VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

prosba o pomoc - ROOTKIT

https://forum.viry.cz:443/viewtopic.php?t=100022

Stránka 1 z 5

prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 20:39
od lusi86
ahojte... mam taky povedala by som, ze vacsi problem s jednym Rootkitom... konkretne je to Win32:Rootkit-gen [Rtk] verzia vps: 100411-1... pravdepodobne som si ho preniesla od brata na kluci a teraz sa ho neviem zbavit... cely den mi antivirus vyhadzuje, ze mam tento rootkit na roznych miestach v pocitaci cez system32 az po temporary internet files... mam avast, ale doteraz mi stacil, no na niektore potvory je slaby... nedalo sa mi stiahnut RSIT, tak pridavam log z HijackThis... a velmi prosim o pomoc... nie som natolko pocitacovo zdatna, aby som si s tymto poradila sama... :( za pomoc vopred dakujem! Lusi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:11, on 12.4.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\P4P\P4P.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\MOBILI~1\FMMSER~1.EXE
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\WINDOWS\system32\acovcnt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 54.21.177.36 msnfix.changelog.fr
O1 - Hosts: 54.21.177.36 http://www.incodesolutions.com
O1 - Hosts: 54.21.177.36 virusinfo.prevx.com
O1 - Hosts: 54.21.177.36 download.bleepingcomputer.com
O1 - Hosts: 54.21.177.36 http://www.dazhizhu.cn
O1 - Hosts: 54.21.177.36 foro.noticias3d.com
O1 - Hosts: 54.21.177.36 http://www.spybotupdates.com
O1 - Hosts: 54.21.177.36 club.myce.com
O1 - Hosts: 54.21.177.36 http://www.k7computing.com
O1 - Hosts: 54.21.177.36 softwaresecuritysolutions.com
O1 - Hosts: 54.21.177.36 http://www.nabble.com
O1 - Hosts: 54.21.177.36 lurker.clamav.net
O1 - Hosts: 54.21.177.36 lexikon.ikarus.at
O1 - Hosts: 54.21.177.36 research.sunbelt-software.com
O1 - Hosts: 54.21.177.36 http://www.virusdoctor.jp
O1 - Hosts: 54.21.177.36 http://www.elitepvpers.de
O1 - Hosts: 54.21.177.36 guru.avg.com
O1 - Hosts: 54.21.177.36 downloads.sophos.com
O1 - Hosts: 54.21.177.36 share.skype.com
O1 - Hosts: 54.21.177.36 myantispyware.com
O1 - Hosts: 54.21.177.36 http://www.computerhilfen.de
O1 - Hosts: 54.21.177.36 http://www.superuser.co.kr
O1 - Hosts: 54.21.177.36 ntfaq.co.kr
O1 - Hosts: 54.21.177.36 v.dreamwiz.com
O1 - Hosts: 54.21.177.36 cit.kookmin.ac.kr
O1 - Hosts: 54.21.177.36 forums.whatthetech.com
O1 - Hosts: 54.21.177.36 forum.hijackthis.de
O1 - Hosts: 54.21.177.36 avg.vo.llnwd.net
O1 - Hosts: 54.21.177.36 ftp.drweb.com
O1 - Hosts: 54.21.177.36 http://www.zonealarm.com
O1 - Hosts: 54.21.177.36 smadaver.com
O1 - Hosts: 54.21.177.36 support.emsisoft.com
O1 - Hosts: 54.21.177.36 psychoski.blogspot.com
O1 - Hosts: 54.21.177.36 http://www.huaifai.go.th
O1 - Hosts: 54.21.177.36 http://www.mostz.com
O1 - Hosts: 54.21.177.36 http://www.krupunmai.com
O1 - Hosts: 54.21.177.36 http://www.cddchiangmai.net
O1 - Hosts: 54.21.177.36 forum.malekal.com
O1 - Hosts: 54.21.177.36 tech.pantip.com
O1 - Hosts: 54.21.177.36 sapcupgrades.com
O1 - Hosts: 54.21.177.36 http://www.elguruinformatico.com
O1 - Hosts: 54.21.177.36 forums.avg.com
O1 - Hosts: 54.21.177.36 zastita.com
O1 - Hosts: 54.21.177.36 support.kaspersky.com
O1 - Hosts: 54.21.177.36 foro.msgpluslive.es
O1 - Hosts: 54.21.177.36 http://www.247fixes.com
O1 - Hosts: 54.21.177.36 forum.sysinternals.com
O1 - Hosts: 54.21.177.36 forum.telecharger.01net.com
O1 - Hosts: 54.21.177.36 sophos.com
O1 - Hosts: 54.21.177.36 foros.softonic.com
O1 - Hosts: 54.21.177.36 avast-home.uptodown.com
O1 - Hosts: 54.21.177.36 dr-web-cureit.softonic.com
O1 - Hosts: 54.21.177.36 heavenward.ru
O1 - Hosts: 54.21.177.36 forum.smadav.net
O1 - Hosts: 54.21.177.36 http://www.forum.kaspersky.com
O1 - Hosts: 54.21.177.36 http://www.dl4all.com
O1 - Hosts: 54.21.177.36 http://www.f-secure.com
O1 - Hosts: 54.21.177.36 http://www.chkrootkit.org
O1 - Hosts: 54.21.177.36 diamondcs.com.au
O1 - Hosts: 54.21.177.36 http://www.rootkit.nl
O1 - Hosts: 54.21.177.36 http://www.sysinternals.com
O1 - Hosts: 54.21.177.36 z-oleg.com
O1 - Hosts: 54.21.177.36 espanol.dir.groups.yahoo.com
O1 - Hosts: 54.21.177.36 ftp01net.telechargement.fr
O1 - Hosts: 54.21.177.36 modelayu.com
O1 - Hosts: 54.21.177.36 vaksin.com
O1 - Hosts: 54.21.177.36 bbs.kaspersky.com.cn
O1 - Hosts: 54.21.177.36 sf.tapuz.co.il
O1 - Hosts: 54.21.177.36 http://www.castlecrops.com
O1 - Hosts: 54.21.177.36 http://www.misec.net
O1 - Hosts: 54.21.177.36 safecomputing.umn.edu
O1 - Hosts: 54.21.177.36 http://www.antirootkit.com
O1 - Hosts: 54.21.177.36 http://www.greatis.com
O1 - Hosts: 54.21.177.36 ar.answers.yahoo.com
O1 - Hosts: 54.21.177.36 http://www.elhacker.org
O1 - Hosts: 54.21.177.36 research.pandasecurity.com
O1 - Hosts: 54.21.177.36 http://www.tpu.ro
O1 - Hosts: 54.21.177.36 http://www.pinoyden.com
O1 - Hosts: 54.21.177.36 forum.avira.de
O1 - Hosts: 54.21.177.36 http://www.tanya-it.com
O1 - Hosts: 54.21.177.36 http://www.rootkit.com
O1 - Hosts: 54.21.177.36 http://www.pctools.com
O1 - Hosts: 54.21.177.36 http://www.pcsupportadvisor.com
O1 - Hosts: 54.21.177.36 http://www.resplendence.com
O1 - Hosts: 54.21.177.36 http://www.personal.psu.edu
O1 - Hosts: 54.21.177.36 foro.ethek.com
O1 - Hosts: 54.21.177.36 foro.elhacker.net
O1 - Hosts: 54.21.177.36 download.zonealarm.com
O1 - Hosts: 54.21.177.36 spywarehammer.com
O1 - Hosts: 54.21.177.36 http://www.codelain.com
O1 - Hosts: 54.21.177.36 http://www.thaicert.org
O1 - Hosts: 54.21.177.36 vil.nail.com
O1 - Hosts: 54.21.177.36 search.mcafee.com
O1 - Hosts: 54.21.177.36 wwww.mcafee.com
O1 - Hosts: 54.21.177.36 download.nai.com
O1 - Hosts: 54.21.177.36 wwww.experts-exchange.com
O1 - Hosts: 54.21.177.36 http://www.bakunos.com
O1 - Hosts: 54.21.177.36 http://www.darkclockers.com
O1 - Hosts: 54.21.177.36 www2.gmer.net
O1 - Hosts: 54.21.177.36 ariefew.com
O1 - Hosts: 54.21.177.36 http://www.emsisoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MultiFrame] C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSConfig] C:\Documents and Settings\lucka\bclmr.exe \u
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSConfig] C:\Documents and Settings\NetworkService\jtqkx.exe \u (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Sally's Salon\Images\stg_drm.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.sk/OnlineScanner.cab
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - http://www.barracudanetworks.com/ns/pro ... emoval.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.icq.com/online/online2/mah ... uncher.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Sally's Salon\Images\armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: csbdll - C:\WINDOWS\SYSTEM32\csbdll.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: FMMService - Flarion Technologies, Inc. - C:\PROGRA~1\MOBILI~1\FMMSER~1.EXE
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 14714 bytes

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:11
od motji
Dobrý večer :)
V jakém souboru vir hlásí?
Poprosím o log ze Rsitu, viz můj podpis :)

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:19
od lusi86
Hlási to v týchto súboroch... toto je len časť...

C:\Documents and Settings\lucka\Local Settings\Temporary Internet Files\Content.IE5\OSTUP56J\seka[1]
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[1]
C:\DOCUME~1\lucka\LOCALS~1\Temp\tmp091.exe
C:\WINDOWS\system32\67.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W1ML2DGJ\ms7[1]
C:\WINDOWS\system32\03.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EPOZS7KV\ms7[1]
C:\WINDOWS\system32\57.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MTQH6ZW7\ms7[1]
C:\WINDOWS\system32\85.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[2]
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[2]
C:\WINDOWS\system32\60.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W1ML2DGJ\ms7[2]
C:\WINDOWS\system32\27.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EPOZS7KV\ms7[2]
C:\WINDOWS\system32\60.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MTQH6ZW7\ms7[2]
C:\WINDOWS\system32\03.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[3]
C:\WINDOWS\system32\57.scr
C:\WINDOWS\system32\05.scr
C:\WINDOWS\system32\58.scr
C:\WINDOWS\system32\74.scr
C:\WINDOWS\system32\56.scr
C:\WINDOWS\system32\03.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W1ML2DGJ\ms7[3]
C:\WINDOWS\system32\18.scr
C:\WINDOWS\system32\02.scr
C:\WINDOWS\system32\02.scr
C:\WINDOWS\system32\37.scr
C:\WINDOWS\system32\02.scr
C:\WINDOWS\system32\32.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[1]
C:\WINDOWS\system32\37.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W1ML2DGJ\ms7[1]
C:\WINDOWS\system32\73.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EPOZS7KV\ms7[2]
C:\WINDOWS\system32\37.scr
C:\WINDOWS\system32\32.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MTQH6ZW7\ms7[1]
C:\WINDOWS\system32\61.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M7CJ8ZKX\ms7[2]
C:\WINDOWS\system32\32.scr
C:\WINDOWS\system32\24.scr
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W1ML2DGJ\ms7[2]
C:\WINDOWS\system32\12.scr


RSIT mi nejde stiahnut z toho linku... Skusala som to aj vygooglit, odkazy mi reagovali podobne, neviem preco...
vypisuje mi:

Táto webová stránka nie je k dispozícii.

Webová stránka na adrese http://images.malwareremoval.com/random/RSIT.exe je dočasne nedostupná alebo sa trvalo presunula na novú adresu.

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:24
od motji
Stáhněte ho z přílohy :) . asi Vám je budu muset všechny programy někam poslat :D

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:28
od lusi86
dakujem velmi pekne!

you have an particularly large amount of hijacked domains. it´s probably better to delete the file itself then to fix each item (and create a backup).
if you seen the same IP address in all the reported O1 items, consider deleting you Hosts file, which is located at C:/windows/systemšľ/drivers/etc/hosts.

