 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmihvui.dll
[2010/12/11 12:21:59 | 001,207,288 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\BCMWL6.SYS
[2010/12/11 12:21:59 | 000,087,328 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\bcmwlcoi.dll
[2010/12/11 12:21:58 | 000,000,000 | ---D | C] -- C:\Program Files\Dell
[2010/12/11 12:21:37 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\InstallShield
[2010/12/11 09:01:03 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/12/11 08:58:40 | 000,017,744 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/12/11 08:58:39 | 000,165,584 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/12/11 08:58:38 | 000,023,376 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/12/11 08:58:36 | 000,046,672 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/12/11 08:58:34 | 000,050,768 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/12/11 08:58:21 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/12/11 08:58:20 | 000,167,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/01/04 22:49:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/04 22:49:46 | 1609,072,640 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/04 22:32:27 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/04 22:32:27 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/02 22:03:08 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/26 19:28:28 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
[2010/12/22 20:29:48 | 000,339,991 | ---- | M] () -- C:\Users\Saga\Desktop\RSIT.exe
[2010/12/22 19:34:47 | 000,015,082 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] Home Alone 2 [DVDRip][Eng][1992][BugzBunny].torrent
[2010/12/22 01:16:06 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/22 01:16:06 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/12/19 10:54:15 | 000,014,870 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] Eat Pray Love.2010.R5.LiNE.Xvid {1337x}-Noir.torrent
[2010/12/19 10:39:56 | 000,016,646 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] INGLORIOUS BASTARDS 2009_DVDRIP_KNIGHT RIDERS RELEASE_XVID.avi.torrent
[2010/12/16 22:55:53 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2010/12/16 22:42:12 | 000,157,030 | ---- | M] () -- C:\Users\Saga\Desktop\Bez názvu.png
[2010/12/13 22:43:33 | 000,039,605 | ---- | M] () -- C:\Users\Saga\Desktop\bootkit_remover.rar
[2010/12/13 21:07:09 | 074,815,432 | ---- | M] ( ) -- C:\Users\Saga\Desktop\setup_9.0.0.722_03.09.2010_20-26.exe
[2010/12/13 19:12:28 | 353,628,845 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/12/12 21:59:33 | 003,988,679 | R--- | M] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 11:52:11 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Saga\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/11 22:30:28 | 000,311,591 | ---- | M] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:26 | 001,372,818 | ---- | M] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:16 | 000,014,529 | ---- | M] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 12:27:54 | 046,149,072 | ---- | M] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:22:54 | 000,772,936 | ---- | M] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:20:14 | 060,833,624 | ---- | M] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 08:58:41 | 000,002,005 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:58:34 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/12/11 08:54:41 | 052,150,856 | ---- | M] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/12/22 20:29:45 | 000,339,991 | ---- | C] () -- C:\Users\Saga\Desktop\RSIT.exe
[2010/12/22 19:34:41 | 000,015,082 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] Home Alone 2 [DVDRip][Eng][1992][BugzBunny].torrent
[2010/12/19 10:54:14 | 000,014,870 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] Eat Pray Love.2010.R5.LiNE.Xvid {1337x}-Noir.torrent
[2010/12/19 10:39:52 | 000,016,646 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] INGLORIOUS BASTARDS 2009_DVDRIP_KNIGHT RIDERS RELEASE_XVID.avi.torrent
[2010/12/16 22:42:11 | 000,157,030 | ---- | C] () -- C:\Users\Saga\Desktop\Bez názvu.png
[2010/12/13 22:37:30 | 000,039,605 | ---- | C] () -- C:\Users\Saga\Desktop\bootkit_remover.rar
[2010/12/12 22:15:57 | 353,628,845 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/12 21:59:01 | 003,988,679 | R--- | C] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 11:54:45 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/12 11:21:58 | 000,000,392 | ---- | C] () -- C:\Program Files\lvzqx.txt
[2010/12/11 22:30:24 | 000,311,591 | ---- | C] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:25 | 001,372,818 | ---- | C] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:13 | 000,014,529 | ---- | C] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 12:26:54 | 046,149,072 | ---- | C] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:23:18 | 000,772,936 | ---- | C] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:22:03 | 000,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2010/12/11 12:22:03 | 000,000,416 | ---- | C] () -- C:\Windows\System32\vcredist_x86.bat
[2010/12/11 12:22:02 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2010/12/11 12:22:00 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2010/12/11 12:13:36 | 060,833,624 | ---- | C] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 08:58:41 | 000,002,005 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:54:02 | 052,150,856 | ---- | C] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[2010/12/04 08:31:10 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
[2010/07/12 16:49:04 | 000,000,100 | ---- | C] () -- C:\Windows\System32\prsgrc.dll
[2010/07/12 16:45:45 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll
[2010/07/12 16:45:45 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll
[2010/07/04 21:43:22 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/07/04 20:50:31 | 000,000,225 | ---- | C] () -- C:\Users\Saga\AppData\Roaming\burnaware.ini
[2009/12/23 18:39:40 | 000,010,240 | ---- | C] () -- C:\Users\Saga\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/14 00:36:08 | 000,193,024 | ---- | C] () -- C:\Windows\System32\sppcomapi.dll
[2009/07/14 00:24:44 | 000,003,584 | ---- | C] () -- C:\Windows\System32\kb.dll
========== LOP Check ==========
[2010/12/23 00:52:36 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\BitTorrent
[2010/07/04 21:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Canneverbe Limited
[2010/12/11 10:15:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\COWON
[2010/10/27 08:13:43 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\ICQ
[2010/01/12 11:25:04 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\OpenOffice.org
[2009/12/22 18:55:44 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\TeamViewer
[2010/08/25 07:49:31 | 000,032,548 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Custom Scans ==========
< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
< c:\windows\*.* /U >
< %SYSTEMDRIVE%\*.exe >
< %ALLUSERSPROFILE%\Application Data\*. >
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
< %APPDATA%\*. >
[2010/01/18 11:22:28 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Adobe
[2010/12/23 00:52:36 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\BitTorrent
[2010/07/04 21:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Canneverbe Limited
[2010/12/11 10:15:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\COWON
[2010/12/11 12:24:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Dell
[2009/12/22 21:53:16 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Digsby
[2010/05/18 18:30:38 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\dvdcss
[2010/10/27 08:13:43 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\ICQ
[2009/12/21 23:57:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Identities
[2010/12/11 12:21:37 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\InstallShield
[2009/12/22 18:11:58 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Macromedia
[2010/12/12 11:54:53 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Malwarebytes
[2009/07/14 08:49:10 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Media Center Programs
[2010/12/04 19:09:44 | 000,000,000 | --SD | M] -- C:\Users\Saga\AppData\Roaming\Microsoft
[2009/12/22 00:06:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Mozilla
[2010/01/12 11:25:04 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\OpenOffice.org
[2010/12/10 20:56:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Skype
[2010/12/10 18:49:15 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\skypePM
[2009/12/22 18:55:44 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\TeamViewer
[2010/12/27 22:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\vlc
[2009/12/22 23:07:12 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\WinRAR
< %APPDATA%\*.exe /s >
< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
< MD5 for: CDROM.SYS >
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\System32\drivers\cdrom.sys
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_db87d184bc84f910\cdrom.sys
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\winsxs\x86_cdrom.inf_31bf3856ad364e35_6.1.7600.16385_none_5f7fb206051affbb\cdrom.sys
< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
< MD5 for: CRYPTSVC.DLL >
[2009/07/14 02:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\System32\cryptsvc.dll
[2009/07/14 02:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16385_none_75d5ef87fc22e35a\cryptsvc.dll
< MD5 for: EXPLORER.EXE >
[2009/07/14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=6CE102617EE8D83DE17A6FDE1554560C -- C:\Windows\explorer.exe
[2009/08/03 06:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009/08/03 06:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
< MD5 for: HAL.DLL >
[2009/07/14 02:20:28 | 000,194,640 | ---- | M] (Microsoft Corporation) MD5=9A557EAE64ABAB3BA67A9BB035D24CB9 -- C:\Windows\System32\hal.dll
[2009/07/14 02:20:28 | 000,194,640 | ---- | M] (Microsoft Corporation) MD5=9A557EAE64ABAB3BA67A9BB035D24CB9 -- C:\Windows\winsxs\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_aaff48c7bafdccc6\hal.dll
< MD5 for: IASTORV.SYS >
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
< MD5 for: ISAPNP.SYS >
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\System32\drivers\isapnp.sys
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\isapnp.sys
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\isapnp.sys
< MD5 for: LSASS.EXE >
[2009/07/14 02:14:23 | 000,022,528 | ---- | M] (Microsoft Corporation) MD5=F42309C4191C506B71DB5D1126D26318 -- C:\Windows\System32\lsass.exe
[2009/07/14 02:14:23 | 000,022,528 | ---- | M] (Microsoft Corporation) MD5=F42309C4191C506B71DB5D1126D26318 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.16385_none_a620e0e5be1ecda7\lsass.exe
< MD5 for: NDIS.SYS >
[2009/07/14 02:20:44 | 000,710,720 | ---- | M] (Microsoft Corporation) MD5=23759D175A0A9BAAF04D05047BC135A8 -- C:\Windows\System32\drivers\ndis.sys
[2009/07/14 02:20:44 | 000,710,720 | ---- | M] (Microsoft Corporation) MD5=23759D175A0A9BAAF04D05047BC135A8 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_a79d81ea7d62a289\ndis.sys
< MD5 for: NETLOGON.DLL >
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll
< MD5 for: NVRAID.SYS >
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\drivers\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvraid.sys
< MD5 for: NVSTOR.SYS >
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
< MD5 for: SMSS.EXE >
[2009/07/14 02:14:39 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=16742790895960690237A5143CEDEC8B -- C:\Windows\System32\smss.exe
[2009/07/14 02:14:39 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=16742790895960690237A5143CEDEC8B -- C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_ac10fe207a85352b\smss.exe
< MD5 for: SVCHOST.EXE >
[2009/07/14 02:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/14 02:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
< MD5 for: TCPIP.SYS >
[2009/07/14 02:19:10 | 001,285,712 | ---- | M] (Microsoft Corporation) MD5=2CC3D75488ABD3EC628BBB9A4FC84EFC -- C:\Windows\System32\drivers\tcpip.sys
[2009/07/14 02:19:10 | 001,285,712 | ---- | M] (Microsoft Corporation) MD5=2CC3D75488ABD3EC628BBB9A4FC84EFC -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_b2f46875c7b9d667\tcpip.sys
< MD5 for: USERINIT.EXE >
[2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
< MD5 for: WINLOGON.EXE >
[2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009/07/14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
< MD5 for: WS2_32.DLL >
[2009/07/14 02:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll
[2009/07/14 02:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_f28e06e62fa99b35\ws2_32.dll
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 02:16:17 | 000,003,584 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\kb.dll
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\System32\config\*.sav >
< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 02:16:17 | 000,003,584 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\kb.dll
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >
< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WUAUSERV
IMAGEPATH REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs
< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BITS
IMAGEPATH REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
< %systemroot%\system32\drivers\*.sys /3 >
< %systemroot%\system32\*.* /3 >
[2011/01/04 22:32:27 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/04 22:32:27 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/04 22:32:27 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
< End of report >
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/01/04 22:49:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/04 22:49:46 | 1609,072,640 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/04 22:32:27 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/04 22:32:27 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/02 22:03:08 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/26 19:28:28 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
[2010/12/22 20:29:48 | 000,339,991 | ---- | M] () -- C:\Users\Saga\Desktop\RSIT.exe
[2010/12/22 19:34:47 | 000,015,082 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] Home Alone 2 [DVDRip][Eng][1992][BugzBunny].torrent
[2010/12/22 01:16:06 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/22 01:16:06 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/12/19 10:54:15 | 000,014,870 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] Eat Pray Love.2010.R5.LiNE.Xvid {1337x}-Noir.torrent
[2010/12/19 10:39:56 | 000,016,646 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] INGLORIOUS BASTARDS 2009_DVDRIP_KNIGHT RIDERS RELEASE_XVID.avi.torrent
[2010/12/16 22:55:53 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2010/12/16 22:42:12 | 000,157,030 | ---- | M] () -- C:\Users\Saga\Desktop\Bez názvu.png
[2010/12/13 22:43:33 | 000,039,605 | ---- | M] () -- C:\Users\Saga\Desktop\bootkit_remover.rar
[2010/12/13 21:07:09 | 074,815,432 | ---- | M] ( ) -- C:\Users\Saga\Desktop\setup_9.0.0.722_03.09.2010_20-26.exe
[2010/12/13 19:12:28 | 353,628,845 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/12/12 21:59:33 | 003,988,679 | R--- | M] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 11:52:11 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Saga\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/11 22:30:28 | 000,311,591 | ---- | M] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:26 | 001,372,818 | ---- | M] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:16 | 000,014,529 | ---- | M] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 12:27:54 | 046,149,072 | ---- | M] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:22:54 | 000,772,936 | ---- | M] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:20:14 | 060,833,624 | ---- | M] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 08:58:41 | 000,002,005 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:58:34 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/12/11 08:54:41 | 052,150,856 | ---- | M] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/12/22 20:29:45 | 000,339,991 | ---- | C] () -- C:\Users\Saga\Desktop\RSIT.exe
[2010/12/22 19:34:41 | 000,015,082 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] Home Alone 2 [DVDRip][Eng][1992][BugzBunny].torrent
[2010/12/19 10:54:14 | 000,014,870 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] Eat Pray Love.2010.R5.LiNE.Xvid {1337x}-Noir.torrent
[2010/12/19 10:39:52 | 000,016,646 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] INGLORIOUS BASTARDS 2009_DVDRIP_KNIGHT RIDERS RELEASE_XVID.avi.torrent
[2010/12/16 22:42:11 | 000,157,030 | ---- | C] () -- C:\Users\Saga\Desktop\Bez názvu.png
[2010/12/13 22:37:30 | 000,039,605 | ---- | C] () -- C:\Users\Saga\Desktop\bootkit_remover.rar
[2010/12/12 22:15:57 | 353,628,845 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/12 21:59:01 | 003,988,679 | R--- | C] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 11:54:45 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/12 11:21:58 | 000,000,392 | ---- | C] () -- C:\Program Files\lvzqx.txt
[2010/12/11 22:30:24 | 000,311,591 | ---- | C] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:25 | 001,372,818 | ---- | C] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:13 | 000,014,529 | ---- | C] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 12:26:54 | 046,149,072 | ---- | C] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:23:18 | 000,772,936 | ---- | C] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:22:03 | 000,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2010/12/11 12:22:03 | 000,000,416 | ---- | C] () -- C:\Windows\System32\vcredist_x86.bat
[2010/12/11 12:22:02 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2010/12/11 12:22:00 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2010/12/11 12:13:36 | 060,833,624 | ---- | C] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 08:58:41 | 000,002,005 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:54:02 | 052,150,856 | ---- | C] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[2010/12/04 08:31:10 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
[2010/07/12 16:49:04 | 000,000,100 | ---- | C] () -- C:\Windows\System32\prsgrc.dll
[2010/07/12 16:45:45 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll
[2010/07/12 16:45:45 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll
[2010/07/04 21:43:22 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/07/04 20:50:31 | 000,000,225 | ---- | C] () -- C:\Users\Saga\AppData\Roaming\burnaware.ini
[2009/12/23 18:39:40 | 000,010,240 | ---- | C] () -- C:\Users\Saga\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/14 00:36:08 | 000,193,024 | ---- | C] () -- C:\Windows\System32\sppcomapi.dll
[2009/07/14 00:24:44 | 000,003,584 | ---- | C] () -- C:\Windows\System32\kb.dll
========== LOP Check ==========
[2010/12/23 00:52:36 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\BitTorrent
[2010/07/04 21:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Canneverbe Limited
[2010/12/11 10:15:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\COWON
[2010/10/27 08:13:43 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\ICQ
[2010/01/12 11:25:04 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\OpenOffice.org
[2009/12/22 18:55:44 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\TeamViewer
[2010/08/25 07:49:31 | 000,032,548 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Custom Scans ==========
< HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >
< c:\windows\*.* /U >
< %SYSTEMDRIVE%\*.exe >
< %ALLUSERSPROFILE%\Application Data\*. >
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
< %APPDATA%\*. >
[2010/01/18 11:22:28 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Adobe
[2010/12/23 00:52:36 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\BitTorrent
[2010/07/04 21:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Canneverbe Limited
[2010/12/11 10:15:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\COWON
[2010/12/11 12:24:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Dell
[2009/12/22 21:53:16 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Digsby
[2010/05/18 18:30:38 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\dvdcss
[2010/10/27 08:13:43 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\ICQ
[2009/12/21 23:57:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Identities
[2010/12/11 12:21:37 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\InstallShield
[2009/12/22 18:11:58 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Macromedia
[2010/12/12 11:54:53 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Malwarebytes
[2009/07/14 08:49:10 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Media Center Programs
[2010/12/04 19:09:44 | 000,000,000 | --SD | M] -- C:\Users\Saga\AppData\Roaming\Microsoft
[2009/12/22 00:06:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Mozilla
[2010/01/12 11:25:04 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\OpenOffice.org
[2010/12/10 20:56:07 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\Skype
[2010/12/10 18:49:15 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\skypePM
[2009/12/22 18:55:44 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\TeamViewer
[2010/12/27 22:43:46 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\vlc
[2009/12/22 23:07:12 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\WinRAR
< %APPDATA%\*.exe /s >
< MD5 for: AGP440.SYS >
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
< MD5 for: ATAPI.SYS >
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
< MD5 for: CDROM.SYS >
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\System32\drivers\cdrom.sys
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_db87d184bc84f910\cdrom.sys
[2009/07/14 00:11:26 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=BA6E70AA0E6091BC39DE29477D866A77 -- C:\Windows\winsxs\x86_cdrom.inf_31bf3856ad364e35_6.1.7600.16385_none_5f7fb206051affbb\cdrom.sys
< MD5 for: CNGAUDIT.DLL >
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
< MD5 for: CRYPTSVC.DLL >
[2009/07/14 02:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\System32\cryptsvc.dll
[2009/07/14 02:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16385_none_75d5ef87fc22e35a\cryptsvc.dll
< MD5 for: EXPLORER.EXE >
[2009/07/14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=6CE102617EE8D83DE17A6FDE1554560C -- C:\Windows\explorer.exe
[2009/08/03 06:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009/08/03 06:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
< MD5 for: HAL.DLL >
[2009/07/14 02:20:28 | 000,194,640 | ---- | M] (Microsoft Corporation) MD5=9A557EAE64ABAB3BA67A9BB035D24CB9 -- C:\Windows\System32\hal.dll
[2009/07/14 02:20:28 | 000,194,640 | ---- | M] (Microsoft Corporation) MD5=9A557EAE64ABAB3BA67A9BB035D24CB9 -- C:\Windows\winsxs\x86_microsoft-windows-hal_31bf3856ad364e35_6.1.7600.16385_none_aaff48c7bafdccc6\hal.dll
< MD5 for: IASTORV.SYS >
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
< MD5 for: ISAPNP.SYS >
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\System32\drivers\isapnp.sys
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\isapnp.sys
[2009/07/14 02:20:36 | 000,046,656 | ---- | M] (Microsoft Corporation) MD5=1F32BB6B38F62F7DF1A7AB7292638A35 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\isapnp.sys
< MD5 for: LSASS.EXE >
[2009/07/14 02:14:23 | 000,022,528 | ---- | M] (Microsoft Corporation) MD5=F42309C4191C506B71DB5D1126D26318 -- C:\Windows\System32\lsass.exe
[2009/07/14 02:14:23 | 000,022,528 | ---- | M] (Microsoft Corporation) MD5=F42309C4191C506B71DB5D1126D26318 -- C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.16385_none_a620e0e5be1ecda7\lsass.exe
< MD5 for: NDIS.SYS >
[2009/07/14 02:20:44 | 000,710,720 | ---- | M] (Microsoft Corporation) MD5=23759D175A0A9BAAF04D05047BC135A8 -- C:\Windows\System32\drivers\ndis.sys
[2009/07/14 02:20:44 | 000,710,720 | ---- | M] (Microsoft Corporation) MD5=23759D175A0A9BAAF04D05047BC135A8 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_a79d81ea7d62a289\ndis.sys
< MD5 for: NETLOGON.DLL >
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll
< MD5 for: NVRAID.SYS >
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\drivers\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvraid.sys
[2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) MD5=3F3D04B1D08D43C16EA7963954EC768D -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvraid.sys
< MD5 for: NVSTOR.SYS >
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
< MD5 for: SCECLI.DLL >
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
< MD5 for: SMSS.EXE >
[2009/07/14 02:14:39 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=16742790895960690237A5143CEDEC8B -- C:\Windows\System32\smss.exe
[2009/07/14 02:14:39 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=16742790895960690237A5143CEDEC8B -- C:\Windows\winsxs\x86_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_ac10fe207a85352b\smss.exe
< MD5 for: SVCHOST.EXE >
[2009/07/14 02:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/14 02:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
< MD5 for: TCPIP.SYS >
[2009/07/14 02:19:10 | 001,285,712 | ---- | M] (Microsoft Corporation) MD5=2CC3D75488ABD3EC628BBB9A4FC84EFC -- C:\Windows\System32\drivers\tcpip.sys
[2009/07/14 02:19:10 | 001,285,712 | ---- | M] (Microsoft Corporation) MD5=2CC3D75488ABD3EC628BBB9A4FC84EFC -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_b2f46875c7b9d667\tcpip.sys
< MD5 for: USERINIT.EXE >
[2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009/07/14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
< MD5 for: WINLOGON.EXE >
[2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009/10/28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009/07/14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
< MD5 for: WS2_32.DLL >
[2009/07/14 02:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\System32\ws2_32.dll
[2009/07/14 02:16:20 | 000,206,336 | ---- | M] (Microsoft Corporation) MD5=DAAE8A9B8C0ACC7F858454132553C30D -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_f28e06e62fa99b35\ws2_32.dll
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 02:16:17 | 000,003,584 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\kb.dll
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
< %systemroot%\Tasks\*.job /lockedfiles >
< %systemroot%\system32\drivers\*.sys /lockedfiles >
< %systemroot%\System32\config\*.sav >
< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/14 02:16:17 | 000,003,584 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\kb.dll
[2009/07/14 02:16:15 | 000,193,024 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\sppcomapi.dll
< reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c >
< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WUAUSERV
IMAGEPATH REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs
< reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c >
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BITS
IMAGEPATH REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
< %systemroot%\system32\drivers\*.sys /3 >
< %systemroot%\system32\*.* /3 >
[2011/01/04 22:32:27 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/04 22:32:27 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/04 22:32:27 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
< End of report >
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
Did AVPtool delete or repair anything?
Please test at www.virustotal.com:
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
We'll replace it tomorrow, I'm off to bed now.

Do not use COMBOFIX without an advisor's recommendation; it can damage the system!
Always back up your important data before cleaning the computer of viruses.
Want to support our forum? Information here

I can be reached mostly at night, between 21:00 and 23:00.
If you have any questions, you can write to me at Motji(zavináč)forum.viry.cz.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
I'm just running a scan with GMER, but I can't stay up much longer,
so I'll post it here tomorrow, probably around this time in the evening, because right now I have to deal with a radiator that isn't heating.
Otherwise it looks like even Kaspersky didn't remove it.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
I'll replace that explorer for you; what's worse is that OTL didn't detect the infected one, so now we'll be looking for a clean one, an infected one and so on.
I'm usually here in the evening, roughly between 21:00 and 23:00.

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-05 07:23:17
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1237GSX rev.DL140D
Running: gmer.exe; Driver: C:\Users\Saga\AppData\Local\Temp\kxrdypow.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 820975C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 820BC052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!closesocket 758F3BED 5 Bytes JMP 000660E7
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!recv 758F47DF 5 Bytes JMP 00065CE2
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!WSASend 758F68A7 5 Bytes JMP 00065DBD
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!WSARecv 758FC29F 5 Bytes JMP 00065E6C
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!send 758FC4C8 5 Bytes JMP 00065C6F
.text C:\Program Files\Mozilla Firefox\firefox.exe[340] WS2_32.dll!gethostbyname 75907133 5 Bytes JMP 000663C8
.text C:\Windows\Explorer.EXE[1364] Explorer.EXE 005F317E 2 Bytes [0C, 16] {OR AL, 0x16}
.text C:\Windows\Explorer.EXE[1364] Explorer.EXE 005F3190 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text C:\Windows\Explorer.EXE[1364] kernel32.dll!CreateProcessInternalW 75FB42CE 5 Bytes JMP 00137207
.text C:\Windows\explorer.exe[1656] explorer.exe 005F317E 2 Bytes [0C, 16] {OR AL, 0x16}
.text C:\Windows\explorer.exe[1656] explorer.exe 005F3190 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text C:\Windows\explorer.exe[1656] kernel32.dll!CreateProcessInternalW 75FB42CE 5 Bytes JMP 001C7207
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \FileSystem\fastfat \Fat 92C90130
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00197ed91eec
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00197ed91eec (not active ControlSet)
---- EOF - GMER 1.0.15 ----
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
Here is the first scan via GMER as well:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-05 19:39:30
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1237GSX rev.DL140D
Running: gmer.exe; Driver: C:\Users\Saga\AppData\Local\Temp\kxrdypow.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D8C5BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8D8C59D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8D8C5B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
Does it matter that the first one I posted here was done yesterday, and this one today?
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
It doesn't matter, the GMER logs are OK.
Download SystemLook
http://jpshortstuff.247fixes.com/SystemLook.exe
- save it to the desktop and run it.
- copy the following into the box:
Code:
:filefind
explorer.exe
- click Look; a scan will run and at the end a log is displayed, whose contents you paste here.
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before cleaning a computer
Want to support our forum? Information here

I am mostly available at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
I had those two files tested on VirusTotal but it found nothing.
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
SystemLook 04.09.10 by jpshortstuff
Log created at 20:00 on 05/01/2011 by Saga
Administrator - Elevation successful
========== filefind ==========
Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [05:45 31/10/2009] 6CE102617EE8D83DE17A6FDE1554560C
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe --a---- 2613248 bytes [23:41 13/07/2009] [01:14 14/07/2009] 15BC38A7492BEFE831966ADB477CF76F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe --a---- 2613248 bytes [16:05 22/12/2009] [05:35 03/08/2009] B95EEB0F4E5EFBF1038A35B3351CF047
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe --a---- 2613248 bytes [16:05 22/12/2009] [05:49 03/08/2009] 9FF6C4C91A3711C0A3B18F87B08B518D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [06:00 31/10/2009] C76153C7ECA00FA852BB0C193378F917
-= EOF =-
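The helper's doubt about the two files can be checked mechanically from the SystemLook output above: the live C:\Windows\explorer.exe has the same size and timestamps as the 6.1.7600.16450 copy in WinSxS, yet a different MD5. The following is an added example, not code from the thread or from SystemLook; it assumes the :filefind line layout shown in the log (path, attributes, size, two bracketed timestamps, MD5) and uses three lines copied from the log above as its input.

```python
import re

# Constructed sample input in the layout of SystemLook's :filefind output; the three
# result lines are copied from the log above (the live file plus two WinSxS copies).
SAMPLE_LOG = r"""
========== filefind ==========
Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [05:45 31/10/2009] 6CE102617EE8D83DE17A6FDE1554560C
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe --a---- 2614272 bytes [18:01 27/01/2010] [06:00 31/10/2009] C76153C7ECA00FA852BB0C193378F917
-= EOF =-
"""

# Assumed result-line layout: <path> <attributes> <size> bytes [<ts>] [<ts>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per result line; header, 'Searching for' and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def check_against_winsxs(entries):
    """Compare each live (non-WinSxS) file with component-store copies that have the
    same size and the same two timestamps. Equal size and dates but a different MD5 is
    the pattern of a binary patched in place with its timestamps preserved."""
    is_store = lambda e: "\\winsxs\\" in e["path"].lower()
    store = [e for e in entries if is_store(e)]
    verdicts = {}  # live path -> (verdict, MD5s of the matching store copies)
    for e in entries:
        if is_store(e):
            continue
        key = (e["size"], e["ts1"], e["ts2"])
        refs = [s["md5"] for s in store if (s["size"], s["ts1"], s["ts2"]) == key]
        if not refs:
            verdicts[e["path"]] = ("no_reference", refs)  # nothing to compare against
        elif e["md5"] in refs:
            verdicts[e["path"]] = ("match", refs)
        else:
            verdicts[e["path"]] = ("mismatch", refs)  # same size/dates, different content
    return verdicts
```

Run on the sample, the live explorer.exe comes back as a mismatch against the 16450 store copy, which is the signal worth sending the file for a second opinion on.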
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
Could you please also test these two files for me? Something seems off to me

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
Which files?
The ones you wrote about above I have already tested, nothing was found... or some other ones?
Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys
The ones I wrote about above.. I probably overlooked that you had written that.
Thank you, give me a few minutes, I am going to put together a script for the replacement
