
I suspect an infection (and so does avast, it reports rootkits)

Posted: 24 May 2011 20:22
by Maniacccc
Hello,
after every Windows start, avast reports a rootkit in the user temp folder. I deleted it and the problem did not go away... The rootkit avast finds has a different name every time. Lately Windows Explorer has been freezing often.

Thanks in advance for your time

Log:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Pepa at 2011-05-24 21:19:13
Microsoft Windows 7 Professional
System drive C: has 182 GB (38%) free of 477 GB
Total RAM: 4094 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:19:15, on 24.5.2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
C:\Data\DAEMON Tools Pro\DTAgent.exe
C:\Data\Avast4\ashDisp.exe
C:\Data\VirtualCloneDrive\VCDDaemon.exe
C:\Data\QIP\qip.exe
C:\Program Files (x86)\Common Files\Teleca Shared\Generic.exe
C:\Data\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Data\Mozilla Firefox\firefox.exe
C:\Data\Mozilla Firefox\plugin-container.exe
C:\Program Files\trend micro\Pepa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll
O4 - HKLM\..\Run: [avast!] "C:\Data\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Data\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Window update] C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
O4 - HKCU\..\Run: [MultiScreen]
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Data\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Data\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Data\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Data\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Data\Avast4\ashWebSv.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7196 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
"C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe"
atieclxx
C:\Windows\system32\svchost.exe -k NetworkService
"C:\Data\Avast4\aswUpdSv.exe"
"C:\Data\Avast4\ashServ.exe"
"C:\Windows\system32\Dwm.exe"
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
"C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe"
"C:\Data\DAEMON Tools Pro\DTAgent.exe" -autorun
"C:\Data\Avast4\ashDisp.exe"
"C:\Data\VirtualCloneDrive\VCDDaemon.exe" /s
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe"
"C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
"taskhost.exe"
C:\Windows\SysWOW64\PnkBstrA.exe
"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Data\Avast4\ashWebSv.exe" /service
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Data\Avast4\ashMaiSv.exe" /service
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
"C:\Windows\system32\wuauclt.exe"
"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-25a5c318-8989-40d7-83ce-ec0f85c23a65 -SystemEventPortName:HostProcess-bd44afea-2509-48e5-b7ba-c3b7c4e135de -IoCancelEventPortName:HostProcess-cae8b7d9-7dc2-4888-a17a-3db65e03287a -NonStateChangingEventPortName:HostProcess-585aad6a-f7fd-40f4-8549-6d006567a048 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:064a125b-82c2-4bb7-811f-1e0b6f201ea1
"C:\Data\QIP\qip.exe"
"C:\Program Files (x86)\Common Files\Teleca Shared\Generic.exe" -Embedding
"C:\Data\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe" -Embedding
C:\Windows\system32\svchost.exe -k SDRSVC
"C:\Program Files (x86)\Skype\Phone\Skype.exe"
"C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe" /SILENT
explorer.exe
"C:\Data\Mozilla Firefox\firefox.exe"
"C:\Data\Mozilla Firefox\plugin-container.exe" --channel=3980.880c200.2084488110 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll" "Mozilla.Firefox.4.0.1" -omnijar C:\Data\Mozilla Firefox\omni.jar 3980 \\.\pipe\gecko-crash-server-pipe.3980 plugin
"C:\Users\Pepa\Downloads\RSITx64.exe"
"C:\Users\Pepa\Downloads\RSITx64.exe"

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-10-30 49440]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30 62376]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD92DE22-ED91-4560-B788-DEE2B26612E6}]
BHO Class - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll [2009-06-22 335104]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-14 1475072]
"Window update"=C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe [2010-09-24 105984]
"MultiScreen"= []
"DAEMON Tools Pro Agent"=C:\Data\DAEMON Tools Pro\DTAgent.exe [2011-03-17 842048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [2010-09-16 1164584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe [2007-07-26 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files (x86)\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2009-08-18 8067616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Data\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2007-06-13 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\ProgramyFiles\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-11-04 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update]
C:\Users\Pepa\Documents\SYS\winupdate.exe [2010-09-24 23552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Pepa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
C:\Data\Office\OPENOF~1.ORG\program\QUICKS~1.EXE [2009-09-16 384512]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\Data\Avast4\ashDisp.exe [2009-11-25 81000]
"VirtualCloneDrive"=C:\Data\VirtualCloneDrive\VCDDaemon.exe [2009-06-17 85160]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [2011-01-30 35736]
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-11-15 932288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.txt - open - "C:\Data\PSPad editor\PSPad.exe" "%1"

======List of files/folders created in the last 1 months======

2011-05-24 21:18:00 ----D---- C:\rsit
2011-05-24 21:18:00 ----D---- C:\Program Files\trend micro
2011-05-24 19:09:17 ----D---- C:\Program Files\World of Warcraft – kopie
2011-05-24 18:49:21 ----D---- C:\Users\Pepa\AppData\Roaming\My Battle for Middle-earth Files
2011-05-19 11:09:22 ----A---- C:\Windows\system32\drivers\dtsoftbus01.sys
2011-05-19 11:08:37 ----D---- C:\Users\Pepa\AppData\Roaming\DAEMON Tools Pro
2011-05-19 11:08:37 ----D---- C:\ProgramData\DAEMON Tools Pro
2011-05-16 14:27:12 ----D---- C:\Users\Pepa\AppData\Roaming\YoudaGames
2011-05-09 23:12:12 ----D---- C:\Windows\pss
2011-05-09 22:15:04 ----D---- C:\SE5
2011-05-04 16:52:50 ----D---- C:\Users\Pepa\AppData\Roaming\Stardock
2011-05-04 16:52:25 ----HDC---- C:\ProgramData\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2011-05-04 16:52:17 ----D---- C:\ProgramData\Stardock
2011-05-04 16:52:17 ----D---- C:\Program Files (x86)\Stardock
2011-05-02 15:19:30 ----D---- C:\Users\Pepa\AppData\Roaming\Firaxis

======List of files/folders modified in the last 1 months======

2011-05-24 21:19:14 ----D---- C:\Windows\Temp
2011-05-24 21:18:00 ----RD---- C:\Program Files
2011-05-24 21:15:47 ----D---- C:\Users\Pepa\AppData\Roaming\Skype
2011-05-24 20:35:03 ----D---- C:\utor
2011-05-24 20:11:07 ----D---- C:\Windows\Prefetch
2011-05-24 19:46:26 ----D---- C:\Program Files\World of Warcraft
2011-05-24 19:13:53 ----D---- C:\Users\Pepa\AppData\Roaming\skypePM
2011-05-24 18:43:24 ----D---- C:\Games
2011-05-24 12:39:27 ----D---- C:\Windows\System32
2011-05-24 12:39:27 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-05-24 12:39:26 ----D---- C:\Windows\inf
2011-05-24 07:09:32 ----D---- C:\Windows\system32\config
2011-05-19 11:23:49 ----D---- C:\Temp
2011-05-19 11:16:12 ----SHD---- C:\Windows\Installer
2011-05-19 11:10:03 ----D---- C:\Windows\system32\drivers
2011-05-19 11:10:01 ----SHD---- C:\System Volume Information
2011-05-19 11:10:01 ----D---- C:\Windows\system32\DriverStore
2011-05-19 11:10:01 ----D---- C:\Windows\system32\catroot
2011-05-19 11:09:17 ----D---- C:\Data
2011-05-19 11:08:37 ----HD---- C:\ProgramData
2011-05-16 16:10:47 ----D---- C:\Program Files (x86)\Common Files
2011-05-16 14:04:30 ----D---- C:\Windows\SysWOW64
2011-05-09 23:12:12 ----D---- C:\Windows
2011-05-04 16:53:34 ----RSD---- C:\Windows\assembly
2011-05-04 16:52:55 ----D---- C:\Windows\Microsoft.NET
2011-05-04 16:52:17 ----RD---- C:\Program Files (x86)
2011-05-02 15:21:57 ----D---- C:\Program Files (x86)\MSBuild
2011-04-28 00:24:16 ----D---- C:\Windows\system32\catroot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 AtiPcie;AMD PCI Express (3GIO) Filter; C:\Windows\system32\DRIVERS\AtiPcie.sys [2009-05-04 16440]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-14 12352]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-14 214096]
R0 speedfan;speedfan; C:\Windows\SysWOW64\speedfan.sys [2007-02-07 14104]
R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-11-25 27216]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-11-25 89680]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-11-25 53840]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-14 514048]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver; C:\Windows\system32\DRIVERS\dtsoftbus01.sys [2011-05-19 272448]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2009-12-18 34472]
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys [2009-09-23 66304]
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys [2009-09-23 359552]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-11-25 22096]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-11-25 65616]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\AtiHdmi.sys [2009-09-30 121872]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-11-04 6088192]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2009-08-18 1983264]
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\Windows\system32\DRIVERS\seehcri.sys [2010-07-07 34032]
R3 usbfilter;AMD USB Filter Driver; C:\Windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]
R3 VClone;VClone; C:\Windows\system32\DRIVERS\VClone.sys [2009-08-09 36352]
R3 vpcbus;Služba hostitelské sběrnice programu Virtual PC; C:\Windows\system32\DRIVERS\vpchbus.sys [2009-09-23 187904]
R3 vpcusb;Služba konektoru virtualizace rozhraní USB; C:\Windows\system32\DRIVERS\vpcusb.sys [2009-09-23 95232]
S3 AF9035HB;AF9035 Hybrid Device; C:\Windows\System32\Drivers\AF9035HB.sys [2011-04-13 900480]
S3 ALSysIO;ALSysIO; \??\C:\Users\Pepa\AppData\Local\Temp\ALSysIO64.sys []
S3 AODDriver;AODDriver; \??\C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2009-02-23 14904]
S3 atidgllk;atidgllk; \??\C:\Program Files (x86)\Gigabyte\ET6\atidgllk.sys [2006-07-19 12048]
S3 etdrv;etdrv; \??\C:\Windows\etdrv.sys [2009-12-29 25640]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2011-04-09 25640]
S3 GVTDrv64;GVTDrv64; \??\C:\Windows\GVTDrv64.sys [2011-04-09 30528]
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-14 165376]
S3 RTHDMIAzAudService;Service for HDMI; C:\Windows\system32\drivers\RtHDMIVX.sys [2009-07-17 201472]
S3 s115bus;Sony Ericsson Device 115 driver (WDM); C:\Windows\system32\DRIVERS\s115bus.sys [2007-04-23 108296]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 19720]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s115mdm.sys [2007-04-23 144648]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 126216]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s115obex.sys [2007-04-23 123656]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-14 6656]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-14 34896]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 41984]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-14 200272]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-14 21760]
S3 vpcuxd;Služba zástupné procedury virtualizace rozhraní USB; C:\Windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 16384]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64; C:\Windows\system32\DRIVERS\vpnva64.sys [2009-12-18 24248]
S3 VSPerfDrv100;Performance Tools Driver 10.0; \??\C:\Data\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-18 68440]
S4 RsFx0103;RsFx0103 Driver; C:\Windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-11-04 202752]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Data\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Data\Avast4\ashServ.exe [2009-11-25 138680]
R2 BCUService;Browser Configuration Utility Service; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-06-22 212232]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 27136]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [2009-03-30 57617752]
R2 PnkBstrA;PnkBstrA; C:\Windows\syswow64\PnkBstrA.exe [2010-01-10 75064]
R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-07-10 157720]
R2 vpnagent;Cisco AnyConnect VPN Agent; C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-18 497856]
R3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 27136]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Data\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Data\Avast4\ashWebSv.exe [2009-11-25 352920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [2010-03-18 44376]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 Steam Client Service;Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [2009-07-16 316664]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S4 ES lite Service;ES lite Service for program management.; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service; C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
S4 NetMsmqActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 NetPipeActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 NetTcpActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2009-03-30 254808]

-----------------EOF-----------------
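Added example, not code from the original post nor from HijackThis, RSIT or ComboFix: a small triage script over the two autorun line formats quoted in the log above (HijackThis `O4` lines and the RSIT registry dump's `Run` and `msconfig\startupreg` sections). It flags entries whose executable sits in a user-writable folder and whose name imitates a Windows component, which in this log singles out `[Window update] ...\AppData\Roaming\Microsoft\my-slide-show-picture.exe` and `startupreg\Update ...\Documents\SYS\winupdate.exe`, and it notes the `"EnableLUA"=0` policy (UAC switched off) visible in the same dump. The folder markers, lookalike words and the `SAMPLE` excerpt are the example's own assumptions.

```python
"""Autorun triage for the HijackThis O4 lines and RSIT registry-dump sections quoted above.
Added example, not code from the original post nor from HijackThis, RSIT or ComboFix: it flags
autoruns named like a Windows component but living in user-writable folders, and it notes the
EnableLUA=0 (UAC off) policy visible in the RSIT dump."""
import re
from dataclasses import dataclass, field

# HijackThis:  O4 - HKCU\..\Run: [Window update] C:\Users\Pepa\AppData\Roaming\Microsoft\x.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
# RSIT Run key:  "Window update"=C:\Users\Pepa\AppData\Roaming\Microsoft\x.exe [2010-09-24 105984]
RSIT_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<cmd>.*?)(?: \[[^\]]*\])?$')
# RSIT msconfig\startupreg: entry name in the section header, command on the next non-empty line
STARTUPREG_RE = re.compile(
    r"^\[hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"
    r"(?P<name>[^\]]+)\]$", re.IGNORECASE)
# First executable-looking token of a command, quoted or not (stops at the first known extension)
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|pif))"?', re.IGNORECASE)
UAC_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')

# Assumed heuristics (not from the thread): folders a normal user can write to, roots treated as
# trusted, and name fragments that imitate Windows components.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\documents\\", "\\temp\\",
                 "\\downloads\\", "\\desktop\\")
TRUSTED_ROOTS = ("c:\\windows\\", "%systemroot%\\", "c:\\program files", "%programfiles%")
LOOKALIKE_WORDS = ("window", "update", "microsoft", "system")

@dataclass
class Finding:
    source: str    # "hjt", "rsit" or "startupreg"
    name: str      # registry value name as printed in the log
    path: str      # executable extracted from the command, "" if the entry is empty
    reasons: list = field(default_factory=list)

def assess(name, cmd):
    """Return (executable path, reasons) for one autorun entry; no reasons means nothing to flag."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if not m:
        return "", (["empty command (orphaned entry)"] if not cmd else [])
    path, low, reasons = m.group("path"), m.group("path").lower(), []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("executable in a user-writable folder")
    norm = name.lower().replace(" ", "")
    if any(w in norm for w in LOOKALIKE_WORDS) and not low.startswith(TRUSTED_ROOTS):
        reasons.append("name imitates a Windows component but path is outside system folders")
    return path, reasons

def parse_autoruns(text):
    """Yield (source, name, command) from O4 lines and from RSIT Run / startupreg sections."""
    in_run_key, pending = False, None   # pending = startupreg name waiting for its command line
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            yield "hjt", m.group("name"), m.group("cmd") or ""
            continue
        if line.startswith("["):        # any registry section header resets the state
            m = STARTUPREG_RE.match(line)
            pending = m.group("name") if m else None
            in_run_key = line.lower().endswith("\\run]")
            continue
        if pending and line:
            yield "startupreg", pending, line
            pending = None
        elif in_run_key:
            m = RSIT_RE.match(line)
            if m:
                yield "rsit", m.group("name"), m.group("cmd")

def triage(text):
    """Suspicious autorun entries in log order, deduplicated across the log formats."""
    seen, findings = set(), []
    for source, name, cmd in parse_autoruns(text):
        path, reasons = assess(name, cmd)
        if reasons and (name.lower(), path.lower()) not in seen:
            seen.add((name.lower(), path.lower()))
            findings.append(Finding(source, name, path, reasons))
    return findings

def uac_disabled(text):
    """True when the dump shows EnableLUA=0: UAC is off, so user-level autoruns run unprompted."""
    return any(UAC_RE.match(line.strip()) for line in text.splitlines())

# Constructed excerpt assembled from the log lines quoted in the thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] "C:\Data\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Window update] C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
O4 - HKCU\..\Run: [MultiScreen]
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Window update"=C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe [2010-09-24 105984]
"MultiScreen"= []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [2010-09-16 1164584]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update]
C:\Users\Pepa\Documents\SYS\winupdate.exe [2010-09-24 23552]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"""
```

Calling `triage(SAMPLE)` returns three findings (Window update, the empty MultiScreen entry, and Update) while avast!, Sidebar, mctadmin and DivXUpdate pass, and `uac_disabled(SAMPLE)` is True.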

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 24 May 2011 20:59
by Rudy
Doesn't the name of that rootkit always start with "a" and change with every start?

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 24 May 2011 21:07
by Maniacccc
Hello,
the name really does change with every start, but it doesn't start with "a" (restarted twice to test).

C:\Users\Pepa\AppData\Local\Temp\i_2yzjbf.exe
Win32:Rootkit-gen [Rtk]
Rootkit
110524-1, 24.05.2011

Every time I click "delete", and a similar little beast shows up again on restart.

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 24 May 2011 21:41
by Rudy
Then it's not what I had in mind. Post a ComboFix log.
Download ComboFix and save it, preferably to the desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run the application under an account with administrator rights.

Right after start, a screen with the licence terms appears; continue by clicking the Yes button.

Calmly go and make yourself a coffee (the whole thing takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through); during the scan do not try to launch any other applications or do anything else.

Do not panic during the scan; your machine may be restarted (especially on the first run of the scanner).

Warning: if you use an antispyware with a resident shield, switch its resident shield to Install Mode, or disable it completely for the duration of the scan, because the scan and removal of any malware causes unwanted collisions with the antispyware resident.

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 24 May 2011 22:23
by Maniacccc
Sorry for the delay. It was a bit of a tough nut... The program wanted me to turn off avast, and as soon as I turned off avast, Explorer (the Windows one, not IE) hung on me twice.

ComboFix 11-05-24.01 - Pepa 24.05.2011 23:13:00.1.4 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1250.420.1029.18.4094.2578 [GMT 2:00]
Spuštěný z: C:\Users\Pepa\Desktop\ComboFix.exe
AV: avast! antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení


((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
C:\Users\Pepa\Documents\SYS
C:\Users\Pepa\Documents\SYS\winupdate.exe
C:\Users\Public\winupdate.exe


((((((((((((((((((((((((( Soubory vytvořené od 2011-04-24 do 2011-05-24 )))))))))))))))))))))))))))))))


2011-05-24 21:19:07 . 2011-05-24 21:19:07 -------- d-----w- C:\Users\Default\AppData\Local\temp
2011-05-24 19:18:00 . 2011-05-24 19:19:14 -------- d-----w- C:\Program Files\trend micro
2011-05-24 19:18:00 . 2011-05-24 19:18:11 -------- d-----w- C:\rsit
2011-05-24 17:09:17 . 2011-05-24 17:10:41 -------- d-----w- C:\Program Files\World of Warcraft – kopie
2011-05-24 16:49:21 . 2011-05-24 16:49:21 -------- d-----w- C:\Users\Pepa\AppData\Roaming\My Battle for Middle-earth Files
2011-05-19 09:23:50 . 2011-05-19 09:23:50 38849 ----a-w- C:\temp\X3 map by Scorp\Uninstall.exe
2011-05-19 09:09:22 . 2011-05-19 09:09:22 272448 ----a-w- C:\Windows\system32\drivers\dtsoftbus01.sys
2011-05-19 09:08:37 . 2011-05-19 09:12:49 -------- d-----w- C:\Users\Pepa\AppData\Roaming\DAEMON Tools Pro
2011-05-19 09:08:37 . 2011-05-19 09:08:54 -------- d-----w- C:\ProgramData\DAEMON Tools Pro
2011-05-17 01:36:08 . 2011-04-18 07:15:22 8802128 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9854B11F-1A4E-4C11-AC60-DD417F2379A8}\mpengine.dll
2011-05-16 12:27:12 . 2011-05-16 12:27:12 -------- d-----w- C:\Users\Pepa\AppData\Roaming\YoudaGames
2011-05-16 12:04:30 . 2011-05-16 12:04:30 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-09 22:21:04 . 2011-05-09 20:08:33 7727495 ----a-w- C:\temp\Universal Extractor\se5patch_v179.exe
2011-05-09 20:15:04 . 2011-05-09 22:22:42 -------- d-----w- C:\SE5
2011-05-04 14:52:50 . 2011-05-04 14:52:50 -------- d-----w- C:\Users\Pepa\AppData\Roaming\Stardock
2011-05-04 14:52:25 . 2011-05-04 14:52:25 -------- dc-h--w- C:\ProgramData\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2011-05-04 14:52:17 . 2011-05-04 14:52:17 -------- d-----w- C:\ProgramData\Stardock
2011-05-04 14:52:17 . 2011-05-04 14:52:17 -------- d-----w- C:\Program Files (x86)\Stardock
2011-05-04 14:49:14 . 2011-05-04 14:49:14 -------- d-----w- C:\Users\Pepa\AppData\Local\Stardock
2011-05-02 13:21:57 . 2010-09-29 12:08:59 1223168 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\7z.dll
2011-05-02 13:21:57 . 2010-09-29 12:08:50 142336 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\SevenZipSharp.dll
2011-05-02 13:21:57 . 2010-09-29 12:08:39 19456 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\ModBuddy.Civ5ModBuildTasks.dll
2011-05-02 13:19:30 . 2011-05-02 13:19:30 -------- d-----w- C:\Users\Pepa\AppData\Roaming\Firaxis
2011-05-02 13:19:29 . 2011-05-02 13:19:29 -------- d-----w- C:\Users\Pepa\AppData\Local\Firaxis
.


(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-04-13 17:52:05 . 2011-04-13 17:52:11 217 ----a-w- C:\Windows\system32\AF15IRTBL.bin
2011-04-13 17:52:05 . 2011-04-13 17:52:05 900480 ----a-w- C:\Windows\system32\drivers\AF9035HB.sys
2011-04-09 09:17:42 . 2009-12-26 17:41:10 30528 ----a-w- C:\Windows\GVTDrv64.sys
2011-04-09 09:17:26 . 2009-12-29 16:25:16 25640 ----a-w- C:\Windows\gdrv.sys
2011-03-09 20:13:57 . 2010-03-04 18:53:07 48648 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll


(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-07-14 01:39:41 1475072]
"DAEMON Tools Pro Agent"="C:\Data\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 08:15:04 842048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="C:\Data\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 11:44:11 85160]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-15 19:02:22 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 12:16:28 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 13:27:14 138576]
R3 AF9035HB;AF9035 Hybrid Device;C:\Windows\system32\Drivers\AF9035HB.sys [x]
R3 ALSysIO;ALSysIO;C:\Users\Pepa\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AODDriver;AODDriver;C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2009-02-22 23:21:54 14904]
R3 atidgllk;atidgllk;C:\Program Files (x86)\Gigabyte\ET6\atidgllk.sys [2006-07-19 11:25:10 12048]
R3 etdrv;etdrv;C:\Windows\etdrv.sys [2009-12-29 16:41:38 25640]
R3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2011-04-09 09:17:42 30528]
R3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\Windows\system32\DRIVERS\s115bus.sys [x]
R3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s115mdfl.sys [x]
R3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s115mdm.sys [x]
R3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s115mgmt.sys [x]
R3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s115obex.sys [x]
R3 vpcuxd;Virtual PC USB Virtualization Stub Service;C:\Windows\system32\DRIVERS\vpcuxd.sys [x]
R3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Data\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 22:34:36 68440]
R4 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 13:06:16 68136]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 08:17:44 61976]
R4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 03:01:06 427880]
S1 aswSP;avast! Self Protection; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [x]
S2 BCUService;Browser Configuration Utility Service;C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-06-22 19:47:18 212232]
S2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 22:32:30 497856]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [x]
S3 seehcri;Sony Ericsson seehcri Device Driver;C:\Windows\system32\DRIVERS\seehcri.sys [x]
S3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys [x]



--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.google.cz/
mLocal Page = C:\Windows\SysWOW64\blank.htm
FF - ProfilePath - C:\Users\Pepa\AppData\Roaming\Mozilla\Firefox\Profiles\7x52zeap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com


------- File Associations -------

txtfile="C:\Data\PSPad editor\PSPad.exe" "%1"

- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -

Wow6432Node-HKCU-Run-Window update - C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
Wow6432Node-HKCU-Run-MultiScreen - (no file)
AddRemove-Pharaoh - C:\Games\Pharaoh\SIERRA\Pharaoh\Uninst.isu
AddRemove-PunkBusterSvc - C:\Windows\system32\pbsvc.exe

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 25 May 2011 18:32
by Rudy
CF deleted several entries; the rest of the log looks clean. Has anything changed?

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 25 May 2011 22:46
by Maniacccc
I tested it with four restarts and was as happy as a flea that it no longer reports the rootkit...

But now that I'm writing this, I notice that avast doesn't start at all after Windows boots... The icon in the tray isn't there, and it's missing from Task Manager too... Could that be because I turned off the resident protection when I ran the previous tests?

Edit: But an avast scan of the temp folder didn't find any viruses there anymore.
Edit2: I looked in CCleaner for an option to enable avast at startup, but somehow it's missing there... I'm now checking adding a line via msconfig...
Edit3: And the old, faithful freezing and having to restart explorer is back as well.

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 25 May 2011 23:02
by Maniacccc
Avast probably doesn't like me :cry:

I'm posting the log from RSIT that I made right after the computer started (i.e. no qip or :iefox: )

Can you tell from it whether Avast is running? At least hidden somewhere, like a daemon? Though that's probably nonsense, right?
Normally Windows yells security warnings at me that the resident shield is not turned on. But now it reports nothing... So Avast should be running... On the other hand, if it's that ash-something, it's not in Task Manager... And the icon by the clock is also missing, both of them, the "i" and the "a".

Logfile of random's system information tool 1.08 (written by random/random)
Run by Pepa at 2011-05-25 23:59:25
Microsoft Windows 7 Professional
System drive C: has 193 GB (41%) free of 477 GB
Total RAM: 4094 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:59:29, on 25.5.2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Data\DAEMON Tools Pro\DTAgent.exe
C:\Data\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\trend micro\Pepa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Data\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Data\DAEMON Tools Pro\DTAgent.exe" -autorun
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Data\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Data\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Data\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Data\Avast4\ashWebSv.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5840 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
"C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe"
atieclxx
C:\Windows\system32\svchost.exe -k NetworkService
"C:\Data\Avast4\aswUpdSv.exe"
"C:\Data\Avast4\ashServ.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
"C:\Data\DAEMON Tools Pro\DTAgent.exe" -autorun
"taskhost.exe"
C:\Windows\System32\spoolsv.exe
"C:\Data\VirtualCloneDrive\VCDDaemon.exe" /s
taskeng.exe {CDFFFD57-480B-4D43-8CDD-BD4C4A25AF8A}
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe"
"C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
C:\Windows\SysWOW64\PnkBstrA.exe
"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Data\Avast4\ashWebSv.exe" /service
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Data\Avast4\ashMaiSv.exe" /service
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Windows\system32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-04764168-1f52-42a7-82c5-528ef08db255 -SystemEventPortName:HostProcess-dae62313-a55f-482a-9f60-5db48e293bc2 -IoCancelEventPortName:HostProcess-915dfd29-252a-4322-ae10-b4d7438a2106 -NonStateChangingEventPortName:HostProcess-fa601a6a-e883-4c8a-8a2f-ffb1e0134080 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:80f5c6e7-c1ee-431b-90f8-c8ed025f3d1a
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Users\Pepa\Downloads\RSITx64.exe"

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-10-30 49440]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30 62376]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD92DE22-ED91-4560-B788-DEE2B26612E6}]
BHO Class - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\IEHelper.dll [2009-06-22 335104]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-14 1475072]
"DAEMON Tools Pro Agent"=C:\Data\DAEMON Tools Pro\DTAgent.exe [2011-03-17 842048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [2010-09-16 1164584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe [2007-07-26 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files (x86)\Google\Google Talk\googletalk.exe [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2009-08-18 8067616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Data\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2007-06-13 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\ProgramyFiles\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-11-04 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update]
C:\Users\Pepa\Documents\SYS\winupdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Pepa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
C:\Data\Office\OPENOF~1.ORG\program\QUICKS~1.EXE [2009-09-16 384512]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"=C:\Data\VirtualCloneDrive\VCDDaemon.exe [2009-06-17 85160]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [2011-01-30 35736]
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-11-15 932288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\system32\webcheck.dll [2009-07-14 290304]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.txt - open - "C:\Data\PSPad editor\PSPad.exe" "%1"

======List of files/folders created in the last 1 months======

2011-05-25 12:12:44 ----SHD---- C:\$RECYCLE.BIN
2011-05-24 23:21:23 ----A---- C:\ComboFix.txt
2011-05-24 23:11:04 ----A---- C:\Windows\zip.exe
2011-05-24 23:11:04 ----A---- C:\Windows\SWSC.exe
2011-05-24 23:11:04 ----A---- C:\Windows\SWREG.exe
2011-05-24 23:11:04 ----A---- C:\Windows\sed.exe
2011-05-24 23:11:04 ----A---- C:\Windows\PEV.exe
2011-05-24 23:11:04 ----A---- C:\Windows\NIRCMD.exe
2011-05-24 23:11:04 ----A---- C:\Windows\MBR.exe
2011-05-24 23:11:04 ----A---- C:\Windows\grep.exe
2011-05-24 23:10:59 ----D---- C:\Windows\ERDNT
2011-05-24 23:10:59 ----D---- C:\ComboFix
2011-05-24 23:10:30 ----D---- C:\Qoobox
2011-05-24 21:18:00 ----D---- C:\rsit
2011-05-24 21:18:00 ----D---- C:\Program Files\trend micro
2011-05-24 19:09:17 ----D---- C:\Program Files\World of Warcraft – kopie
2011-05-24 18:49:21 ----D---- C:\Users\Pepa\AppData\Roaming\My Battle for Middle-earth Files
2011-05-19 11:09:22 ----A---- C:\Windows\system32\drivers\dtsoftbus01.sys
2011-05-19 11:08:37 ----D---- C:\Users\Pepa\AppData\Roaming\DAEMON Tools Pro
2011-05-19 11:08:37 ----D---- C:\ProgramData\DAEMON Tools Pro
2011-05-16 14:27:12 ----D---- C:\Users\Pepa\AppData\Roaming\YoudaGames
2011-05-09 23:12:12 ----D---- C:\Windows\pss
2011-05-09 22:15:04 ----D---- C:\SE5
2011-05-04 16:52:50 ----D---- C:\Users\Pepa\AppData\Roaming\Stardock
2011-05-04 16:52:25 ----HDC---- C:\ProgramData\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2011-05-04 16:52:17 ----D---- C:\ProgramData\Stardock
2011-05-04 16:52:17 ----D---- C:\Program Files (x86)\Stardock
2011-05-02 15:19:30 ----D---- C:\Users\Pepa\AppData\Roaming\Firaxis

======List of files/folders modified in the last 1 months======

2011-05-25 23:59:29 ----D---- C:\Windows\Prefetch
2011-05-25 23:58:49 ----D---- C:\Windows\Temp
2011-05-25 23:57:18 ----D---- C:\Windows\system32\config
2011-05-25 23:48:50 ----D---- C:\Windows\System32
2011-05-25 23:48:50 ----D---- C:\Windows\inf
2011-05-25 23:48:50 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-05-25 21:52:43 ----D---- C:\Users\Pepa\AppData\Roaming\Skype
2011-05-25 18:25:57 ----D---- C:\Program Files\World of Warcraft
2011-05-25 16:28:14 ----D---- C:\Users\Pepa\AppData\Roaming\skypePM
2011-05-24 23:19:16 ----D---- C:\Windows
2011-05-24 23:19:16 ----A---- C:\Windows\system.ini
2011-05-24 23:19:11 ----D---- C:\Windows\system32\drivers\etc
2011-05-24 23:18:51 ----SD---- C:\Users\Pepa\AppData\Roaming\Microsoft
2011-05-24 23:17:08 ----D---- C:\Windows\SYSWOW64\drivers
2011-05-24 23:17:08 ----D---- C:\Windows\SysWOW64
2011-05-24 23:17:08 ----D---- C:\Windows\system32\drivers
2011-05-24 23:17:08 ----D---- C:\Windows\AppPatch
2011-05-24 23:17:06 ----D---- C:\Program Files\Common Files
2011-05-24 23:17:06 ----D---- C:\Program Files (x86)\Common Files
2011-05-24 23:11:20 ----SHD---- C:\System Volume Information
2011-05-24 21:18:00 ----RD---- C:\Program Files
2011-05-24 20:35:03 ----D---- C:\utor
2011-05-24 18:43:24 ----D---- C:\Games
2011-05-19 11:23:49 ----D---- C:\Temp
2011-05-19 11:16:12 ----SHD---- C:\Windows\Installer
2011-05-19 11:10:01 ----D---- C:\Windows\system32\DriverStore
2011-05-19 11:10:01 ----D---- C:\Windows\system32\catroot
2011-05-19 11:09:17 ----D---- C:\Data
2011-05-19 11:08:37 ----D---- C:\ProgramData
2011-05-04 16:53:34 ----RSD---- C:\Windows\assembly
2011-05-04 16:52:55 ----D---- C:\Windows\Microsoft.NET
2011-05-04 16:52:17 ----RD---- C:\Program Files (x86)
2011-05-02 15:21:57 ----D---- C:\Program Files (x86)\MSBuild
2011-04-28 00:24:16 ----D---- C:\Windows\system32\catroot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 AtiPcie;AMD PCI Express (3GIO) Filter; C:\Windows\system32\DRIVERS\AtiPcie.sys [2009-05-04 16440]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-14 12352]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-14 214096]
R0 speedfan;speedfan; C:\Windows\SysWOW64\speedfan.sys [2007-02-07 14104]
R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-11-25 27216]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-11-25 89680]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-11-25 53840]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2009-07-14 514048]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver; C:\Windows\system32\DRIVERS\dtsoftbus01.sys [2011-05-19 272448]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2009-12-18 34472]
R1 vpcnfltr;Virtual PC Network Filter Driver; C:\Windows\system32\DRIVERS\vpcnfltr.sys [2009-09-23 66304]
R1 vpcvmm;@%SystemRoot%\system32\drivers\vpcvmm.sys,-100; C:\Windows\system32\drivers\vpcvmm.sys [2009-09-23 359552]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-11-25 22096]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-11-25 65616]
R3 AtiHdmiService;ATI Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\AtiHdmi.sys [2009-09-30 121872]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-11-04 6088192]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2009-08-18 1983264]
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\Windows\system32\DRIVERS\seehcri.sys [2010-07-07 34032]
R3 usbfilter;AMD USB Filter Driver; C:\Windows\system32\DRIVERS\usbfilter.sys [2009-04-03 34872]
R3 VClone;VClone; C:\Windows\system32\DRIVERS\VClone.sys [2009-08-09 36352]
R3 vpcbus;Virtual PC Host Bus Service; C:\Windows\system32\DRIVERS\vpchbus.sys [2009-09-23 187904]
R3 vpcusb;USB Virtualization Connector Service; C:\Windows\system32\DRIVERS\vpcusb.sys [2009-09-23 95232]
S3 AF9035HB;AF9035 Hybrid Device; C:\Windows\System32\Drivers\AF9035HB.sys [2011-04-13 900480]
S3 ALSysIO;ALSysIO; \??\C:\Users\Pepa\AppData\Local\Temp\ALSysIO64.sys []
S3 AODDriver;AODDriver; \??\C:\Program Files (x86)\Gigabyte\ET6\amd64\AODDriver.sys [2009-02-23 14904]
S3 atidgllk;atidgllk; \??\C:\Program Files (x86)\Gigabyte\ET6\atidgllk.sys [2006-07-19 12048]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 etdrv;etdrv; \??\C:\Windows\etdrv.sys [2009-12-29 25640]
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2011-04-09 25640]
S3 GVTDrv64;GVTDrv64; \??\C:\Windows\GVTDrv64.sys [2011-04-09 30528]
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2009-07-14 165376]
S3 RTHDMIAzAudService;Service for HDMI; C:\Windows\system32\drivers\RtHDMIVX.sys [2009-07-17 201472]
S3 s115bus;Sony Ericsson Device 115 driver (WDM); C:\Windows\system32\DRIVERS\s115bus.sys [2007-04-23 108296]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 19720]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s115mdm.sys [2007-04-23 144648]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 126216]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s115obex.sys [2007-04-23 123656]
S3 s3cap;s3cap; C:\Windows\system32\DRIVERS\vms3cap.sys [2009-07-14 6656]
S3 storvsc;storvsc; C:\Windows\system32\DRIVERS\storvsc.sys [2009-07-14 34896]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 41984]
S3 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\DRIVERS\vmbus.sys [2009-07-14 200272]
S3 VMBusHID;VMBusHID; C:\Windows\system32\DRIVERS\VMBusHID.sys [2009-07-14 21760]
S3 vpcuxd;Virtual PC USB Virtualization Stub Service; C:\Windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 16384]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64; C:\Windows\system32\DRIVERS\vpnva64.sys [2009-12-18 24248]
S3 VSPerfDrv100;Performance Tools Driver 10.0; \??\C:\Data\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-18 68440]
S4 RsFx0103;RsFx0103 Driver; C:\Windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-11-04 202752]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Data\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Data\Avast4\ashServ.exe [2009-11-25 138680]
R2 BCUService;Browser Configuration Utility Service; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-06-22 212232]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 27136]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [2009-03-30 57617752]
R2 PnkBstrA;PnkBstrA; C:\Windows\syswow64\PnkBstrA.exe [2010-01-10 75064]
R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-07-10 157720]
R2 vpnagent;Cisco AnyConnect VPN Agent; C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-18 497856]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Data\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Data\Avast4\ashWebSv.exe [2009-11-25 352920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 27136]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [2010-03-18 44376]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 Steam Client Service;Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [2009-07-16 316664]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S4 ES lite Service;ES lite Service for program management.; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-03-02 68136]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service; C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
S4 NetMsmqActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 NetPipeActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 NetTcpActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2009-03-30 254808]

-----------------EOF-----------------

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 26 May 2011 17:54
by Rudy
Avast is running (it is visible in the services). But if it is not behaving correctly, try repairing it or reinstalling it.
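The two logs above hold the entries that a triage like Rudy's is based on: the HKCU Run value named "Window update" pointing into AppData\Roaming\Microsoft that ComboFix listed under removed orphans, the msconfig "Update" entry pointing at Documents\SYS\winupdate.exe with no file metadata, a driver (ALSysIO) registered from the user's Temp folder, and EnableLUA=0, which means UAC is switched off. The script below is an added example, not a tool from this thread or from the ComboFix/RSIT authors: it parses those line shapes and applies the heuristics a responder reads such a log with (autostart from a user-writable path, a name that imitates a Windows component outside a system location, a kernel driver loading from a user-writable path, no file metadata recorded). The sample log is constructed from lines copied from the thread, the heuristics and the meaning attributed to an empty `[]` / `[x]` field are assumptions, and a flag is a prompt to look, not a verdict: hardware-monitoring utilities also drop drivers in Temp, and ComboFix removes orphans precisely because their file is already gone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix and RSIT logs posted in
# this thread (Run keys, the UAC policy value, an msconfig startupreg entry,
# two ComboFix "orphan removed" lines, and two driver lines).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-07-14 01:39:41 1475072]
"DAEMON Tools Pro Agent"="C:\Data\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 08:15:04 842048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update]
C:\Users\Pepa\Documents\SYS\winupdate.exe []

Wow6432Node-HKCU-Run-Window update - C:\Users\Pepa\AppData\Roaming\Microsoft\my-slide-show-picture.exe
Wow6432Node-HKCU-Run-MultiScreen - (no file)
R3 ALSysIO;ALSysIO;C:\Users\Pepa\AppData\Local\Temp\ALSysIO64.sys [x]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-11-25 22096]
'''

@dataclass
class Entry:
    source: str                 # which log line shape the entry came from
    name: str                   # registry value / service name
    path: str                   # image path as logged
    present: bool               # did the tool record file date/size? (assumption: [] and [x] mean it did not)
    flags: List[str] = field(default_factory=list)

# Line shapes seen in the thread's ComboFix and RSIT output.
RUNKEY = re.compile(r'^"(?P<name>[^"]+)"="?(?P<path>.+?)"?\s*\[(?P<meta>[^\]]*)\]\s*$')
ORPHAN = re.compile(r'^\S+-Run-(?P<name>.+?) - (?P<path>.+)$')
SERVICE = re.compile(r'^[RS][0-4] (?P<name>[^;]+);[^;]*;\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
STARTREG = re.compile(r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$', re.I)
STARTREG_PATH = re.compile(r'^(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$')
ENABLELUA = re.compile(r'^"EnableLUA"\s*=\s*(?P<val>\d+)')

# Heuristics (assumptions, tuned to this log; widen for other layouts).
USER_WRITABLE = ('\\users\\', '\\temp\\')
SYSTEM_ROOTS = ('c:\\windows\\', 'c:\\program files')
WINDOWS_WORDS = ('update', 'windows', 'microsoft', 'security')

def parse(log: str) -> Tuple[List[Entry], bool]:
    """Collect autostart/service entries and the EnableLUA value from log text."""
    entries: List[Entry] = []
    pending = None              # startupreg key name waiting for its path line
    uac_disabled = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            m = STARTREG_PATH.match(line)
            if m:
                entries.append(Entry('msconfig-startupreg', pending, m['path'], bool(m['meta'].strip())))
            pending = None
            continue
        if m := STARTREG.match(line):
            pending = m['name']
        elif m := ENABLELUA.match(line):
            uac_disabled = m['val'] == '0'
        elif m := RUNKEY.match(line):
            entries.append(Entry('run-key', m['name'], m['path'], bool(m['meta'].strip())))
        elif m := ORPHAN.match(line):
            entries.append(Entry('orphan-removed', m['name'], m['path'], not m['path'].startswith('(')))
        elif m := SERVICE.match(line):
            path = m['path'].removeprefix('\\??\\')   # RSIT prefixes NT paths with \??\
            entries.append(Entry('service-or-driver', m['name'], path, m['meta'].strip() not in ('', 'x')))
    return entries, uac_disabled

def assess(e: Entry) -> Entry:
    """Attach review flags; none of them is a verdict on its own."""
    p, n = e.path.lower(), e.name.lower()
    if any(marker in p for marker in USER_WRITABLE):
        e.flags.append('runs from a user-writable location')
        if p.endswith('.sys'):
            e.flags.append('kernel driver loaded from a user-writable path')
    if any(w in n for w in WINDOWS_WORDS) and not p.startswith(SYSTEM_ROOTS):
        e.flags.append('name imitates a Windows component but the path is not a system location')
    if not e.present:
        e.flags.append('tool recorded no file metadata (file missing, removed, or hidden from the scan)')
    return e

def triage(log: str) -> Dict:
    entries, uac_disabled = parse(log)
    flagged = [e for e in map(assess, entries) if e.flags]
    return {'total': len(entries), 'flagged': flagged, 'uac_disabled': uac_disabled}

if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    if result['uac_disabled']:
        print('EnableLUA=0: UAC is off, so code run by an administrator account gets the full token')
    for e in result['flagged']:
        print(f"[{e.source}] {e.name} -> {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Point `triage()` at a whole saved ComboFix or RSIT log instead of `SAMPLE_LOG` and the only entries left to read by hand are the flagged ones; the benign Sidebar, DAEMON Tools and avast driver lines in the sample come out unflagged, while the two "update"-named entries in the user profile, the Temp-resident driver and the orphan without a file are listed with the reason each was raised.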

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 26 May 2011 20:37
by Maniacccc
Instead of Avast 4, which I had, I installed Avast 6 and that one runs... After a restart it doesn't report a rootkit... But the original effect of the virus, explorer freezing, still shows up.

The program Explorer.EXE version 6.1.7600.16450 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 644
Start time: 01cc1bcb7bb86b45
Termination time: 0
Application path: C:\Windows\Explorer.EXE
Report ID: cd14b1a0-87ce-11e0-98d4-00241ddeed10

Re: I suspect an infection (and so does avast, it reports rootkits)

Posted: 26 May 2011 20:47
by Rudy
Try a System Restore to a date when it was working correctly.