VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

AVAST hlasi Win32:Rootkit-gen

https://forum.viry.cz:443/viewtopic.php?t=117222

Stránka 2 z 2

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 00:15
od Stuler
Log z ComboFixu:


ComboFix 11-11-21.01 - Administrator . 11. 2011 23:46:44.3.2 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2046.1618 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Dokumenty\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Golden\Golden.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\CSC\d6
c:\windows\daemon.dll
c:\windows\iun6002.exe
c:\windows\msmqinst.log
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\ReadMe.txt
c:\windows\system32\uninstall.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GUPDATE
-------\Service_gupdate
-------\Service_gupdatem
.
.
((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-24 14:44 . 2011-11-24 14:44 -------- d-----w- C:\$WINDOWS.~BT
2011-11-23 15:10 . 2011-11-23 15:10 -------- d-----w- c:\program files\MH AeroTools
2011-11-22 20:04 . 2011-11-22 20:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-22 09:36 . 2011-11-22 20:03 -------- d-----w- c:\program files\ProfiliProV2
2011-11-22 09:35 . 2011-11-22 20:32 -------- d-----w- c:\program files\ProfiliXTV2
2011-11-22 09:34 . 2011-11-22 09:34 -------- d-----w- c:\program files\ProfiliV2
2011-11-22 07:26 . 2011-11-22 07:26 -------- d-----w- c:\program files\Glauert III
2011-11-21 19:37 . 2011-11-21 19:37 -------- d-----w- C:\rsit
2011-11-21 17:41 . 2011-11-22 20:06 -------- d-----w- c:\documents and settings\Administrator
2011-11-18 16:11 . 2011-11-18 16:13 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alias
2011-11-17 16:44 . 2011-11-17 16:46 -------- d-----w- c:\program files\Maple 14
2011-11-17 16:44 . 2011-11-17 16:44 -------- d--h--w- c:\program files\Zero G Registry
2011-11-17 15:26 . 2011-11-17 15:26 -------- d-----w- c:\program files\Mathcad
2011-11-16 14:25 . 2011-11-21 17:07 -------- d-----w- c:\program files\Mozilla Sunbird
2011-11-05 20:07 . 2011-11-05 20:07 -------- d-----w- c:\program files\UsbMac
2011-11-01 11:47 . 2011-11-03 07:39 -------- d-----w- c:\program files\Freeciv-2.3.0-gtk2
2011-10-26 18:20 . 2011-10-26 18:20 -------- d-----w- c:\program files\Digiarty
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 20:33 . 2011-06-07 05:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 11:58 . 2011-10-25 11:58 532480 ----a-w- c:\windows\system32\360 GEnx (1280).scr
2011-10-10 14:22 . 2008-08-08 12:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 03:06 . 2011-06-09 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 00:37 . 2008-08-19 20:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2001-10-25 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2001-10-25 12:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2001-10-25 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 20:45 . 2011-06-07 05:21 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38 . 2011-06-07 05:21 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2008-08-12 15:00 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2008-08-12 15:00 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2008-08-12 15:00 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2008-08-12 15:00 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2008-08-12 15:00 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2008-08-12 15:00 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2008-08-12 15:00 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 14:10 . 2001-10-25 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 11:24 . 2011-05-19 18:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-21_22.54.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 16:54 . 2011-11-22 20:07 74272 c:\windows\system32\Restore\rstrlog.dat
+ 2011-11-23 15:11 . 2011-11-23 15:11 10134 c:\windows\Installer\{927DE518-731B-46BC-A39D-BB277153949E}\_A0CF6261FCAF8910DAE9D8.exe
+ 2011-11-23 15:11 . 2011-11-23 15:11 10134 c:\windows\Installer\{927DE518-731B-46BC-A39D-BB277153949E}\_2F73B7755298C3D9946047.exe
+ 2011-11-23 15:10 . 2011-11-23 15:10 160256 c:\windows\Installer\6f1e7.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"nwiz"="nwiz.exe" [2009-04-30 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
SketchBook Snapshot.lnk - c:\program files\Autodesk\SketchBookPro2011\SketchBookSnapshot.exe [2010-9-8 721408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" -lang 1033
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Hry\\AGE OF EMPIRES 2\\empires2.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\CAD\\ProE\\i486_nt\\nms\\nmsd.exe"=
"c:\\CAD\\ProE\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\CAD\\ProE\\i486_nt\\obj\\xtop.exe"=
"c:\\CAD\\ProE\\bin\\proe.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Hry\\FULL\\AGE OF EMPIRES 2\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Dassault Systemes\\B20\\intel_a\\code\\bin\\orbixd.exe"=
"c:\\Program Files\\Dassault Systemes\\B20\\intel_a\\code\\bin\\CNEXT.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Freeciv-2.3.0-gtk2\\freeciv-server.exe"=
"c:\\Program Files\\Freeciv-2.3.0-gtk2\\freeciv-gtk2.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8. 8. 2008 14:43 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8. 8. 2008 14:43 5248]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5. 7. 2006 13:46 63352]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9. 8. 2008 9:40 210224]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7. 6. 2011 6:21 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12. 8. 2008 16:00 320856]
S1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [24. 4. 2007 17:52 16688]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12. 8. 2008 16:00 20568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18. 3. 2010 12:16 130384]
S2 CoLinuxDriver;CoLinuxDriver;\??\c:\documents and settings\Stuler\Plocha\Portable_Ubuntu\linux.sys --> c:\documents and settings\Stuler\Plocha\Portable_Ubuntu\linux.sys [?]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [19. 4. 2007 14:45 14336]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [21. 3. 2011 12:40 40960]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18. 3. 2010 12:16 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 04:51]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 19:05]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 19:05]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://startsear.ch/?aff=1
TCP: DhcpNameServer = 147.229.190.143 147.229.191.143
FF - ProfilePath -
.
.
------- File Associations -------
.
.txt=RadLight Media txt
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 00:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-25 00:03:53
ComboFix-quarantined-files.txt 2011-11-24 23:03
ComboFix2.txt 2011-11-21 23:02
.
Pre-Run: Volných bajtů: 84 548 280 320
Post-Run: Volných bajtů: 84 517 441 536
.
- - End Of File - - B1C786273FA29AD2E325D45FD3EDA08A