Pripajam ten log z RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by lucka at 2010-04-12 22:25:57
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 7 GB (12%) free of 60 GB
Total RAM: 1015 MB (31% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:51, on 12.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\P4P\P4P.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\MOBILI~1\FMMSER~1.EXE
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\PROGRA~1\SAS\SAS9~1.1\SAS.EXE
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\acovcnt.exe
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\lucka\LOCALS~1\Temp\Rar$EX00.641\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\lucka.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 54.21.177.36 msnfix.changelog.fr
O1 - Hosts: 54.21.177.36 www.incodesolutions.com
O1 - Hosts: 54.21.177.36 virusinfo.prevx.com
O1 - Hosts: 54.21.177.36 download.bleepingcomputer.com
O1 - Hosts: 54.21.177.36 www.dazhizhu.cn
O1 - Hosts: 54.21.177.36 foro.noticias3d.com
O1 - Hosts: 54.21.177.36 www.spybotupdates.com
O1 - Hosts: 54.21.177.36 club.myce.com
O1 - Hosts: 54.21.177.36 www.k7computing.com
O1 - Hosts: 54.21.177.36 softwaresecuritysolutions.com
O1 - Hosts: 54.21.177.36 www.nabble.com
O1 - Hosts: 54.21.177.36 lurker.clamav.net
O1 - Hosts: 54.21.177.36 lexikon.ikarus.at
O1 - Hosts: 54.21.177.36 research.sunbelt-software.com
O1 - Hosts: 54.21.177.36 www.virusdoctor.jp
O1 - Hosts: 54.21.177.36 www.elitepvpers.de
O1 - Hosts: 54.21.177.36 guru.avg.com
O1 - Hosts: 54.21.177.36 downloads.sophos.com
O1 - Hosts: 54.21.177.36 share.skype.com
O1 - Hosts: 54.21.177.36 myantispyware.com
O1 - Hosts: 54.21.177.36 www.computerhilfen.de
O1 - Hosts: 54.21.177.36 www.superuser.co.kr
O1 - Hosts: 54.21.177.36 ntfaq.co.kr
O1 - Hosts: 54.21.177.36 v.dreamwiz.com
O1 - Hosts: 54.21.177.36 cit.kookmin.ac.kr
O1 - Hosts: 54.21.177.36 forums.whatthetech.com
O1 - Hosts: 54.21.177.36 forum.hijackthis.de
O1 - Hosts: 54.21.177.36 avg.vo.llnwd.net
O1 - Hosts: 54.21.177.36 ftp.drweb.com
O1 - Hosts: 54.21.177.36 www.zonealarm.com
O1 - Hosts: 54.21.177.36 smadaver.com
O1 - Hosts: 54.21.177.36 support.emsisoft.com
O1 - Hosts: 54.21.177.36 psychoski.blogspot.com
O1 - Hosts: 54.21.177.36 www.huaifai.go.th
O1 - Hosts: 54.21.177.36 www.mostz.com
O1 - Hosts: 54.21.177.36 www.krupunmai.com
O1 - Hosts: 54.21.177.36 www.cddchiangmai.net
O1 - Hosts: 54.21.177.36 forum.malekal.com
O1 - Hosts: 54.21.177.36 tech.pantip.com
O1 - Hosts: 54.21.177.36 sapcupgrades.com
O1 - Hosts: 54.21.177.36 www.elguruinformatico.com
O1 - Hosts: 54.21.177.36 forums.avg.com
O1 - Hosts: 54.21.177.36 zastita.com
O1 - Hosts: 54.21.177.36 support.kaspersky.com
O1 - Hosts: 54.21.177.36 foro.msgpluslive.es
O1 - Hosts: 54.21.177.36 www.247fixes.com
O1 - Hosts: 54.21.177.36 forum.sysinternals.com
O1 - Hosts: 54.21.177.36 forum.telecharger.01net.com
O1 - Hosts: 54.21.177.36 sophos.com
O1 - Hosts: 54.21.177.36 foros.softonic.com
O1 - Hosts: 54.21.177.36 avast-home.uptodown.com
O1 - Hosts: 54.21.177.36 dr-web-cureit.softonic.com
O1 - Hosts: 54.21.177.36 heavenward.ru
O1 - Hosts: 54.21.177.36 forum.smadav.net
O1 - Hosts: 54.21.177.36 www.forum.kaspersky.com
O1 - Hosts: 54.21.177.36 www.dl4all.com
O1 - Hosts: 54.21.177.36 www.f-secure.com
O1 - Hosts: 54.21.177.36 www.chkrootkit.org
O1 - Hosts: 54.21.177.36 diamondcs.com.au
O1 - Hosts: 54.21.177.36 www.rootkit.nl
O1 - Hosts: 54.21.177.36 www.sysinternals.com
O1 - Hosts: 54.21.177.36 z-oleg.com
O1 - Hosts: 54.21.177.36 espanol.dir.groups.yahoo.com
O1 - Hosts: 54.21.177.36 ftp01net.telechargement.fr
O1 - Hosts: 54.21.177.36 modelayu.com
O1 - Hosts: 54.21.177.36 vaksin.com
O1 - Hosts: 54.21.177.36 bbs.kaspersky.com.cn
O1 - Hosts: 54.21.177.36 sf.tapuz.co.il
O1 - Hosts: 54.21.177.36 www.castlecrops.com
O1 - Hosts: 54.21.177.36 www.misec.net
O1 - Hosts: 54.21.177.36 safecomputing.umn.edu
O1 - Hosts: 54.21.177.36 www.antirootkit.com
O1 - Hosts: 54.21.177.36 www.greatis.com
O1 - Hosts: 54.21.177.36 ar.answers.yahoo.com
O1 - Hosts: 54.21.177.36 www.elhacker.org
O1 - Hosts: 54.21.177.36 research.pandasecurity.com
O1 - Hosts: 54.21.177.36 www.tpu.ro
O1 - Hosts: 54.21.177.36 www.pinoyden.com
O1 - Hosts: 54.21.177.36 forum.avira.de
O1 - Hosts: 54.21.177.36 www.tanya-it.com
O1 - Hosts: 54.21.177.36 www.rootkit.com
O1 - Hosts: 54.21.177.36 www.pctools.com
O1 - Hosts: 54.21.177.36 www.pcsupportadvisor.com
O1 - Hosts: 54.21.177.36 www.resplendence.com
O1 - Hosts: 54.21.177.36 www.personal.psu.edu
O1 - Hosts: 54.21.177.36 foro.ethek.com
O1 - Hosts: 54.21.177.36 foro.elhacker.net
O1 - Hosts: 54.21.177.36 download.zonealarm.com
O1 - Hosts: 54.21.177.36 spywarehammer.com
O1 - Hosts: 54.21.177.36 www.codelain.com
O1 - Hosts: 54.21.177.36 www.thaicert.org
O1 - Hosts: 54.21.177.36 vil.nail.com
O1 - Hosts: 54.21.177.36 search.mcafee.com
O1 - Hosts: 54.21.177.36 wwww.mcafee.com
O1 - Hosts: 54.21.177.36 download.nai.com
O1 - Hosts: 54.21.177.36 wwww.experts-exchange.com
O1 - Hosts: 54.21.177.36 www.bakunos.com
O1 - Hosts: 54.21.177.36 www.darkclockers.com
O1 - Hosts: 54.21.177.36 www2.gmer.net
O1 - Hosts: 54.21.177.36 ariefew.com
O1 - Hosts: 54.21.177.36 www.emsisoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PowerForPhone] "C:\Program Files\P4P\P4P.exe"
O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MultiFrame] C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSConfig] C:\Documents and Settings\lucka\bclmr.exe \u
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSConfig] C:\Documents and Settings\NetworkService\jtqkx.exe \u (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Sally's Salon\Images\stg_drm.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.sk/OnlineScanner.cab
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - http://www.barracudanetworks.com/ns/pro ... emoval.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.icq.com/online/online2/mah ... uncher.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Sally's Salon\Images\armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: csbdll - C:\WINDOWS\SYSTEM32\csbdll.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: FMMService - Flarion Technologies, Inc. - C:\PROGRA~1\MOBILI~1\FMMSER~1.EXE
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 15224 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{FE063DB9-4EC0-403e-8DD8-394C54984B2C}
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-07-17 691656]

