PC disinfection, computer speed-up, remote assistance via the neslape.cz service

Hi, my problem - Win32:Rootkit-gen [Rtk]

Author: Hory53 (Visitor)
Posts: 4
Registered: 26 Feb 2010 00:01


#1 Post by Hory53 »

It cannot be moved to the Virus Chest; avast then offers to delete or ignore it. I don't want to delete it because I don't know what that will do.
Please check the log.


Name of the affected file: C:\WINDOWS\System32\Drivers\vutmao.sys
ComboFix log:

ComboFix 10-02-25.02 - Honza PC 25.02.2010 23:48:14.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3227 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patchw32.dll
c:\windows\srchasst\nls302en.lex
E:\install.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-25 do 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 22:39 . 2010-02-25 22:52 792064 ----a-w- c:\windows\system32\drivers\vutmao.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\
winesm32.exe [2008-4-14 29184]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - vutmao

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKLM-Run-nwiz - nwiz.exe
AddRemove-Guitar Pro 5_is1 - c:\program files\Guitar Pro 5\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 23:51
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...


c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe 29184 bytes executable

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spvz.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vutmao]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Celkový čas: 2010-02-25 23:55:09 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-25 22:55

Před spuštěním: Volných bajtů: 151 633 207 296
Po spuštění: Volných bajtů: 152 867 303 424

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 31A4C0CA3163688DD36FCFAC53051458


VirusTotal: file no. 1
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515

( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Jotti's scans reported that they found nothing.

ComboFix: log after applying the script:

ComboFix 10-02-25.02 - Honza PC 26.02.2010 16:36:29.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3244 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Honza PC\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100226-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
file zipped: c:\windows\system32\drivers\vutmao.sys
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\windows\system32\drivers\vutmao.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VUTMAO
-------\Service_vutmao


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-26 do 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-25_22.51.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 15:35 . 2010-02-26 15:35 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
+ 2010-02-26 15:41 . 2010-02-26 15:41 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:42
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyp.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Celkový čas: 2010-02-26 16:45:16 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-26 15:45
ComboFix2.txt 2010-02-25 22:55

Před spuštěním: Volných bajtů: 152 870 211 584
Po spuštění: Volných bajtů: 152 744 120 320

- - End Of File - - 526FC44C61FF298B9F2858A63DFD86F9
Last edited by Hory53 on 26 Feb 2010 16:48, edited 2 times in total.

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#2 Post by earl »

Hi,

-> Test the following on VIRUSTOTAL and JOTTI'S SCANNER:

c:\windows\system32\dllcache\aec.sys

c:\windows\system32\drivers\aec.sys


(simple guide: once the page has loaded, click the Browse button, find the path to the file mentioned above and click the Send file button; give the scanners about ten minutes; paste the results here)

If the scanner says the file has already been tested, have it tested again.

-> if you have not done so yet, move ComboFix to the desktop

open Notepad

copy the script from the following box into it:

Code: Select all

KillAll::
Collect::
c:\windows\system32\drivers\vutmao.sys
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe 
Rootkit::
c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe 
Driver::
vutmao
save the text file you created as CFScript.txt to the desktop

after saving, grab the script you created with the left mouse button, drag it over the ComboFix icon and drop it there:

[image]

after it runs, another log should pop up; paste it here

Warning: it is possible that Windows will not boot after the script is applied and the computer restarts; in that case restart again, press F8 during the restart and choose Last Known Good Configuration
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. INCORRECT HANDLING OF IT CAN RENDER THE SYSTEM UNUSABLE!
___________________________________________________________
----------------------earl@forum.viry.cz-----------------------

Hory53
Visitor
Posts: 4
Registered: 26 Feb 2010 00:01

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#3 Post by Hory53 »

VirusTotal: file no. 1
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515

( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

VirusTotal: file no. 2
Additional information
File size: 142592 bytes
MD5...: 8bed39e3c35d6a489438b8141717a557
SHA1..: 7ccd9dda4ed4c776cd1a1be021a13dbc4b277c7e
SHA256: 1b5796e56b0927360ce0759641b1151828bc0a9e45620d2b2d880491f5ce33d0
ssdeep: 3072:/G09oYX0fLiARBfZ2GaQbYS8OMIKG00D6eOBRRhrGfkQqlIPWHCsyVCvk9AqVu:f9NXuRbVYE7kyvWq
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2186a
timedatestamp.....: 0x4655ed3c (Thu May 24 19:53:32 2007)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x1722 0x1780 6.49 7ee2463242024daeb5b6de516c7611a0
.rdata 0x1b00 0x528 0x580 5.08 701033574d4b84815b4ff5f120aff4b3
.data 0x2080 0xe764 0xe780 7.38 aca6584a0ee27c68547161a37df3efa3
PAGE 0x10800 0xcf97 0xd000 6.59 a4171616989422194826fc54be5b35d9
PAGEDATA 0x1d800 0x3420 0x3480 7.38 ec72840a24316eaffafa2cefec3af7b4
PAGECONS 0x20c80 0xa7c 0xa80 3.30 6b9bf618e75b6b264e1c0584edaa73da
INIT 0x21700 0x860 0x880 5.48 166cdb92814dd6c47840958718d5fb0b
.rsrc 0x21f80 0x3c8 0x400 3.24 336ada92a9f25fc195aa599d4fbf9b4b
.reloc 0x22380 0x970 0x980 5.99 57151fe394329fb822093dffd6eed515