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 12:30
od vyosek
:arrow: Stahnete RogueKiller http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
  • Ukoncete vsechny programy
  • Pokud pouzivate Win Vista ci W7, kliknete na RogueKiller pravym a dejte Run As Administrator ci Spustit jako spravce
  • Zvolte moznost 2 a potvrte enterem
  • Utilita provede svou cinnost a da log - ten sem vlozte
  • Nyni znovu, ale zvolte moznost 3 a pote jeste 4 - logy opet vlozte

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 12:47
od Stuler
Log 1:


RogueKiller V6.1.10 [11/18/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Stuler [Admin rights]
Mode: Remove -- Date : 11/25/2011 12:44:00

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[45] : NtCreatePagingFile @ 0x805AB9EE -> HOOKED (d347bus.sys @ 0xB7F82A20)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


Log2:

RogueKiller V6.1.10 [11/18/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Stuler [Admin rights]
Mode: HOSTSFix -- Date : 11/25/2011 12:44:29

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ Resetted HOSTS: ¤¤¤
127.0.0.1 localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


Log 3:

RogueKiller V6.1.10 [11/18/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Stuler [Admin rights]
Mode: ProxyFix -- Date : 11/25/2011 12:44:55

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 12:48
od vyosek
Jak se chova PC :???:

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 12:52
od Stuler
PC sa chová rovnako uz od mojho prveho aplikovania combofixu, ide rychlo a nevyhadzuje hlasky o viroch, ale stale mi nejde net, pretoze mi nefunguje DHCP (subor netbt.sys je stale vo virusovej truhle).

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 13:00
od vyosek
Zkusime jej obnovit pomoci CFka, pripadne jej budem muset nekde najit :?:

:arrow: Aplikujte tento skript pro CF

Kód: Vybrat vše

KillAll::

Restore::
C:\Windows\System32\drivers\ netbt.sys

Mia::
C:\Windows\System32\drivers\ netbt.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

DDS::
mStart Page = hxxp://startsear.ch/?aff=1

Reboot::

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 25 lis 2011 13:47
od Stuler
Log z ComboFixu:


ComboFix 11-11-21.01 - Stuler . 11. 2011 13:12:14.4.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2046.1542 [GMT 1:00]
Running from: c:\documents and settings\Stuler\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Stuler\Plocha\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\System32\drivers\ netbt.sys . . . is infected!!
.
c:\windows\System32\drivers\ netbt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
2011-11-24 14:44 . 2011-11-24 14:44 -------- d-----w- C:\$WINDOWS.~BT
2011-11-23 15:10 . 2011-11-23 15:10 -------- d-----w- c:\program files\MH AeroTools
2011-11-22 20:11 . 2011-11-22 20:11 -------- d-----w- c:\documents and settings\Stuler\Data aplikací\ProfiliXT
2011-11-22 20:04 . 2011-11-22 20:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-22 09:36 . 2011-11-22 20:11 -------- d-----w- c:\documents and settings\Stuler\Data aplikací\DevProf
2011-11-22 09:36 . 2011-11-22 20:03 -------- d-----w- c:\program files\ProfiliProV2
2011-11-22 09:35 . 2011-11-22 20:32 -------- d-----w- c:\program files\ProfiliXTV2
2011-11-22 09:34 . 2011-11-22 09:34 -------- d-----w- c:\program files\ProfiliV2
2011-11-22 07:26 . 2011-11-22 07:26 -------- d-----w- c:\program files\Glauert III
2011-11-21 19:37 . 2011-11-21 19:37 -------- d-----w- C:\rsit
2011-11-21 17:41 . 2011-11-22 20:06 -------- d-----w- c:\documents and settings\Administrator
2011-11-20 12:48 . 2011-11-21 20:40 -------- d-sh--w- c:\documents and settings\Stuler\Local Settings\Data aplikací\67379620
2011-11-18 16:11 . 2011-11-18 16:13 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alias
2011-11-17 16:44 . 2011-11-17 16:46 -------- d-----w- c:\program files\Maple 14
2011-11-17 16:44 . 2011-11-17 16:44 -------- d--h--w- c:\program files\Zero G Registry
2011-11-17 16:43 . 2011-11-17 16:43 -------- d--h--w- c:\documents and settings\Stuler\InstallAnywhere
2011-11-17 15:33 . 2011-11-17 15:33 -------- d-----w- c:\documents and settings\Stuler\Local Settings\Data aplikací\Mathsoft
2011-11-17 15:29 . 2011-11-17 15:29 -------- d-----w- c:\documents and settings\Stuler\Data aplikací\Mathsoft
2011-11-17 15:26 . 2011-11-17 15:26 -------- d-----w- c:\program files\Mathcad
2011-11-16 14:25 . 2011-11-21 17:07 -------- d-----w- c:\program files\Mozilla Sunbird
2011-11-05 20:07 . 2011-11-05 20:07 -------- d-----w- c:\program files\UsbMac
2011-11-01 11:47 . 2011-11-03 07:39 -------- d-----w- c:\program files\Freeciv-2.3.0-gtk2
2011-10-26 18:20 . 2011-10-26 18:20 -------- d-----w- c:\program files\Digiarty
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 20:33 . 2011-06-07 05:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 11:58 . 2011-10-25 11:58 532480 ----a-w- c:\windows\system32\360 GEnx (1280).scr
2011-10-10 14:22 . 2008-08-08 12:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 03:06 . 2011-06-09 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 00:37 . 2008-08-19 20:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2001-10-25 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2001-10-25 12:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2001-10-25 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 20:45 . 2011-06-07 05:21 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38 . 2011-06-07 05:21 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2008-08-12 15:00 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2008-08-12 15:00 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2008-08-12 15:00 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2008-08-12 15:00 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2008-08-12 15:00 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2008-08-12 15:00 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2008-08-12 15:00 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 14:10 . 2001-10-25 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 11:24 . 2011-05-19 18:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-21_22.54.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 16:54 . 2011-11-22 20:07 74272 c:\windows\system32\Restore\rstrlog.dat
+ 2011-11-23 15:11 . 2011-11-23 15:11 10134 c:\windows\Installer\{927DE518-731B-46BC-A39D-BB277153949E}\_A0CF6261FCAF8910DAE9D8.exe
+ 2011-11-23 15:11 . 2011-11-23 15:11 10134 c:\windows\Installer\{927DE518-731B-46BC-A39D-BB277153949E}\_2F73B7755298C3D9946047.exe
+ 2011-11-23 15:10 . 2011-11-23 15:10 160256 c:\windows\Installer\6f1e7.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1204224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"nwiz"="nwiz.exe" [2009-04-30 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
SketchBook Snapshot.lnk - c:\program files\Autodesk\SketchBookPro2011\SketchBookSnapshot.exe [2010-9-8 721408]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AllerCalc"="c:\program files\AllerCalc\AllerCalc.exe" /i
"Start WingMan Profiler"="c:\program files\Logitech\Profiler\lwemon.exe" /noui
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" -lang 1033
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Hry\\AGE OF EMPIRES 2\\empires2.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\CAD\\ProE\\i486_nt\\nms\\nmsd.exe"=
"c:\\CAD\\ProE\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\CAD\\ProE\\i486_nt\\obj\\xtop.exe"=
"c:\\CAD\\ProE\\bin\\proe.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Hry\\FULL\\AGE OF EMPIRES 2\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Dassault Systemes\\B20\\intel_a\\code\\bin\\orbixd.exe"=
"c:\\Program Files\\Dassault Systemes\\B20\\intel_a\\code\\bin\\CNEXT.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Freeciv-2.3.0-gtk2\\freeciv-server.exe"=
"c:\\Program Files\\Freeciv-2.3.0-gtk2\\freeciv-gtk2.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8. 8. 2008 14:43 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8. 8. 2008 14:43 5248]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5. 7. 2006 13:46 63352]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [9. 8. 2008 9:40 210224]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7. 6. 2011 6:21 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12. 8. 2008 16:00 320856]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [24. 4. 2007 17:52 16688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12. 8. 2008 16:00 20568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18. 3. 2010 12:16 130384]
S2 CoLinuxDriver;CoLinuxDriver;\??\c:\documents and settings\Stuler\Plocha\Portable_Ubuntu\linux.sys --> c:\documents and settings\Stuler\Plocha\Portable_Ubuntu\linux.sys [?]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [19. 4. 2007 14:45 14336]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [21. 3. 2011 12:40 40960]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18. 3. 2010 12:16 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 04:51]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 19:05]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 19:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://startsear.ch/?aff=1
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
TCP: DhcpNameServer = 147.229.190.143 147.229.191.143
FF - ProfilePath - c:\documents and settings\Stuler\Data aplikací\Mozilla\Firefox\Profiles\t4346nj9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.sk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 13:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b
.
[HKEY_USERS\S-1-5-21-790525478-527237240-725345543-1003\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2912)
c:\windows\system32\msi.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2011-11-25 13:45:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-25 12:45
ComboFix2.txt 2011-11-24 23:03
ComboFix3.txt 2011-11-21 23:02
.
Pre-Run: Volných bajtů: 84 518 752 256
Post-Run: Volných bajtů: 84 488 065 024
.
- - End Of File - - F8444628D39A2BC2A73F2FEE5E16A5C5

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 11:31
od vyosek
:arrow: Stahnete tento soubor http://vyosek.ic.cz/pro_usery/netbt.sys a ulozte jej primo na disk c:\ tak at neni v zadne dalsi slozce

:arrow: Otevrete si poznamkovy blok
  • Start->spustit->notepad
  • Vlozte text nize

  • Kód: Vybrat vše

    @ECHO OFF
copy c:\netbt.sys C:\Windows\System32\drivers
regsvr32 netbt.sys
  • Soubor ulozte jako del.bat
  • Pri ukladani dejte ulozit jako typ Vsechny soubory (nastevni je uvedeno na obrazku nize)
  • Obrázek
  • Zavrit notepad a spustit dvojklikem del.bat
  • Okno jen problikne a provede opravu - soubor muzete smazat
:arrow: Restart PC a napiste jak se chova

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 11:52
od Stuler
Vysledok sa nezmenil, po spusteni del.bat vybehlo okienko s textom:

netbt.sys byl načten, ale nebyl nalezen vstupný bod DLLRegisterServer.
netbt.sys pravdepodobne není soubor DLL nebo OCX.

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 12:12
od vyosek
mate instalacni CD :???:

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 12:27
od Stuler
Mám image instalacneho CD na disku, CD-ROM mi nefunguje. Skusal som vyhladat netbt.sys aj tam, bez vacsieho uspechu.

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 12:57
od vyosek
A je nakopirovan v tom c:\windows\system32\drivers :???:

Jeste je moznost udelat bootovaci flash disk s instalacnim CD a z nej provest opravnou instalaci - ta prepise systemove soubory a registry, ale data se nesmazou...

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 13:21
od Stuler
to ma napadlo hned ako prve, ale tazko sa dostanem do BIOSu :-D nejako to vyriesim, jediny problem pre mna predstavuje nemoznost dostat sa do BIOSu, kedze sa mi to podari raz zo sto pokusov. kazdopadne velmi pekne dakujem za pomoc, musim povedat, ze ste machri a urcite sa na Vas obratim aj pri dalsom podobnom probleme ;-)

Re: AVAST hlasi Win32:Rootkit-gen

Napsal: 26 lis 2011 22:25
od vyosek
Na uvodni strance pri spusteni by mela byt napsana klavesa ktera vas do BIOSu dostane - zpravidla to byva Delete nebo pripadne jeste F2
Všechny časy jsou v UTC+01:00
Stránka 2 z 2

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz