Page 3 of 14

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 22:47
by poharka
Should I also post the OTL log here?

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 22:48
by motji
Yes :)

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 22:51
by poharka
OTL logfile created on: 12. 12. 2010 22:41:10 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Saga\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 0000041b | Country: Slovenská republika | Language: SKY | Date Format: d. M. yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 62,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 107,22 Gb Total Space | 10,21 Gb Free Space | 9,52% Space Free | Partition Type: NTFS
Drive D: | 2,00 Gb Total Space | 1,39 Gb Free Space | 69,68% Space Free | Partition Type: NTFS

Computer Name: SAGA-NB | User Name: Saga | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/12 22:40:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
PRC - [2010/09/19 19:49:03 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/07 17:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 02:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2007/09/20 14:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/09/13 14:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/13 14:44:48 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/07/02 12:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/06/06 15:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/05/22 13:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2006/09/08 14:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe


========== Modules (SafeList) ==========

MOD - [2010/12/12 22:40:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
MOD - [2009/07/14 02:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 02:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 02:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 02:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 02:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 02:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 02:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 02:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 02:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 02:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 02:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 17:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/07/14 02:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 02:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 02:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 02:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 02:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 02:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/14 02:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 02:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 02:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 02:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 02:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 02:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 02:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 02:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 02:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 02:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 02:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 02:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/09/20 14:31:10 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/09/13 14:45:38 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Saga\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/09/07 16:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 16:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 16:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 16:47:30 | 000,050,768 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/09/07 16:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/07/14 02:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 02:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 02:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 02:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 02:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 02:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 02:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 02:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 02:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 02:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 02:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 02:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 02:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 02:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 02:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 02:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 02:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 02:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 02:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 02:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 02:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 02:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 02:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 02:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 02:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 02:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 02:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 02:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 02:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 02:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 02:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 02:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 02:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 02:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 02:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 02:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 02:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 01:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 01:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 01:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 00:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 00:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 00:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 00:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 00:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 00:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 00:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 00:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 00:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 00:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 00:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 00:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 00:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 00:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 00:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 00:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 23:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 23:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 23:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 23:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 23:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 23:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 23:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)
DRV - [2009/07/13 23:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)
DRV - [2009/07/13 23:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)
DRV - [2009/07/13 23:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 23:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 23:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/25 15:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 15:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 15:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/01/20 15:36:42 | 001,207,288 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2009/01/20 15:36:12 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2007/09/13 14:46:06 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/06/25 17:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eu.ask.com?o=16128&l=dis
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 89 9D 1C DF E6 96 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://dell.com/"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 7
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..network.proxy.backup.ftp: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "proxy01-15.roburnet.lan"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "localhost, 127.0.0.1, 192.168.1.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "proxy-01-15.roburnet.lan"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.icq.com/search/afe_result ... id=afex&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/19 19:49:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/04 19:17:18 | 000,000,000 | ---D | M]

[2009/12/22 00:06:20 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Extensions
[2010/12/12 20:49:30 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions
[2009/12/22 00:06:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/05 17:36:26 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/12/22 00:06:50 | 000,000,000 | ---D | M] -- C:\Users\Saga\AppData\Roaming\mozilla\Firefox\Profiles\egogpyjf.default\extensions\firefox@tvunetworks.com
[2010/07/10 23:45:17 | 000,002,393 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\askcom.xml
[2010/12/06 21:01:59 | 000,000,961 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-1.xml
[2008/12/17 12:50:24 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-10.xml
[2009/02/06 22:40:02 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-11.xml
[2009/03/10 21:13:52 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-12.xml
[2009/03/12 00:14:10 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-13.xml
[2009/03/29 22:58:52 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-14.xml
[2009/04/23 08:24:42 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-15.xml
[2009/04/28 18:26:16 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-16.xml
[2009/06/25 22:03:24 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-17.xml
[2009/07/28 15:00:20 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-18.xml
[2007/12/08 19:47:52 | 000,000,951 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-2.xml
[2008/02/09 10:07:02 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-3.xml
[2008/03/10 19:51:12 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-4.xml
[2008/10/09 21:11:36 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-5.xml
[2008/11/13 22:36:38 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-6.xml
[2008/11/14 10:00:00 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-7.xml
[2008/12/12 21:18:26 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-8.xml
[2008/12/12 23:16:18 | 000,000,950 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin-9.xml
[2008/07/10 13:07:28 | 000,000,944 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\icqplugin.xml
[2009/03/03 20:38:28 | 000,003,915 | ---- | M] () -- C:\Users\Saga\AppData\Roaming\Mozilla\FireFox\Profiles\egogpyjf.default\searchplugins\sweetim.xml
[2010/12/12 11:44:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/28 11:29:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/05 08:00:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 04:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/09/18 14:52:29 | 000,001,583 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\atlas-sk.xml
[2010/09/18 14:52:29 | 000,001,380 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\azet-sk.xml
[2010/09/18 14:52:29 | 000,001,479 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\dunaj-sk.xml
[2010/09/18 14:52:29 | 000,001,473 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\slovnik-sk.xml
[2010/09/18 14:52:29 | 000,001,104 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-sk.xml
[2010/09/18 14:52:29 | 000,000,830 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\zoznam-sk.xml

O1 HOSTS File: ([2010/12/10 21:10:09 | 000,001,093 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 thepiratebay.org
O1 - Hosts: 127.0.0.1 www.thepiratebay.org
O1 - Hosts: 127.0.0.1 mininova.org
O1 - Hosts: 127.0.0.1 www.mininova.org
O1 - Hosts: 127.0.0.1 forum.mininova.org
O1 - Hosts: 127.0.0.1 blog.mininova.org
O1 - Hosts: 127.0.0.1 suprbay.org
O1 - Hosts: 127.0.0.1 www.suprbay.org
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 0ft68q = C:\Windows\TEMP\sazhph.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.2 192.168.1.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/12 22:40:25 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
[2010/12/12 22:01:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/12/12 22:01:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/12/12 22:01:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/12/12 22:00:44 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/12 22:00:43 | 000,000,000 | --SD | C] -- C:\beruška.com
[2010/12/12 22:00:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/12 21:59:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/12/12 21:59:43 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/12/12 15:01:33 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\ats
[2010/12/12 11:54:53 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\Malwarebytes
[2010/12/12 11:54:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/12/12 11:54:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/12 11:54:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/12/12 11:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/12 11:51:53 | 007,622,112 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Saga\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/12 09:49:39 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/11 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/12/11 22:41:04 | 000,000,000 | ---D | C] -- C:\rsit
[2010/12/11 22:31:34 | 000,000,000 | ---D | C] -- C:\Users\Saga\Pavark
[2010/12/11 21:13:53 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/12/11 12:32:44 | 000,000,000 | ---D | C] -- C:\Users\Saga\Bluetooth Software
[2010/12/11 12:32:44 | 000,000,000 | ---D | C] -- C:\Users\Saga\Documents\Bluetooth Exchange Folder
[2010/12/11 12:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\WIDCOMM
[2010/12/11 12:24:20 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\Dell
[2010/12/11 12:24:02 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco
[2010/12/11 12:22:05 | 000,991,232 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMLogon.dll
[2010/12/11 12:22:03 | 002,682,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vcredist_x86.exe
[2010/12/11 12:22:03 | 000,018,424 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\bcm42rly.sys
[2010/12/11 12:22:02 | 004,145,152 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmttls.dll
[2010/12/11 12:22:02 | 000,286,720 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmwlu00.exe
[2010/12/11 12:22:01 | 006,369,280 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMWLCPL.CPL
[2010/12/11 12:22:01 | 000,065,536 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\wltrynt.dll
[2010/12/11 12:22:00 | 000,163,840 | ---- | C] (Broadcom Corp.) -- C:\Windows\System32\bcmwlapi.dll
[2010/12/11 12:21:59 | 003,829,760 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmihvsrv.dll
[2010/12/11 12:21:59 | 003,489,792 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmihvui.dll
[2010/12/11 12:21:59 | 001,207,288 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\BCMWL6.SYS
[2010/12/11 12:21:59 | 000,087,328 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\bcmwlcoi.dll
[2010/12/11 12:21:58 | 000,000,000 | ---D | C] -- C:\Program Files\Dell
[2010/12/11 12:21:37 | 000,000,000 | ---D | C] -- C:\Users\Saga\AppData\Roaming\InstallShield
[2010/12/11 09:01:03 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/12/11 08:58:40 | 000,017,744 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/12/11 08:58:39 | 000,165,584 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/12/11 08:58:38 | 000,023,376 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/12/11 08:58:36 | 000,046,672 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/12/11 08:58:34 | 000,050,768 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/12/11 08:58:21 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/12/11 08:58:20 | 000,167,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2010/11/13 21:58:45 | 000,000,000 | ---D | C] -- C:\Users\Saga\Desktop\GfK_corporate_colors
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/12 22:40:28 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Saga\Desktop\OTL.exe
[2010/12/12 22:18:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/12 22:18:04 | 1609,072,640 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/12 22:15:57 | 239,350,445 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/12/12 21:59:33 | 003,988,679 | R--- | M] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 21:00:00 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/12/12 11:54:45 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/12 11:52:11 | 007,622,112 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Saga\Desktop\mbam-setup-1.50.0.0.exe
[2010/12/12 11:44:50 | 000,731,136 | ---- | M] () -- C:\Users\Saga\Desktop\avenger.exe
[2010/12/11 22:36:32 | 000,288,107 | ---- | M] () -- C:\Users\Saga\Desktop\gmer.zip
[2010/12/11 22:30:28 | 000,311,591 | ---- | M] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:26 | 001,372,818 | ---- | M] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:16 | 000,014,529 | ---- | M] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 15:52:12 | 000,839,408 | ---- | M] () -- C:\Users\Saga\Desktop\[isoHunt] Sex_Substitute_2.5210149.TPB.torrent
[2010/12/11 12:27:54 | 046,149,072 | ---- | M] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:25:16 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/11 12:25:16 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/11 12:22:54 | 000,772,936 | ---- | M] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:20:14 | 060,833,624 | ---- | M] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 11:37:48 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/11 11:37:48 | 000,013,600 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/11 08:58:41 | 000,002,005 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:58:34 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/12/11 08:54:41 | 052,150,856 | ---- | M] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[2010/12/10 21:10:09 | 000,001,093 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/12/05 22:04:34 | 001,524,224 | ---- | M] () -- C:\Users\Saga\Desktop\Tipos_navigator_predloha.ppt
[2010/12/04 16:30:31 | 000,012,768 | ---- | M] () -- C:\Users\Saga\Desktop\Apache_Gold_aka_Winnetou_1_by_Baloch66.torrent
[2010/12/04 15:47:03 | 012,162,560 | ---- | M] () -- C:\Users\Saga\Desktop\ENG_Navigator Mass Affluent.ppt
[2010/12/04 15:46:58 | 001,017,025 | ---- | M] () -- C:\Users\Saga\Desktop\35856_uzatvorene.sav
[2010/12/04 11:13:28 | 000,018,825 | ---- | M] () -- C:\Users\Saga\Desktop\Winnetou_I.Teil_Apache_Gold.4604810.TPB.torrent
[2010/12/04 08:31:10 | 000,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/11/14 20:13:12 | 002,221,056 | ---- | M] () -- C:\Users\Saga\Desktop\Maestro_layout_r_prerob-1.ppt
[2010/11/13 23:21:46 | 001,971,712 | ---- | M] () -- C:\Users\Saga\Desktop\Maestro_layout_r.ppt
[2010/11/13 18:35:45 | 000,344,576 | ---- | M] () -- C:\Users\Saga\Documents\Presentation1.ppt
[1 C:\Users\Saga\Desktop\*.tmp files -> C:\Users\Saga\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/12 22:15:57 | 239,350,445 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/12 22:01:02 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/12/12 22:01:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/12/12 22:01:02 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2010/12/12 22:01:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/12/12 22:01:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/12/12 21:59:01 | 003,988,679 | R--- | C] () -- C:\Users\Saga\Desktop\beruška.com.exe
[2010/12/12 11:54:45 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/12 11:44:48 | 000,731,136 | ---- | C] () -- C:\Users\Saga\Desktop\avenger.exe
[2010/12/12 11:21:58 | 000,000,392 | ---- | C] () -- C:\Program Files\lvzqx.txt
[2010/12/11 22:36:30 | 000,288,107 | ---- | C] () -- C:\Users\Saga\Desktop\gmer.zip
[2010/12/11 22:30:24 | 000,311,591 | ---- | C] () -- C:\Users\Saga\Desktop\AntiRootkit.zip
[2010/12/11 21:13:25 | 001,372,818 | ---- | C] () -- C:\Users\Saga\Desktop\sar_15_sfx.rar
[2010/12/11 16:06:13 | 000,014,529 | ---- | C] () -- C:\Users\Saga\Desktop\39795BC0A7C6272339485DD9B2AE97458E654ECF.torrent
[2010/12/11 15:52:04 | 000,839,408 | ---- | C] () -- C:\Users\Saga\Desktop\[isoHunt] Sex_Substitute_2.5210149.TPB.torrent
[2010/12/11 12:26:54 | 046,149,072 | ---- | C] () -- C:\Users\Saga\Desktop\R140135.exe
[2010/12/11 12:23:18 | 000,772,936 | ---- | C] () -- C:\Windows\System32\oem9.inf
[2010/12/11 12:22:03 | 000,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2010/12/11 12:22:03 | 000,000,416 | ---- | C] () -- C:\Windows\System32\vcredist_x86.bat
[2010/12/11 12:22:02 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2010/12/11 12:22:00 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2010/12/11 12:13:36 | 060,833,624 | ---- | C] () -- C:\Users\Saga\Desktop\R209077.exe
[2010/12/11 08:58:41 | 000,002,005 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2010/12/11 08:54:02 | 052,150,856 | ---- | C] () -- C:\Users\Saga\Desktop\setup_av_free.exe
[2010/12/04 16:30:28 | 000,012,768 | ---- | C] () -- C:\Users\Saga\Desktop\Apache_Gold_aka_Winnetou_1_by_Baloch66.torrent
[2010/12/04 15:46:56 | 001,017,025 | ---- | C] () -- C:\Users\Saga\Desktop\35856_uzatvorene.sav
[2010/12/04 15:46:46 | 001,524,224 | ---- | C] () -- C:\Users\Saga\Desktop\Tipos_navigator_predloha.ppt
[2010/12/04 15:46:38 | 012,162,560 | ---- | C] () -- C:\Users\Saga\Desktop\ENG_Navigator Mass Affluent.ppt
[2010/12/04 11:13:26 | 000,018,825 | ---- | C] () -- C:\Users\Saga\Desktop\Winnetou_I.Teil_Apache_Gold.4604810.TPB.torrent
[2010/12/04 08:31:10 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/12/04 08:28:44 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/11/14 20:13:07 | 002,221,056 | ---- | C] () -- C:\Users\Saga\Desktop\Maestro_layout_r_prerob-1.ppt
[2010/11/13 18:59:28 | 005,175,466 | ---- | C] () -- C:\Users\Saga\Desktop\SDC11358.JPG
[2010/11/13 18:58:08 | 005,233,443 | ---- | C] () -- C:\Users\Saga\Desktop\SDC11357.JPG
[2010/11/13 18:35:43 | 000,344,576 | ---- | C] () -- C:\Users\Saga\Documents\Presentation1.ppt
[2010/11/13 15:45:01 | 001,971,712 | ---- | C] () -- C:\Users\Saga\Desktop\Maestro_layout_r.ppt
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
[2010/07/12 16:49:04 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
[2010/07/12 16:49:04 | 000,000,100 | ---- | C] () -- C:\Windows\System32\prsgrc.dll
[2010/07/12 16:45:45 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll
[2010/07/12 16:45:45 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll
[2010/07/04 21:43:22 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2010/07/04 20:50:31 | 000,000,225 | ---- | C] () -- C:\Users\Saga\AppData\Roaming\burnaware.ini
[2009/12/23 18:39:40 | 000,010,240 | ---- | C] () -- C:\Users\Saga\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/14 00:36:08 | 000,193,024 | ---- | C] () -- C:\Windows\System32\sppcomapi.dll
[2009/07/14 00:24:44 | 000,003,584 | ---- | C] () -- C:\Windows\System32\kb.dll

< End of report >

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 22:52
by poharka
OTL Extras logfile created on: 12. 12. 2010 22:41:10 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Saga\Desktop
An unknown product (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 0000041b | Country: Slovenská republika | Language: SKY | Date Format: d. M. yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 62,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 81,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 107,22 Gb Total Space | 10,21 Gb Free Space | 9,52% Space Free | Partition Type: NTFS
Drive D: | 2,00 Gb Total Space | 1,39 Gb Free Space | 69,68% Space Free | Partition Type: NTFS

Computer Name: SAGA-NB | User Name: Saga | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 21
"{46B65150-F8AA-42F2-94FB-2729A8AE5F7E}" = SPSS Statistics 17.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5U8xx Media Driver ver.3.62.02
"{5AF8E290-3618-4263-B47D-68AEE9DE496D}" = STORMWARE POHODA SK Start
"{6367598D-E903-4B58-BEB8-A5D03D3803B3}" = STORMWARE POHODA SK Start
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{EE132ABE-5452-4442-9AEC-2F65CFA8CC85}" = STORMWARE POHODA SK Start
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"BitTorrent" = BitTorrent
"Broadcom 802.11b Network Adapter" = Pomôcka Dell Wireless WLAN Card
"BurnAware Professional_is1" = BurnAware Professional 2.4.7
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MozBackup" = MozBackup 1.4.10
"Mozilla Firefox (3.5.13)" = Mozilla Firefox (3.5.13)
"SyTools Open Office Writer Recovery - DEMO Version 2.0_is1" = SyTools Open Office Writer Recovery
"VLC media player" = VLC media player 1.0.5
"WinRAR archiver" = WinRAR archiver

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:04
by motji
Do you know this file?
C:\Program Files\lvzqx.txt
If not, copy the file's contents here.

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:07
by poharka
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-12 23:06:39
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort1 TOSHIBA_MK1237GSX rev.DL140D
Running: gmer.exe; Driver: C:\Users\Saga\AppData\Local\Temp\kxrdypow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CAD4BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8CAD49D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8CAD4B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82C4E5C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C73052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82DAC279 7 Bytes JMP 8CAD4B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E13F59 5 Bytes JMP 8CAD05D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E2DC5F 5 Bytes JMP 8CAD2012 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 82E3BCE3 7 Bytes JMP 8CAD49D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EE5E12 7 Bytes JMP 8CAD4BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 77725360 5 Bytes JMP 0038000A
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtWriteVirtualMemory 77725EE0 5 Bytes JMP 003D000A
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!KiUserExceptionDispatcher 77726448 5 Bytes JMP 0037000A
.text C:\Windows\system32\svchost.exe[920] ole32.dll!CoCreateInstance 762357FC 5 Bytes JMP 00A6000A
.text C:\Windows\system32\svchost.exe[920] USER32.dll!GetCursorPos 773EC198 5 Bytes JMP 00B1000A
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1412] kernel32.dll!SetUnhandledExceptionFilter 75E53162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Windows\Explorer.EXE[1652] Explorer.EXE 007D317E 2 Bytes [0C, 16] {OR AL, 0x16}
.text C:\Windows\Explorer.EXE[1652] Explorer.EXE 007D3190 14 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text C:\Windows\Explorer.EXE[1652] ntdll.dll!NtProtectVirtualMemory 77725360 5 Bytes JMP 01B4000A
.text C:\Windows\Explorer.EXE[1652] ntdll.dll!NtWriteVirtualMemory 77725EE0 5 Bytes JMP 01C0000A
.text C:\Windows\Explorer.EXE[1652] ntdll.dll!KiUserExceptionDispatcher 77726448 5 Bytes JMP 0078000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!NtProtectVirtualMemory 77725360 5 Bytes JMP 0082000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!NtWriteVirtualMemory 77725EE0 5 Bytes JMP 00B0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!KiUserExceptionDispatcher 77726448 5 Bytes JMP 004E000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744F2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744D5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744D56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744F250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744E8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744E4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744E50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744E51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [744E66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744E82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744E8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744E907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744EE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744E4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\BTHUSB \Device\00000071 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000073 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\fastfat \Fat 9A1C8130

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskTOSHIBA_MK1237GSX_______________________DL140D__#5&1bbdf5d2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00197ed91eec
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00197ed91eec (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 234441392 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:08
by poharka
motji wrote: Do you know this file?
C:\Program Files\lvzqx.txt
If not, copy the contents of the file here
file contents:
drivers to delete:
rmesth
kxrdypow
Files to delete:
C:\Windows\System32\drivers\rmesth.sys
C:\Users\Saga\AppData\Local\Temp\kxrdypow.sys
C:\Windows\TEMP\sazhph.exe
C:\Windows\TEMP\Rjv.exe

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:13
by motji
Great, an MBR rootkit.
Do you have a desktop computer or a notebook? Do you have more partitions, systems?


-> download MBR
http://www2.gmer.net/mbr/mbr.exe
-save it to the desktop and run it
-a log named mbr.log will be created, paste it here

We'll continue tomorrow, my son is calling me :) . I'll be here in the morning around 9 and will leave you instructions.
Now this will need a bit of patience from you. We'll be digging directly in the sectors on the disk, which has to be done carefully. :) . I told you it was a whole zoo, but it hadn't occurred to me that you had animals like these in there too :D

Do you have the installation DVD?

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:22
by poharka
that's "great"... oh :( the problem is that tomorrow I'm going to work and won't be back until the evening :( so now this will drag on...
Anyway, I have a NB, I only have C and D. If that's what you mean.

I don't have the installation DVD, a friend installed it for me when he reinstalled the original Windows. I'm really tempted to put Linux on and avoid problems like this.

You haven't cheered me up, but I hope it can be killed.

Above all, thank you for your time and willingness :)

So I'll be here tomorrow evening.

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 12 Dec 2010 23:24
by poharka
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: TOSHIBA_MK1237GSX rev.DL140D -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-2

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskTOSHIBA_MK1237GSX_______________________DL140D__#5&1bbdf5d2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
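
The mbr.exe verdict above rests on a single comparison: sector 0 read through the normal I/O path against sector 0 read by the tool's own driver, below whatever is hooking the disk stack. As an added illustration (my code, not part of the thread and not GMER's code), the following Python decodes an MBR, performs that comparison on two constructed sectors (a clean one and one whose boot code has been replaced while the partition table is left intact, the usual bootkit pattern), and computes the trailing-sector range that GMER's disk check reports as "sectors N (+255)". The sample sectors and partition layout are constructed; the 234,441,648-sector disk size in the main block is my arithmetic for a 120 GB drive (120,034,123,776 bytes / 512), chosen because it makes the GMER start sector 234441392 come out, not a figure stated in the logs.

```python
"""Added example, not from the thread or from GMER: decode an MBR and reproduce
the idea behind mbr.exe's "user != kernel MBR" verdict.

Assumptions (mine): a bootkit replaces the boot code in sector 0, leaves the
partition table intact, and hooks the disk stack so that ordinary readers get
the original sector back. The sample sectors below are constructed here."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440            # boot code lives in bytes 0..439
PT_OFFSET = 446               # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# entry layout: status, CHS start (3), type, CHS end (3), LBA start, LBA count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    if len(boot_code) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or more than four partitions")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, lba_count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, ptype, lba_start, lba_count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_partition_table(mbr):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    entries = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:                      # unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def bootcode_sha256(mbr):
    """Digest of the boot code only: a swapped loader shows up even when the
    partition table, and therefore every file system, looks untouched."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def compare_mbr_reads(user_mbr, kernel_mbr):
    """Emulate the mbr.exe check. user_mbr is sector 0 as returned through the
    ordinary I/O path (a hook can substitute the clean original); kernel_mbr is
    sector 0 read below the hook. Any difference means something between the
    caller and the disk is rewriting what the system sees."""
    findings = []
    for name, sec in (("user", user_mbr), ("kernel", kernel_mbr)):
        if len(sec) != SECTOR or sec[510:512] != MBR_SIGNATURE:
            findings.append(f"{name} read is not a valid MBR")
    if findings:
        return findings
    if user_mbr[:BOOTCODE_LEN] != kernel_mbr[:BOOTCODE_LEN]:
        findings.append("boot code differs: user != kernel MBR")
    if user_mbr[PT_OFFSET:510] != kernel_mbr[PT_OFFSET:510]:
        findings.append("partition table differs: user != kernel MBR")
    return findings


def hidden_tail_region(total_sectors, count=256):
    """LBA range of the last `count` sectors of a disk. GMER's disk check reports
    this area as 'sectors N (+255)'; it lies past every partition and is where
    MBR bootkits typically store their payload."""
    if total_sectors < count:
        raise ValueError("disk is smaller than the region")
    return total_sectors - count, total_sectors - 1


# --- constructed sample data, not taken from the victim machine ---
# typical prologue: xor ax,ax / mov ss,ax / mov sp,7C00h, padded with nops
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
PARTITIONS = [(0x80, 0x07, 2048, 224_000_000),       # bootable NTFS volume
              (0x00, 0x07, 224_002_048, 4_000_000)]   # second NTFS volume
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
# bootkit-style edit: new loader code, partition table left exactly as it was
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 200, PARTITIONS)
USER_VIEW = CLEAN_MBR        # what the hook serves to ordinary readers
KERNEL_VIEW = INFECTED_MBR   # what is really on the platter

if __name__ == "__main__":
    for entry in parse_partition_table(KERNEL_VIEW):
        print(entry)
    print("boot code sha256, user read  :", bootcode_sha256(USER_VIEW))
    print("boot code sha256, kernel read:", bootcode_sha256(KERNEL_VIEW))
    for line in compare_mbr_reads(USER_VIEW, KERNEL_VIEW) or ["user == kernel MBR"]:
        print(line)
    # assumed 120 GB disk: 120,034,123,776 bytes / 512 = 234,441,648 sectors
    start, end = hidden_tail_region(234_441_648)
    print(f"trailing region to inspect: sectors {start} (+{end - start})")
```

Two things worth noticing when running it: the partition table parses identically from both views, so a file-system level scan finds nothing wrong, and only the boot-code digest and the user/kernel comparison expose the change. That is why the thread moves from file-based tools (OTL, avast) to sector-level ones (GMER, mbr.exe) once the "user != kernel" line appears.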

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 13 Dec 2010 06:58
by motji
One more question about the notebook type - do you have a Toshiba? :o . Do you have only one system? Do you use any data encryption?
I'm asking because when we fix the MBR sectors, on HP notebooks for instance I could blow up booting :o Also, as I look at it, the change in the MBR may well be caused by something from Toshiba, I'll still find out. These repairs are very sensitive.
I'll be here in the evening from about 9 o'clock, but then it will go fairly quickly, I'll try to stay as long as I can :) . It seems to me that something keeps putting it back there :o . You have several tasks here, do them one after another, and if you have time left, do the AVPTool as well, or run it overnight.


-> If you have any important data, back it up just in case!

-> test at http://www.virustotal.com
C:\Windows\System32\drivers\pcw.sys

-> do you know this folder?
C:\Users\Saga\Desktop\ats


-> Run OTL
-into the white box at the bottom paste this script:

Code:

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://eu.ask.com?o=16128&l=dis
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://dell.com/"
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 0ft68q = C:\Windows\TEMP\sazhph.exe File not found

:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
C:\Windows\tasks\At1.job
c:\Windows\Temp\huui\setup.exe
c:\Users\Saga\AppData\Local\Temp\setupcb.exe 
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job 
c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job 
c:\Windows\Temp\huui

:commands
[emptytemp]
[resethosts]
[EMPTYFLASH]
[Reboot]

-click the Run Fix button.
-The PC will then restart.
-Paste the log here :)


-> guide from colleague Stella
Please download TDSSKiller http://support.kaspersky.com/downloads/ ... killer.exe and save it to the desktop.

Double-click TDSSKiller.exe to run the application, then click Start Scan.
If an infected file is detected, the default action will be Cure; click Continue.
If a suspicious file is detected, the default action will be Skip; click Continue.
It may ask you to restart the computer to complete the process. Click Reboot Now.
If no restart is required, click the Report button. A log file should appear. Please copy and paste the contents of the file here.
If a restart of the computer is required, the report is available in your root directory.


-> Download AVPTool from my signature http://www.viry.cz/forum/viewtopic.php?f=29&t=58179

-Install it according to the guide and run a scan
-let it cure or delete whatever it finds
-the scan may take several hours
-paste the results log here

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 13 Dec 2010 09:42
by poharka
Hello,

At the moment I'm at work, so I'll get to the NB at 6 pm at the earliest.

I have a Dell Vostro 1400 NB.

I'm a bit afraid that something else will need to be done there that I won't be able to manage, or that my PC will die completely :(

I'll do it in the evening according to the procedure.

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 13 Dec 2010 10:13
by poharka
More on the system and the encryption :)
I'm a complete layman with PCs, so I may be answering you wrongly.

I don't know what encryption is, but I'm not aware of knowingly encrypting anything.
And the system, well, I only use the local disk C, I save everything there.

Or ask in more layman's terms :), if I answered wrongly :)

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 13 Dec 2010 20:43
by poharka
OTL log:
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Prefs.js: "Ask.com" removed from browser.search.order.1
Prefs.js: "Ask.com" removed from browser.search.selectedEngine
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: "http://dell.com/" removed from browser.startup.homepage
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SigmatelSysTrayApp not found.
File C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\0ft68q not found.
========== FILES ==========
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
File\Folder C:\WINDOWS\*.tmp not found.
File\Folder C:\Windows\tasks\At1.job not found.
File\Folder c:\Windows\Temp\huui\setup.exe not found.
File\Folder c:\Users\Saga\AppData\Local\Temp\setupcb.exe not found.
File\Folder c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job not found.
File\Folder c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job not found.
File\Folder c:\Windows\Temp\huui not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Saga
->Temp folder emptied: 144107 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4640276 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2644 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5,00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Saga
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12132010_203838

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Re: Rootkit - C:\Windows\System32\drivers\rmesth.sys

Posted: 13 Dec 2010 20:48
by poharka
VirusTotal analysis:

pcw.sys
Submission date: 2010-12-13 19:45:17 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

VT Community: not reviewed
Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2010.12.13.01 2010.12.12 -
AntiVir 7.10.15.15 2010.12.13 -
Antiy-AVL 2.0.3.7 2010.12.13 -
Avast 4.8.1351.0 2010.12.13 -
Avast5 5.0.677.0 2010.12.13 -
AVG 9.0.0.851 2010.12.13 -
BitDefender 7.2 2010.12.13 -
CAT-QuickHeal 11.00 2010.12.13 -
ClamAV 0.96.4.0 2010.12.13 -
Command 5.2.11.5 2010.12.13 -
Comodo 7050 2010.12.13 -
DrWeb 5.0.2.03300 2010.12.13 -
Emsisoft 5.1.0.1 2010.12.13 -
eSafe 7.0.17.0 2010.12.13 -
eTrust-Vet 36.1.8037 2010.12.13 -
F-Prot 4.6.2.117 2010.12.13 -
F-Secure 9.0.16160.0 2010.12.13 -
Fortinet 4.2.254.0 2010.12.13 -
GData 21 2010.12.13 -
Ikarus T3.1.1.90.0 2010.12.13 -
Jiangmin 13.0.900 2010.12.13 -
K7AntiVirus 9.72.3235 2010.12.13 -
Kaspersky 7.0.0.125 2010.12.13 -
McAfee 5.400.0.1158 2010.12.13 -
McAfee-GW-Edition 2010.1C 2010.12.13 -
Microsoft 1.6402 2010.12.13 -
NOD32 5700 2010.12.13 -
Norman 6.06.12 2010.12.13 -
nProtect 2010-12-13.01 2010.12.13 -
Panda 10.0.2.7 2010.12.13 -
PCTools 7.0.3.5 2010.12.13 -
Prevx 3.0 2010.12.13 -
Rising 22.77.06.03 2010.12.13 -
Sophos 4.60.0 2010.12.13 -
SUPERAntiSpyware 4.40.0.1006 2010.12.13 -
Symantec 20101.3.0.103 2010.12.13 -
TheHacker 6.7.0.1.099 2010.12.13 -
TrendMicro 9.120.0.1004 2010.12.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.13 -
VBA32 3.12.14.2 2010.12.13 -
VIPRE 7637 2010.12.13 -
ViRobot 2010.12.13.4198 2010.12.13 -
VirusBuster 13.6.92.0 2010.12.13 -
Additional information
MD5 : 250f6b43d2b613172035c6747aeeb19f
SHA1 : 608ff835f70c5d7ed51560ae62f26bf21da5da8f
SHA256: a91f15b133f2619912cf750e6f3662e011cd0fa4b9477ce532ce3196d23307d9
ssdeep: 768:VVNkgTxZsOq4fEbTUG0pHFwQBK0vu8REudkMm9Rq:nZRUWE29JuRq
File size : 43088 bytes
First seen: 2009-12-26 16:09:00
Last seen : 2010-12-13 19:45:17
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Performance Counters for Windows Driver
original name: pcw.sys
internal name: pcw.sys
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xB34B
timedatestamp....: 0x4A5BBF0E (Mon Jul 13 23:11:10 2009)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x52C, 0x600, 5.48, b98bcc9ba3c90b189ff20173c37d255f
.rdata, 0x2000, 0x9FC, 0xA00, 3.91, 1ffea91e2c0f30f52bdd687accc33ec8
.data, 0x3000, 0x1FC, 0x200, 1.91, 62253f36b184d6599f514476890eb877
PAGE, 0x4000, 0x57C2, 0x5800, 6.32, f0af87ef65863652e6b8b0f0ab118d65
PAGEDATA, 0xA000, 0xB0, 0x200, 0.52, ed88f5e42cacb2e064c4dfe09a27e2d1
INIT, 0xB000, 0xDDC, 0xE00, 5.93, 7a4f6dfbafda041cda521817dd10c912
.rsrc, 0xC000, 0x408, 0x600, 2.51, b75ebc3273f3d59d7f267886ce6fbea0
.reloc, 0xD000, 0x690, 0x800, 5.39, 3b2aba5c89f1df172c3c8e6fcf624fe4

[[ 1 import(s) ]]
ntoskrnl.exe: memcpy, RtlCompareUnicodeStrings, _allshl, ExfAcquirePushLockShared, ExfReleasePushLockShared, KeGetCurrentThread, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeReadStateEvent, PsIsThreadTerminating, ExFreePoolWithTag, ExfAcquirePushLockExclusive, ExfTryToWakePushLock, ObfDereferenceObject, ObInsertObject, ObfReferenceObject, PsGetCurrentProcess, ExAllocatePoolWithQuotaTag, MmUserProbeAddress, IofCompleteRequest, SeReleaseSecurityDescriptor, SeCaptureSecurityDescriptor, ObReferenceObjectByHandle, EtwRegister, EtwUnregister, EtwWrite, ExEventObjectType, IoFileObjectType, ProbeForWrite, ExUnregisterExtension, ObCreateObjectType, RtlInitUnicodeString, ExRegisterExtension, memset, IoDeleteDevice, IoSetIoCompletionEx, MmCopyVirtualMemory, KeUnstackDetachProcess, KeStackAttachProcess, _allmul, KeSetEvent, PsGetCurrentProcessId, ExAllocatePoolWithTag, KeWaitForSingleObject, KeInitializeEvent, ZwAllocateLocallyUniqueId, IoAllocateMiniCompletionPacket, IoFreeMiniCompletionPacket, ObCreateObject, ObDereferenceSecurityDescriptor, RtlFreeUnicodeString, RtlCompareUnicodeString, RtlDuplicateUnicodeString, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, ObLogSecurityDescriptor, RtlAbsoluteToSelfRelativeSD, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, SeExports, RtlCreateSecurityDescriptor, ZwClose, ZwOpenKey, RtlValidRelativeSecurityDescriptor, ZwQueryValueKey, ObReferenceSecurityDescriptor, SeReleaseSubjectContext, SeAccessCheck, SeCaptureSubjectContext, SeQuerySecurityDescriptorInfo, ZwSetValueKey, SeSetSecurityDescriptorInfo, ZwDeleteValueKey, KeTickCount, KeBugCheckEx, _alloca_probe, RtlUnwind, MmGetSystemRoutineAddress, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, 
_snwprintf, IoIsWdmVersionAvailable, _wcsnicmp, wcschr, ZwCreateKey