{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2010-01-03 1019128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"=C:\Program Files\ATK Hotkey\Hcontrol.exe [2007-06-29 225280]
"ATKOSD2"=C:\Program Files\ATKOSD2\ATKOSD2.exe [2007-07-03 7708672]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-11-14 16270848]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Wireless Console 2"=C:\Program Files\Wireless Console 2\wcourier.exe [2007-07-05 1040384]
"ACU"=C:\Program Files\Atheros\ACU.exe [2006-11-17 348249]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-05-25 786521]
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe [2007-07-19 49520]
"ATKMEDIA"=C:\Program Files\ASUS\ATK Media\DMEDIA.EXE [2006-11-02 61440]
"Power_Gear"=C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe [2006-07-26 90112]
"PowerForPhone"=C:\Program Files\P4P\P4P.exe [2007-07-19 778240]
"ACMON"=C:\Program Files\ASUS\Splendid\ACMON.exe [2007-06-26 851968]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-03-28 413696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-31 15360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MultiFrame"=C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-06-21 999792]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-31 15360]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-06-20 451872]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"Google Update"=C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 133104]
"MSConfig"=C:\Documents and Settings\lucka\bclmr.exe [2005-04-12 17920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe [2009-03-10 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\DNA\btdna.exe [2009-11-13 323392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\DTLite.exe [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
C:\Program Files\ICQ6.5\ICQ.exe [2010-01-03 172792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-12-05 54832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobilityManager]
C:\Program Files\Mobility Manager\MobilityManager []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 56928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-11-24 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WHITNEY_S2P]
C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe [2006-03-27 229376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll]
C:\WINDOWS\system32\csbdll.dll [2005-04-12 78336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-05 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat"="C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat:*:Enabled:The Battle for Middle-earth (tm)"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"E:\games\Warcraft III\Warcraft III.exe"="E:\games\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat"="C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:*:Enabled:The Battle for Middle-earth(tm) II"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"E:\games\Poker\Poker3d.exe"="E:\games\Poker\Poker3d.exe:*:Enabled:Poker3d"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Documents and Settings\lucka\Desktop\Counterstrke\hl.exe"="C:\Documents and Settings\lucka\Desktop\Counterstrke\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\WINDOWS\system32\wmicvrts.exe"="C:\WINDOWS\system32\wmicvrts.exe:*:Enabled:DHCP Router"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ.exe"
"C:\WINDOWS\system32\wmicvrts.exe"="C:\WINDOWS\system32\wmicvrts.exe:*:Enabled:DHCP Router"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{371e8894-a9f5-11dd-a53e-0015af7d6c29}]
shell\AutoRun\command - H:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bd701a6-e361-11de-a7d8-0015af7d6c29}]
shell\AutoRun\command - H:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c8bd674-06c8-11dd-8c7f-001e8c598b41}]
shell\AutoRun\command - H:\mi9al8rs.exe
shell\open\command - H:\mi9al8rs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b79f76-739a-11dd-a4ce-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b79f78-739a-11dd-a4ce-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b79f7f-739a-11dd-a4ce-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b79f80-739a-11dd-a4ce-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ec41bd6-e8a5-11de-a7eb-0015af7d6c29}]
shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9a8616-a039-11dd-a52f-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9a8617-a039-11dd-a52f-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b90d057a-c141-11dd-a57f-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b90d057b-c141-11dd-a57f-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b90d057c-c141-11dd-a57f-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da1fb813-a459-11de-a72a-0015af7d6c29}]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e091e516-bfb6-11dd-a579-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e091e517-bfb6-11dd-a579-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e091e519-bfb6-11dd-a579-0015af7d6c29}]
shell\AutoRun\command - H:\AutoRun.exe


======List of files/folders created in the last 1 months======

2010-04-12 22:25:57 ----D---- C:\rsit
2010-03-28 20:11:48 ----A---- C:\WINDOWS\system32\acovcnt.exe
2010-03-14 13:57:57 ----D---- C:\Program Files\Veetle

======List of files/folders modified in the last 1 months======

2010-04-12 22:22:40 ----D---- C:\WINDOWS\system32
2010-04-12 22:21:58 ----AD---- C:\WINDOWS\Temp
2010-04-10 19:15:36 ----D---- C:\Documents and Settings\lucka\Application Data\ICQ
2010-04-10 11:11:21 ----D---- C:\Documents and Settings\lucka\Application Data\Skype
2010-04-10 10:48:39 ----D---- C:\Documents and Settings\lucka\Application Data\skypePM
2010-04-06 23:04:13 ----D---- C:\Documents and Settings\lucka\Application Data\BitTorrent
2010-04-04 12:58:09 ----A---- C:\WINDOWS\WDICT32.INI
2010-04-01 10:04:10 ----A---- C:\WINDOWS\winamp.ini
2010-03-28 09:34:14 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-19 11:12:52 ----D---- C:\Documents and Settings\lucka\Application Data\Facebook

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-31 36096]
R1 Tosrfcom;Bluetooth RFCOMM; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2007-05-24 64000]
R2 ASMMAP;ASMMAP; \??\C:\Program Files\ATKGFNEX\ASMMAP.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-09-15 94160]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2006-12-05 529344]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-31 60800]
R3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\PROGRA~1\ATKHOT~1\ASNDIS5.SYS []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-07-03 39424]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-05 5761728]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-15 4225920]
R3 kbfiltr;Keyboard Filter; C:\WINDOWS\system32\DRIVERS\kbfiltr.sys [2007-01-24 5632]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2006-12-14 7680]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-31 61824]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-31 5888]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-31 67584]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-11-24 982272]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-05-25 1743232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-05-25 193088]
R3 tosporte;Bluetooth COM Port; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2006-10-10 41600]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 WSIMD;wsimd Service; C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-07-20 54432]
S1 4287d6e;4287d6e; C:\WINDOWS\System32\drivers\4287d6e.sys []
S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 a97k7rkb;a97k7rkb; C:\WINDOWS\system32\drivers\a97k7rkb.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 FlrnUSB;Leadtek USB Network Interface; C:\WINDOWS\system32\DRIVERS\LtkUSB.sys [2008-05-14 41907]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2006-10-30 88960]
S3 lvupdtio;lvupdtio; \??\C:\Program Files\ASUS\ASUS Live Update\SYS\lvupdtio.sys []
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 17920]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 MotoSwitchService;MotoSwitch Service; C:\WINDOWS\system32\DRIVERS\motswch.sys [2006-12-06 6400]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 sffdisk;SFF Storage Class Driver; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2004-08-31 11136]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2004-08-31 10240]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 tosrfbd;Bluetooth RFBUS; C:\WINDOWS\system32\DRIVERS\tosrfbd.sys [2007-04-24 113920]
S3 tosrfbnp;Bluetooth RFBNEP; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2006-11-20 36480]
S3 Tosrfhid;Bluetooth RFHID; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2007-03-01 73728]
S3 tosrfnds;Bluetooth Personal Area Network; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 tosrfusb;Bluetooth USB Controller; C:\WINDOWS\system32\DRIVERS\tosrfusb.sys [2007-06-11 41856]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-31 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2004-08-04 78464]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\acs.exe [2006-11-17 360533]
R2 ADSMService;ADSM Service; C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe [2007-05-18 73728]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 ATKGFNEXSrv;ATKGFNEX Service; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [2007-06-11 94208]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 FMMService;FMMService; C:\PROGRA~1\MOBILI~1\FMMSER~1.EXE [2007-12-06 40960]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-06-28 79136]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-09-29 266343]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 125048]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2005-04-12 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-01 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:36
od lusi86
a este pripajam aj info

info.txt logfile of random's system information tool 1.06 2010-04-12 22:26:58

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{977FBE6C-AE9A-4429-B249-814F0B3A4CB1}
-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Applian FLV Player-->"C:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
Ask & Record Toolbar 4.00 -->"C:\WINDOWS\Ask & Record Toolbar\uninstall.exe" "/U:C:\Program Files\Ask & Record Toolbar\Uninstall\uninstall.xml"
ASUS Data Security Manager-->C:\Program Files\InstallShield Installation Information\{1C8521E5-5A7B-4A4E-A9CD-AD53116EAEE0}\setup.exe -runfromtemp -l0x0009 -removeonly
ASUS InstantFun-->MsiExec.exe /I{57B15AD4-8C9D-4164-82BB-E33D8644E757}
ASUS Live Update-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E657B243-9AD4-4ECC-BE81-4CCF8D667FD0}\setup.EXE" -l0x9
ASUS MultiFrame-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D48531D-2135-49FC-BC29-ACCDA5396A76}\setup.EXE" -l0x9
ASUS Splendid Video Enhancement Technology-->C:\Program Files\InstallShield Installation Information\{C0FC1C14-4824-4A73-87A6-9E888C9C3102}\setup.EXE -runfromtemp -l0x0009 -removeonly
ASUS Virtual Camera-->MsiExec.exe /I{4DFA6DA8-75D8-4F2B-A1A0-A5E7A3B779C8}
Atheros Client Installation Program-->C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe -runfromtemp -l0x0009 -removeonly
Atheros Communications Inc.(R) L1 Gigabit Ethernet Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E19F210-3813-4002-B561-94D66AA182B6}\SETUP.EXE" -l0x9 -removeonly
ATK Generic Function Service-->C:\Program Files\InstallShield Installation Information\{D3D54F3E-C5C3-443D-978F-87A72E5616E8}\setup.exe -runfromtemp -l0x0009 -removeonly
ATK Hotkey-->C:\Program Files\InstallShield Installation Information\{3912D529-02BC-4CA8-B5ED-0D0C20EB6003}\setup.exe -runfromtemp -l0x0009 -removeonly
ATK Media-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}\setup.EXE" -l0x9
ATKOSD2-->C:\Program Files\InstallShield Installation Information\{5C1DB4ED-E9B4-402D-BB14-D75D97D6C1A6}\setup.exe -runfromtemp -l0x0009 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
BS.Player FREE-->"C:\Program Files\Webteh\BSPlayer\uninstall.exe"
BSPlayer-->"C:\Program Files\Webteh\BSPlayer\uninstall.exe"
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Codec Pack - All In 1 6.0.3.0-->C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
DAEMON Tools Toolbar-->C:\Program Files\DAEMON Tools Toolbar\uninst.exe
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
EVEREST Home Edition v2.20-->"C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
ICQ Toolbar-->C:\Program Files\ICQ6Toolbar\ICQUnToolbar.exe
ICQ6.5-->"C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
K-Lite Codec Pack 4.4.5 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
LifeFrame2-->MsiExec.exe /I{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}
MediaShow 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110405-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
Mobility Manager-->"C:\Program Files\Mobility Manager\Uninstall Mobility Manager\Uninstall Mobility Manager.exe"
Motorola SM56 Speakerphone Modem-->rundll32.exe sm56co6a.dll,SM56UnInstaller
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero 7 Essentials-->MsiExec.exe /X{BC61F51E-8AF7-46B9-AF20-B33B5EE81051}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Opera 9.62-->MsiExec.exe /X{D9226EB1-C528-48AC-B423-BD9240E1F60B}
P4P-->C:\Program Files\InstallShield Installation Information\{FC3D290D-79BE-44B7-ABF9-FDD110925930}\setup.EXE -runfromtemp -l0x0009 -removeonly
Pán Prsteňov: Bitka o Stredozem II SK-->C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\Odinštalovať PP-BoS-II_SK.exe
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
Power4 Gear-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4462AD13-F2AA-4CBD-9F95-293C38EED870}\setup.EXE" -l0x9
PowerDirector-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Readiris Pro 9-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CA9D105-113C-11D8-AB3E-000102B0F79A}\setup.exe" -l0x9
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.EXE" -l0x9 anything
Samsung SCX-4x21 Series-->C:\Program Files\Samsung\Samsung SCX-4x21 Series\Install\Setup.exe /R
SAS 9.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68624FB8-2512-46B5-9664-64366DCCB3EB}\setup.exe" -l0x9 uninstall
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.1)-->C:\Program Files\SAS\Shared Files\JRE\1.4.1\_uninst\Uninst.exe
SAS Private JRE (J2SE(tm) Java Runtime Environment 1.4.2_09)-->C:\Program Files\SAS\Shared Files\JRE\1.4.2_09\_uninst\Uninst.exe
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SmarThru 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90F1943D-EA4A-4460-B59F-30023F3BA69A}\Setup.exe" -l0x9 uninstall -l0009
SmarThru PC Fax-->C:\WINDOWS\prinst.exe /m"Samsung" /u"SmarThru PC Fax"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Battle for Middle-earth (tm) II-->C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\EAUninstall.exe
The Battle for Middle-earth (tm)-->C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\EAUninstall.exe
The Sims 2-->C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims™ 3-->"C:\Program Files\InstallShield Installation Information\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}\Sims3Setup.exe" -runfromtemp -l0x0005 -removeonly
Total Commander (Remove or Repair)-->c:\totalcmd\tcuninst.exe
USB 2.0 1.3M UVC WebCam-->C:\WINDOWS\snuninst.exe /name='USB 2.0 1.3M UVC WebCam'
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Veetle TV 0.9.16-->C:\Program Files\Veetle\UninstallVeetleTV.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinFlash-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE10AB76-4756-4913-BE25-55D1C1051F9A}\setup.EXE" -l0x9
WinRAR-->C:\Program Files\WinRAR\uninstall.exe
Wireless Console 2-->C:\Program Files\InstallShield Installation Information\{83F73CB1-7705-49D1-9852-84D839CA2A45}\setup.exe -runfromtemp -l0x0009 -removeonly

======Hosts File======

54.21.177.36 msnfix.changelog.fr
54.21.177.36 www.incodesolutions.com
54.21.177.36 virusinfo.prevx.com
54.21.177.36 download.bleepingcomputer.com
54.21.177.36 www.dazhizhu.cn
54.21.177.36 foro.noticias3d.com
54.21.177.36 www.spybotupdates.com
54.21.177.36 club.myce.com
54.21.177.36 www.k7computing.com
54.21.177.36 softwaresecuritysolutions.com

======Security center information======

AV: avast! antivirus 4.8.1368 [VPS 100411-1]

======System event log======

Computer Name: LUCKA
Event Code: 7036
Message: Služba Telephony vstúpila do stavu Spustené.

Record Number: 51384
Source Name: Service Control Manager
Time Written: 20100311143103.000000+060
Event Type: informácie
User:

Computer Name: LUCKA
Event Code: 7036
Message: Služba Fast User Switching Compatibility vstúpila do stavu Spustené.

Record Number: 51383
Source Name: Service Control Manager
Time Written: 20100311143103.000000+060
Event Type: informácie
User:

Computer Name: LUCKA
Event Code: 7000
Message: Spustenie služby DgiVecp zlyhalo kvôli nasledujúcej chybe:
Systém nemôže nájsť zadané zariadenie.


Record Number: 51382
Source Name: Service Control Manager
Time Written: 20100311143103.000000+060
Event Type: chyba
User:

Computer Name: LUCKA
Event Code: 7035
Message: Službe Telephony bolo úspešne odoslané riadenie Spustené.

Record Number: 51381
Source Name: Service Control Manager
Time Written: 20100311143103.000000+060
Event Type: informácie
User: LUCKA\lucka

Computer Name: LUCKA
Event Code: 7035
Message: Službe Fast User Switching Compatibility bolo úspešne odoslané riadenie Spustené.

Record Number: 51380
Source Name: Service Control Manager
Time Written: 20100311143103.000000+060
Event Type: informácie
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: LUCKA
Event Code: 1002
Message: Prostredie bolo neočakávane zastavené a počítač Explorer.exe sa reštartoval.

Record Number: 9900
Source Name: Winlogon
Time Written: 20091108103722.000000+060
Event Type: informácie
User:

Computer Name: LUCKA
Event Code: 1000
Message: Zlyhanie aplikácie explorer.exe, verzia 6.0.2900.2180, zlyhanie modulu mpeg2dmx.ax, verzia 2.0.84.30429, adresa zlyhania 0x0000dff3.

Record Number: 9899
Source Name: Application Error
Time Written: 20091108103717.000000+060
Event Type: chyba
User:

Computer Name: LUCKA
Event Code: 1002
Message: Prostredie bolo neočakávane zastavené a počítač Explorer.exe sa reštartoval.

Record Number: 9898
Source Name: Winlogon
Time Written: 20091108102216.000000+060
Event Type: informácie
User:

Computer Name: LUCKA
Event Code: 1000
Message: Zlyhanie aplikácie explorer.exe, verzia 6.0.2900.2180, zlyhanie modulu mpeg2dmx.ax, verzia 2.0.84.30429, adresa zlyhania 0x0000dff3.

Record Number: 9897
Source Name: Application Error
Time Written: 20091108102210.000000+060
Event Type: chyba
User:

Computer Name: LUCKA
Event Code: 1002
Message: Prostredie bolo neočakávane zastavené a počítač Explorer.exe sa reštartoval.

Record Number: 9896
Source Name: Winlogon
Time Written: 20091108102048.000000+060
Event Type: informácie
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:42
od motji
Než napíšu skript, použijte tent program, restartujte počítač a napište, jestli už se dostanete na ty stránky, co Vám nešli :) Máte to parádně zavirované, jak se Vám to povedlo? :D . Já tu budu tak do půlnoci :)


:arrow: z přílohy stahněte soubor, rozbalte a použijte. Pak restartujte počítač a běžte rovnou do nouzového režimu s prací v síti (po restartu mačkejte F8)

:arrow: Z mého podpisu stahněte Ccleaner
- nainstalujte, při výběru, co se má nainstalovat, dejte pryč fajfku u instalace yahoo toolbaru

Obrázekzáložka čistič
-nechejte v levém sloupečku zatrhnuté vše jak je, klikněte na analyzovat
-po analýze klikněte na Spustit Ccleaner

Obrázekzáložka Registry
- klikněte na hledej problémy
- pak klikněte na opravit vybrané problémy -- udělat zálohu registrů - nemusíte
- kliknete opravit všechny problémy :arrow: ok :arrow: zavřít

Obrázek Záložka Nástroje
- zde můžete odinstalovat programy. Je to důkladnější odinstalace než u přidat/odebrat programy ve Windows.

Ccleaner - čistič doporučuji používat, krásně pročistí pc od dočasných souborů.
Registry pročistí třeba po odinstalaci nějakého programu.

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:46
od lusi86
CC Cleaner som pouzila podla navodu, ten mam nainstalovany uz dlhsie.

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 21:56
od motji
Zkuste, jestli se Vám combofix podaří stahnout, když tak napište :)

:arrow: Combofix stahněte takto:
- pravým myšítkem klikněte na odkaz combofixu --uložit jako.. ,a teď ho přejmenujte na Potvora.com a uložte.


:arrow: Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe



- ComboFix je třeba spustit pod účtem s právy administrátora

- Před použitím vypněte všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary

- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano

- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna :!:

- Po dokončení skenování, trvajícího maximálně 10 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah sem

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:01
od lusi86
mam stiahnute vsetky subory, ktore mi predtym nesli z temy ROOTKITY - zakladny postup pri diagnostike

a takisto sa mi podarilo stiahnut combofix idem spustit

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:04
od motji
Doufám že combofix máte aktuální :o

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:18
od lusi86
stiahla som ho z toho vasho odkazu.

tu je log:

ComboFix 10-04-12.01 - lucka 12.04.2010 23:05:50.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.1015.582 [GMT 2:00]
Running from: c:\documents and settings\lucka\Desktop\potvora.com.exe
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lucka\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\lucka\Application Data\wiaserva.log
c:\documents and settings\lucka\secupdat.dat
c:\documents and settings\NetworkService\secupdat.dat
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
C:\restore
c:\windows\system32\acovcnt.exe
c:\windows\system32\csbdll.dll
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF


((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 20:25 . 2010-04-12 20:26 -------- d-----w- C:\rsit
2010-03-14 11:57 . 2010-03-14 11:58 -------- d-----w- c:\program files\Veetle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 17:15 . 2008-04-05 10:54 -------- d-----w- c:\documents and settings\lucka\Application Data\ICQ
2010-04-10 09:11 . 2008-04-05 15:59 -------- d-----w- c:\documents and settings\lucka\Application Data\Skype
2010-04-10 08:48 . 2008-05-24 19:47 -------- d-----w- c:\documents and settings\lucka\Application Data\skypePM
2010-04-06 21:04 . 2009-05-16 09:33 -------- d-----w- c:\documents and settings\lucka\Application Data\BitTorrent
2010-03-19 09:12 . 2010-02-06 19:35 50354 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\uninstall.exe
2010-03-19 09:12 . 2010-02-06 19:35 -------- d-----w- c:\documents and settings\lucka\Application Data\Facebook
2010-03-12 20:54 . 2009-05-16 09:32 -------- d-----w- c:\documents and settings\lucka\Application Data\DNA
2010-03-12 20:45 . 2010-03-12 20:45 -------- d-----w- c:\program files\CCleaner
2010-03-12 19:33 . 2009-05-16 09:32 -------- d-----w- c:\program files\DNA
2010-03-12 19:33 . 2008-12-19 19:43 -------- d-----w- c:\program files\ICQ6Toolbar
2010-03-11 14:24 . 2010-03-11 14:21 -------- d-----w- c:\program files\ICQ6.5
2010-03-11 14:22 . 2008-12-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ
2010-03-09 22:53 . 2008-03-26 18:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-06 16:35 . 2010-03-06 16:35 0 ----a-w- c:\documents and settings\lucka\MobilityManager.tmp
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-03-03 23:04 . 2004-12-14 21:57 -------- d-----w- c:\program files\SAS
2010-03-03 12:24 . 2010-03-03 12:18 -------- d-----w- c:\documents and settings\lucka\Application Data\DAEMON Tools Lite
2010-03-03 12:23 . 2010-03-03 12:19 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-03 12:20 . 2008-11-09 14:58 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-03-03 12:20 . 2008-11-09 14:54 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-03 12:18 . 2010-03-03 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-17 02:21 . 2010-01-17 02:21 79488 ----a-w- c:\documents and settings\lucka\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-04-24 15:39 . 2009-04-24 15:38 7349656 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-31 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-31 . 7399D854596BFEFEED6B60879F28CE07 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 16:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MultiFrame"="c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe" [2007-06-21 999792]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-06-29 225280]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-11-17 348249]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 49520]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"PowerForPhone"="c:\program files\P4P\P4P.exe" [2007-07-19 778240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-31 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobilityManager]
c:\program files\Mobility Manager\MobilityManager [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-03-10 00:29 156672 ----a-w- c:\program files\Ask & Record Toolbar\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-13 09:04 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-29 14:57 133104 ----atw- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2010-01-03 15:30 172792 ----a-w- c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-24 17:31 630784 ----a-r- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WHITNEY_S2P]
2006-03-27 06:35 229376 ----a-w- c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 huqqgocy;huqqgocy;c:\windows\system32\Drivers\huqqgocy.sys --> c:\windows\system32\Drivers\huqqgocy.sys [?]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2008 16:54 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [22.11.2009 3:54 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.11.2009 3:54 20560]
R2 FMMService;FMMService;c:\progra~1\MOBILI~1\FMMSER~1.EXE [2.11.2009 19:35 40960]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [19.12.2008 21:43 246520]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [26.3.2008 20:47 39424]
S1 4287d6e;4287d6e;c:\windows\system32\drivers\4287d6e.sys --> c:\windows\system32\drivers\4287d6e.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 FlrnUSB;Leadtek USB Network Interface;c:\windows\system32\drivers\LtkUSB.sys [2.11.2009 19:35 41907]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12.9.2008 20:29 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12.9.2008 20:29 7680]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 11:47 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003Core.job
- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 14:57]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003UA.job
- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/products/s ... emoval.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.icq.com/online/online2/mahjong_escape_ancient_china/SpinTopGamesLauncher.cab
FF - ProfilePath - c:\documents and settings\lucka\Application Data\Mozilla\Firefox\Profiles\kded3tap.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
Notify-csbdll - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 23:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\ADSM_PData_0150