( 3 imports )
> ntoskrnl.exe: _wcslwr, wcslen, IoGetDeviceInterfaces, swprintf, PsTerminateSystemThread, KeWaitForSingleObject, wcsstr, KeSetTimer, ZwClose, ObReferenceObjectByHandle, PsCreateSystemThread, KeInitializeTimerEx, KeBugCheckEx, ObfReferenceObject, ObfDereferenceObject, _aulldiv, _allmul, InterlockedExchange, KeGetCurrentThread, KeSetTimerEx, DbgPrint, KeDelayExecutionThread, KeTickCount, KeQueryTimeIncrement, InterlockedCompareExchange, InterlockedIncrement, RtlCheckRegistryKey, RtlCreateRegistryKey, RtlWriteRegistryValue, RtlQueryRegistryValues, RtlFreeUnicodeString, ExFreePoolWithTag, KeSaveFloatingPointState, KeRestoreFloatingPointState, ExAllocatePoolWithTag, KeSetPriorityThread, ExFreePool, RtlRaiseException
> HAL.dll: KeQueryPerformanceCounter
> ks.sys: KsPinGetAvailableByteCount, KsPinRegisterIrpCompletionCallback, KsFilterAttemptProcessing, KsFilterAcquireProcessingMutex, KsFilterReleaseProcessingMutex, KsPinGetConnectedPinDeviceObject, KsPinGetConnectedPinFileObject, KsGetObjectFromFileObject, KsPinGetParentFilter, KsGetPinFromIrp, _KsEdit, KsStreamPointerClone, KsProcessPinUpdate, KsPinGetConnectedPinInterface, KsStreamPointerGetIrp, KsStreamPointerDelete, KsReleaseControl, KsAcquireControl, KsInitializeDriver, KsFilterGetFirstChildPin, KsGetFilterFromIrp

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Acoustic Echo Canceller
original name: aec.sys
internal name: aec.sys
file version.: 5.1.2601.3142
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Jotti's scans reported that they found nothing

ComboFix: log after applying the script:

ComboFix 10-02-25.02 - Honza PC 26.02.2010 16:36:29.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3582.3244 [GMT 1:00]
Spuštěný z: c:\documents and settings\Honza PC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Honza PC\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100226-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
file zipped: c:\windows\system32\drivers\vutmao.sys
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Honza PC\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\windows\system32\drivers\vutmao.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VUTMAO
-------\Service_vutmao


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-26 do 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-25 22:39 . 2008-04-13 21:09 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-25 22:39 . 2008-04-13 21:09 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-02-24 11:17 . 2010-02-24 11:17 -------- d-----w- c:\program files\Roger Wilco
2010-02-23 17:30 . 2010-02-23 17:30 -------- d-----w- c:\program files\ICQ6Toolbar
2010-02-23 17:28 . 2010-02-23 17:42 -------- d-----w- c:\program files\ICQ6.5
2010-02-22 22:27 . 2010-02-24 11:20 1065 ----a-w- c:\windows\eReg.dat
2010-02-22 21:58 . 2010-02-22 21:58 -------- d-----w- c:\program files\Common Files\EasyInfo
2010-02-22 17:44 . 2010-02-24 11:17 -------- d-----w- c:\program files\GameSpy Arcade
2010-02-22 17:39 . 2010-02-22 22:12 -------- d-----w- c:\program files\EA GAMES
2010-02-18 21:01 . 2010-02-18 21:05 -------- d-----w- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 19:01 . 2009-12-18 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 22:10 . 2009-12-18 12:26 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-22 20:59 . 2009-12-18 13:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-02-22 20:41 . 2010-01-20 16:35 -------- d-----w- c:\program files\M-Audio
2010-02-22 20:01 . 2009-12-18 13:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 16:53 . 2010-01-20 16:53 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-01-20 16:51 . 2010-01-20 16:51 -------- d-----w- c:\program files\InterLok
2010-01-20 16:42 . 2010-01-20 16:35 -------- d-----w- c:\program files\Common Files\Digidesign
2010-01-20 16:42 . 2010-01-20 16:37 -------- d-----w- c:\program files\Digidesign
2010-01-19 18:29 . 2009-12-18 13:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-15 17:57 . 2010-01-15 17:57 -------- d-----w- c:\program files\Blender Foundation
2010-01-07 13:48 . 2004-08-18 12:00 83652 ----a-w- c:\windows\system32\perfc005.dat
2010-01-07 13:48 . 2004-08-18 12:00 440316 ----a-w- c:\windows\system32\perfh005.dat
2010-01-05 23:37 . 2010-01-05 23:37 -------- d-----w- c:\program files\Emote
2010-01-05 12:26 . 2010-01-05 12:26 -------- d-----w- c:\program files\Team17 Software Ltd
2010-01-04 17:58 . 2010-01-04 17:57 -------- d-----w- c:\program files\Euro Truck Simulator
2009-12-19 13:31 . 2009-12-19 13:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-19 12:25 . 2009-12-19 12:25 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-19 12:25 . 2009-12-19 12:25 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-19 12:25 . 2009-12-19 12:25 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-12-19 12:25 . 2009-12-19 12:25 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-19 12:16 . 2009-12-18 12:34 17488 ----a-w- c:\windows\gdrv.sys
2009-12-18 16:18 . 2009-12-18 16:18 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-18 13:45 . 2009-12-18 13:45 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-18 13:26 . 2009-12-18 13:26 0 ----a-w- c:\windows\nsreg.dat
2009-12-18 13:19 . 2009-12-18 13:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-18 12:51 . 2009-12-18 12:18 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-18 12:51 . 2009-12-18 12:18 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-12-18 12:51 . 2009-12-18 12:18 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2009-12-18 12:17 . 2009-12-18 12:17 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-11 18:00 . 2009-12-18 13:43 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-25_22.51.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 15:35 . 2010-02-26 15:35 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
+ 2010-02-26 15:41 . 2010-02-26 15:41 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-12-19 306088]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-25 17887232]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-10 241664]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2009-02-11 480264]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-06-18 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-19 113664]
Media Key.lnk - c:\program files\Media Key\MagicKey.exe [2009-12-20 159744]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\fpupdate.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.12.2009 14:45 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [18.12.2009 13:58 114768]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [20.12.2009 1:39 12856]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [20.12.2009 1:39 9291]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18.12.2009 13:58 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [18.12.2009 13:26 219360]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.2.2010 18:30 222456]
R3 MAUSBFT;Service for M-Audio Fast Track;c:\windows\system32\drivers\mausbft.sys [20.1.2010 17:35 156552]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18.2.2010 22:01 135664]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\HONZAP~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [18.12.2009 13:29 1684736]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 13:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 21:01]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Honza PC\Data aplikací\Mozilla\Firefox\Profiles\e2vcwhwg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:42
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spyp.sys >>UNKNOWN [0x84172938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7cdab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7bc5bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7bd2a21
SendHandler -> NDIS.sys @ 0xb7bb087b
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Media Key\OSD.EXE
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Celkový čas: 2010-02-26 16:45:16 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-26 15:45
ComboFix2.txt 2010-02-25 22:55

Před spuštěním: Volných bajtů: 152 870 211 584
Po spuštění: Volných bajtů: 152 744 120 320

- - End Of File - - 526FC44C61FF298B9F2858A63DFD86F9

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#4 Post by earl »

Ok.

How is the PC behaving now?
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN THE EVENT OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. IMPROPER HANDLING OF IT CAN RENDER THE SYSTEM INOPERABLE!
___________________________________________________________
----------------------earl@forum.viry.cz-----------------------

Hory53
Visitor
Posts: 4
Registered: 26 Feb 2010 00:01

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#5 Post by Hory53 »

The PC is behaving normally so far, but Avast reports a rootkit when scanning, I don't get it....

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#6 Post by earl »

Where exactly does Avast report it?

Hory53
Visitor
Posts: 4
Registered: 26 Feb 2010 00:01

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#7 Post by Hory53 »

Here Avast reports win32: Trojan-gen (it remains after removal)
E:\obrazy her\Crysis\DVD2_Crysis\DVD2_Crysis\Image\rzr-crys.iso\RAZOR191\RZR-CRYS.EXE

It did not report the rootkit during the last scan, but! at the end it opened a window listing 32 files that could not be tested!!
I can't copy and paste them here the usual way, but I copied them out by hand for this purpose:

c:/program Files/.../heightmaplayeridbitmap.editor_data
c:/program Files/.../heightmaplayeridbitmap.editor_data
c:/program Files/Nero/Nero 7/backitup/.../root.img
c:/Documents and Settings/Honza Pc/.../FilePCO.Arc
c:/System Volume Information/.../FilePCO.arc
c:/System Volume Information/.../A0007893.msi

And the other 26 concern game images

earl
VIP
Posts: 1279
Registered: 14 Dec 2005 20:59
Location: Brno

Re: Hi, my problem - Win32:Rootkit-gen [Rtk]

#8 Post by earl »

So, here is the situation.

In the vast majority of cases these are illegal copies of software (games) and cracks.

Once the PC has been rid of them, let me know whether Avast still reports anything, ok.

Otherwise we would not get very far.