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86DD61F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7543fc3
\Driver\ACPI -> ACPI.sys @ 0xf72abcb8
\Driver\atapi -> 0x86dd61f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
ParseProcedure -> ntkrnlpa.exe @ 0x8058147e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
ParseProcedure -> ntkrnlpa.exe @ 0x8058147e
NDIS: Atheros AR5006X Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7138bc3
PacketIndicateHandler -> NDIS.sys @ 0xf7144b21
SendHandler -> NDIS.sys @ 0xf7138d33
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3916)
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\acs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\ACEngSvr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\system32\acovcnt.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\ATK Hotkey\KBFiltr.exe
c:\program files\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2010-04-12 23:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 21:16

Pre-Run: 7 886 868 480 bytes free
Post-Run: 7 753 420 800 voľných bajtov

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FF7B0E8AFD950FA49C124B59BD14C30C

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:31
od motji
:arrow: Vypněte Tea timer od Spybotu

:arrow: Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

KillAll::

restore::
c:\windows\system32\drivers\tcpip.sys

Collect::
c:\windows\system32\drivers\4287d6e.sys
c:\windows\system32\Drivers\huqqgocy.sys

File::
c:\windows\system32\Drivers\SSPORT.sys

Driver::
4287d6e
SSPORT
huqqgocy

Folder::
c:\program files\DAEMON Tools Toolbar

registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobilityManager]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

DDS::
uStart Page = hxxp://start.icq.com/
DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} - hxxp://www.barracudanetworks.com/ns/pro ... emoval.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://games.icq.com/online/online2/mah ... uncher.cab

Firefox::
FF - ProfilePath - c:\documents and settings\lucka\Application Data\Mozilla\Firefox\Profiles\kded3tap.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:

Obrázek


-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:52
od lusi86
novy log z combofixu:

ComboFix 10-04-12.01 - lucka 12.04.2010 23:39:26.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.1015.593 [GMT 2:00]
Running from: c:\documents and settings\lucka\Desktop\potvora.com.exe
Command switches used :: c:\documents and settings\lucka\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\Drivers\SSPORT.sys"

file zipped: c:\windows\system32\Drivers\huqqgocy.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DAEMON Tools Toolbar
c:\program files\DAEMON Tools Toolbar\_DTLite.xml
c:\program files\DAEMON Tools Toolbar\DTToolbar.dll
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.xpt
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\chrome.manifest
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\chrome\dttoolbar.jar
c:\program files\DAEMON Tools Toolbar\FirefoxDTT\install.rdf
c:\program files\DAEMON Tools Toolbar\Resources\about.ico
c:\program files\DAEMON Tools Toolbar\Resources\as.ico
c:\program files\DAEMON Tools Toolbar\Resources\as.png
c:\program files\DAEMON Tools Toolbar\Resources\astro.ico
c:\program files\DAEMON Tools Toolbar\Resources\b1.bmp
c:\program files\DAEMON Tools Toolbar\Resources\b1.png
c:\program files\DAEMON Tools Toolbar\Resources\BurnImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\buy.ico
c:\program files\DAEMON Tools Toolbar\Resources\cond000.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond001.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond003.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond004.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond005.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond006.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond007.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond008.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond009.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond010.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond011.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond019.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond020.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond021.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond022.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond023.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond024.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond025.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond026.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond037.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond038.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond039.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond040.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond041.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond046.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond048.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond050.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond051.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond052.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond053.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond054.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond055.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond056.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond057.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond058.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond059.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond060.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond061.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond062.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond063.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond064.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond065.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond066.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond067.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond068.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond069.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond075.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond076.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond077.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond078.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond079.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond080.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond084.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond085.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond086.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond087.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond088.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond089.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond090.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond091.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond092.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond093.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond094.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond095.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond108.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond109.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond110.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond111.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond112.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond113.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond120.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond121.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond122.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond126.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond127.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond128.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond129.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond130.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond131.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond132.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond133.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond134.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond135.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond136.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond137.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond138.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond140.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond141.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond142.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond143.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond148.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond149.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond152.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond154.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond155.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond156.gif
c:\program files\DAEMON Tools Toolbar\Resources\cond157.gif
c:\program files\DAEMON Tools Toolbar\Resources\d.ico
c:\program files\DAEMON Tools Toolbar\Resources\d2.ico
c:\program files\DAEMON Tools Toolbar\Resources\daemon.ico
c:\program files\DAEMON Tools Toolbar\Resources\ds.ico
c:\program files\DAEMON Tools Toolbar\Resources\dsearch.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt.ico
c:\program files\DAEMON Tools Toolbar\Resources\DTPro.ico
c:\program files\DAEMON Tools Toolbar\Resources\Dwnl.ico
c:\program files\DAEMON Tools Toolbar\Resources\emulation.ico
c:\program files\DAEMON Tools Toolbar\Resources\features.ico
c:\program files\DAEMON Tools Toolbar\Resources\gd.ico
c:\program files\DAEMON Tools Toolbar\Resources\globe.ico
c:\program files\DAEMON Tools Toolbar\Resources\GrabImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\hb.bmp
c:\program files\DAEMON Tools Toolbar\Resources\hb.ico
c:\program files\DAEMON Tools Toolbar\Resources\help.ico
c:\program files\DAEMON Tools Toolbar\Resources\ip.ico
c:\program files\DAEMON Tools Toolbar\Resources\lang.xml
c:\program files\DAEMON Tools Toolbar\Resources\lingvo.ico
c:\program files\DAEMON Tools Toolbar\Resources\m.ico
c:\program files\DAEMON Tools Toolbar\Resources\mail.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\noW.gif
c:\program files\DAEMON Tools Toolbar\Resources\op.ico
c:\program files\DAEMON Tools Toolbar\Resources\pragma.ico
c:\program files\DAEMON Tools Toolbar\Resources\prev.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prod.ico
c:\program files\DAEMON Tools Toolbar\Resources\refresh.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Rss.ico
c:\program files\DAEMON Tools Toolbar\Resources\Rss1.ico
c:\program files\DAEMON Tools Toolbar\Resources\rssClose.ico
c:\program files\DAEMON Tools Toolbar\Resources\rssL.bmp
c:\program files\DAEMON Tools Toolbar\Resources\rssOpen.ico
c:\program files\DAEMON Tools Toolbar\Resources\size.bmp
c:\program files\DAEMON Tools Toolbar\Resources\size_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\skins.ico
c:\program files\DAEMON Tools Toolbar\Resources\spt.ico
c:\program files\DAEMON Tools Toolbar\Resources\SupportRequest.ico
c:\program files\DAEMON Tools Toolbar\Resources\time.ico
c:\program files\DAEMON Tools Toolbar\Resources\TitleIcon.ico
c:\program files\DAEMON Tools Toolbar\Resources\toolbar.xml
c:\program files\DAEMON Tools Toolbar\Resources\trans.ico
c:\program files\DAEMON Tools Toolbar\Resources\Trash.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\u.ico
c:\program files\DAEMON Tools Toolbar\Resources\wb.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Weather_m42.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Weather_m43.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wi.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi0.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi1.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi10.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi11.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi12.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi13.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi2.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi3.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi4.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi5.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi6.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi7.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi8.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi9.ico
c:\program files\DAEMON Tools Toolbar\uninst.exe
c:\windows\system32\acovcnt.exe
c:\windows\system32\drivers\huqqgocy.sys

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\tcpip.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HUQQGOCY
-------\Service_4287d6e
-------\Service_huqqgocy
-------\Service_SSPORT


((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 20:25 . 2010-04-12 20:26 -------- d-----w- C:\rsit
2010-03-14 11:57 . 2010-03-14 11:58 -------- d-----w- c:\program files\Veetle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 17:15 . 2008-04-05 10:54 -------- d-----w- c:\documents and settings\lucka\Application Data\ICQ
2010-04-10 09:11 . 2008-04-05 15:59 -------- d-----w- c:\documents and settings\lucka\Application Data\Skype
2010-04-10 08:48 . 2008-05-24 19:47 -------- d-----w- c:\documents and settings\lucka\Application Data\skypePM
2010-04-06 21:04 . 2009-05-16 09:33 -------- d-----w- c:\documents and settings\lucka\Application Data\BitTorrent
2010-03-19 09:12 . 2010-02-06 19:35 50354 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\uninstall.exe
2010-03-19 09:12 . 2010-02-06 19:35 -------- d-----w- c:\documents and settings\lucka\Application Data\Facebook
2010-03-12 20:54 . 2009-05-16 09:32 -------- d-----w- c:\documents and settings\lucka\Application Data\DNA
2010-03-12 20:45 . 2010-03-12 20:45 -------- d-----w- c:\program files\CCleaner
2010-03-12 19:33 . 2009-05-16 09:32 -------- d-----w- c:\program files\DNA
2010-03-12 19:33 . 2008-12-19 19:43 -------- d-----w- c:\program files\ICQ6Toolbar
2010-03-11 14:24 . 2010-03-11 14:21 -------- d-----w- c:\program files\ICQ6.5
2010-03-11 14:22 . 2008-12-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ
2010-03-09 22:53 . 2008-03-26 18:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-06 16:35 . 2010-03-06 16:35 0 ----a-w- c:\documents and settings\lucka\MobilityManager.tmp
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-03-03 23:04 . 2004-12-14 21:57 -------- d-----w- c:\program files\SAS
2010-03-03 12:24 . 2010-03-03 12:18 -------- d-----w- c:\documents and settings\lucka\Application Data\DAEMON Tools Lite
2010-03-03 12:23 . 2010-03-03 12:19 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-03 12:20 . 2008-11-09 14:54 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-03 12:18 . 2010-03-03 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-17 02:21 . 2010-01-17 02:21 79488 ----a-w- c:\documents and settings\lucka\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-04-24 15:39 . 2009-04-24 15:38 7349656 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-12_21.13.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-12 21:47 . 2010-04-12 21:47 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2010-04-12 21:47 . 2010-04-12 21:47 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 16:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MultiFrame"="c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe" [2007-06-21 999792]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"Google Update"="c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-06-29 225280]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-07-03 7708672]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2006-11-17 348249]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 49520]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"PowerForPhone"="c:\program files\P4P\P4P.exe" [2007-07-19 778240]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2007-06-26 851968]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-31 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ask and Record FLV Service]
2009-03-10 00:29 156672 ----a-w- c:\program files\Ask & Record Toolbar\FLVSrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-13 09:04 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-12-29 14:57 133104 ----atw- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2010-01-03 15:30 172792 ----a-w- c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-24 17:31 630784 ----a-r- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WHITNEY_S2P]
2006-03-27 06:35 229376 ----a-w- c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.11.2008 16:54 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [22.11.2009 3:54 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.11.2009 3:54 20560]
R2 FMMService;FMMService;c:\progra~1\MOBILI~1\FMMSER~1.EXE [2.11.2009 19:35 40960]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [19.12.2008 21:43 246520]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [26.3.2008 20:47 39424]
S3 FlrnUSB;Leadtek USB Network Interface;c:\windows\system32\drivers\LtkUSB.sys [2.11.2009 19:35 41907]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12.9.2008 20:29 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12.9.2008 20:29 7680]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 11:47 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003Core.job
- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 14:57]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-1214440339-725345543-1003UA.job
- c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 14:57]
.
.
------- Supplementary Scan -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\lucka\Application Data\Mozilla\Firefox\Profiles\kded3tap.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\lucka\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\lucka\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 23:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D671F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7540fc3
\Driver\ACPI -> ACPI.sys @ 0xf72a8cb8
\Driver\atapi -> 0x86d671f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
ParseProcedure -> ntkrnlpa.exe @ 0x8058147e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582384
ParseProcedure -> ntkrnlpa.exe @ 0x8058147e
NDIS: Atheros AR5006X Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7135bc3
PacketIndicateHandler -> NDIS.sys @ 0xf7123a0b
SendHandler -> NDIS.sys @ 0xf7137b31
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(464)
c:\program files\ASUS\Asus MultiFrame\HookTitle.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\acs.exe
c:\windows\RTHDCPL.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\ACEngSvr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\windows\system32\acovcnt.exe
c:\program files\ATK Hotkey\KBFiltr.exe
c:\program files\ATK Hotkey\WDC.exe
.
**************************************************************************
.
Completion time: 2010-04-12 23:50:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 21:50
ComboFix2.txt 2010-04-12 21:16

Pre-Run: 7 997 235 200 bytes free
Post-Run: 7 959 445 504 voľných bajtov

- - End Of File - - 47A84734504589417A931A7A3B035434

Re: prosba o pomoc - ROOTKIT

Napsal: 12 dub 2010 22:55
od motji
Fajn, jak to vypadá s počítačem?
Ještě provedeme kontrolu na rootkity :) . Já už dnes končím, pokračování zítra :)

:arrow: odinstalujte všechny virtuální jednotky (Daemon nebo alcohol)

:arrow: Stáhněte SPTD http://www.duplexsecure.com/en/downloads
-vyberte verzi podle svého operačního systému. SPTD for Windows (32 bit) nebo (64b)
-uložte na plochu a spusťte
- zvolte možnost Uninstall
- restart PC
- spusťte gmer


:arrow: Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- rozbalte a spusťte
-proběhne sken, po skončení se otevře okno s výsledky, kliknete na Save a tím si uložíte log,který sem vložíte

-Podle návodu v odkazu proveďte druhý sken a log sem také vložte.

:arrow: stáhněte MBR
http://www2.gmer.net/mbr/mbr.exe
-uložte ho na plochu


:arrow: start-spustit
do okénka zkopírujte

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t
ok

:arrow: vytvoří se log s názvem mbr.log, vložte ho zde
Všechny časy jsou v UTC+01:00
Stránka 1 z 5

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz