prosím o kontrolu logu (rootkit?) Vyřešeno

[jaro3]

Víc tam toho nebylo?

Stáhni si RKUnhookerLE

a ulož si ho na svojí plochu. Poklepej na RKUnhookerLE ke spuštění programu.
Klikni na Report , potom klikni na Scan.
Dej zatržítka na Drivers, Stealth , zbytek musí být bez zatržítek.
Klikni na OK.
Počkej , až se sken dokončí a potom si zprávu ulož (File > Save Report).
Zkopíruj si celou zprávu a vlož ji sem.

[Reklama]

[joboj]

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>Drivers
==============================================
0xB7260000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10604544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 258.96 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6344704 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 258.96 )
0xB46ED000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6234112 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7EB4000 PCI_PNP4262 995328 bytes
0xB7EB4000 sppb.sys 995328 bytes
0xB7EB4000 sptd 995328 bytes
0xB7D34000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB4425000 C:\WINDOWS\System32\Drivers\aswSnx.SYS 446464 bytes (AVAST Software, avast! Virtualization Driver)
0xB7000000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB45ED000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB37B0000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB4492000 C:\WINDOWS\System32\Drivers\aswSP.SYS 307200 bytes (AVAST Software, avast! self protection module)
0xBD61F000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB3ACB000 C:\WINDOWS\system32\DRIVERS\atksgt.sys 274432 bytes
0xB714E000 C:\WINDOWS\System32\Drivers\aae5x1rw.SYS 233472 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB7E6E000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB6FD2000 C:\WINDOWS\system32\DRIVERS\MarvinBus.sys 188416 bytes (Pinnacle Systems GmbH, Pinnacle Marvin Discrete Bus Enumerator)
0xB3B36000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7D07000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB7200000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB459F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB45C7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB46C9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB7228000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB7187000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB71DD000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 143360 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB457D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB71BB000 C:\WINDOWS\system32\DRIVERS\nusb3xhc.sys 139264 bytes (NEC Electronics Corporation, USB 3.0 Host Controller Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7DEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7E3E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7E23000 jraid.sys 110592 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
0xB3E33000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 106496 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xB7CED000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB7E0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB436D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB7E9C000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB7DD4000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB7137000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB3AB6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB724C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB4646000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7DC1000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB0BD6000 C:\WINDOWS\system32\DRIVERS\sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7E5D000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB7126000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB456D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB82E8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB82B8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB80A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB82C8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB8228000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xB81B8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB81C8000 C:\WINDOWS\system32\DRIVERS\nusb3hub.sys 61440 bytes (NEC Electronics Corporation, USB 3.0 Hub Driver)
0xB82F8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB70A6000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB81A8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB8108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB8308000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8138000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB81F8000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 45056 bytes (AVAST Software, avast! TDI Filter Driver)
0xB8208000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB82A8000 C:\WINDOWS\system32\DRIVERS\HECI.sys 45056 bytes (Intel Corporation, Intel(R) Management Engine Interface)
0xB82D8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB8318000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB8298000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xB80C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB8178000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8168000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB3BBB000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB8288000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB8148000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB8218000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB43AD000 C:\DOCUME~1\milan\LOCALS~1\Temp\catchme.sys 32768 bytes
0xB83D8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8480000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8420000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB83E0000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 28672 bytes (AVAST Software, avast! TDI RDR Driver)
0xB8428000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB83C0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB83F0000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xB8430000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB8350000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8358000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8390000 C:\WINDOWS\system32\DRIVERS\seehcri.sys 24576 bytes (Sony Ericsson Mobile Communications, seehcri Driver)
0xB8418000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB83C8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB83B0000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xB438D000 C:\WINDOWS\system32\DRIVERS\lirsgt.sys 20480 bytes
0xB83D0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB84A8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB84B0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xB8498000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB467D000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7CC1000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB3F59000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB858C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB43ED000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB46B9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB3464000 C:\WINDOWS\gdrv.sys 12288 bytes (Windows (R) 2000 DDK provider, GIGABYTE Tools)
0xB4689000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB4685000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB85A0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB6F2D000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB85E2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB864E000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xB85E0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB85E4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB8646000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xB85E6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB85AC000 speedfan.sys 8192 bytes
0xB85CE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB85C6000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB877A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB87E1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB8671000 giveio.sys 4096 bytes
0xB878B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8B4821F8 unknown_irp_handler 3592 bytes
0x8B0D91F8 unknown_irp_handler 3592 bytes
0x8B01C1F8 unknown_irp_handler 3592 bytes
0x8B40D1F8 unknown_irp_handler 3592 bytes
0x8B0DB1F8 unknown_irp_handler 3592 bytes
0x89EE01F8 unknown_irp_handler 3592 bytes
0x8B10E1F8 unknown_irp_handler 3592 bytes
0x8A418500 unknown_irp_handler 2816 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

[jaro3]

Stáhni si Rooter.exe

na plochu. Poklepej na něj ke startu nástroje, až se objeví v poznámkovém bloku zpráva ( je i zde: C:\Rooter.txt), zkopíruj jí a vlož sem.

pokračování zítra.

[joboj]

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 37 Stepping 2, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 7.0.5730.13
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:97 Go - Free:5 Go )
D:\ [Fixed-NTFS] .. ( Total:62 Go - Free:3 Go )
E:\ [Fixed-NTFS] .. ( Total:72 Go - Free:2 Go )
F:\ [CD_Rom]
G:\ [CD_Rom]
.
Scan : 23:54.03
Path : C:\Documents and Settings\milan\Plocha\Rooter.exe
User : milan ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (792)
______ \??\C:\WINDOWS\system32\csrss.exe (1492)
______ \??\C:\WINDOWS\system32\winlogon.exe (1516)
______ C:\WINDOWS\system32\services.exe (1560)
______ C:\WINDOWS\system32\lsass.exe (1572)
______ C:\WINDOWS\system32\nvsvc32.exe (1740)
______ C:\WINDOWS\system32\svchost.exe (1776)
______ C:\WINDOWS\system32\svchost.exe (1844)
______ C:\WINDOWS\System32\svchost.exe (1980)
______ C:\WINDOWS\system32\svchost.exe (2032)
______ C:\WINDOWS\system32\svchost.exe (260)
______ C:\WINDOWS\system32\svchost.exe (484)
______ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (584)
______ C:\WINDOWS\system32\spoolsv.exe (1380)
______ C:\WINDOWS\system32\svchost.exe (1436)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (1468)
______ C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe (1784)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1900)
______ C:\Program Files\Gigabyte\EnergySaver2\des2svr.exe (888)
______ C:\Program Files\Java\jre6\bin\jqs.exe (936)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (1208)
______ C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (1224)
______ C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (1344)
______ C:\WINDOWS\system32\PnkBstrA.exe (2372)
______ C:\WINDOWS\system32\PnkBstrB.exe (2464)
______ C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe (2604)
______ C:\WINDOWS\system32\svchost.exe (2624)
______ C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (2644)
______ C:\WINDOWS\system32\ctfmon.exe (3332)
______ C:\WINDOWS\system32\wbem\wmiapsrv.exe (3388)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (3536)
______ C:\WINDOWS\System32\alg.exe (3608)
______ C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe (2968)
______ C:\WINDOWS\explorer.exe (2964)
______ C:\Program Files\Alwil Software\Avast5\AvastUI.exe (3664)
______ C:\Documents and Settings\milan\Plocha\Rooter.exe (3884)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:104855837184)
\Device\Harddisk0\Partition0 (Start_Offset:104855869440 | Length:145192642560)
\Device\Harddisk0\Partition2 (Start_Offset:104855901696 | Length:67110027264)
\Device\Harddisk0\Partition0 (Start_Offset:171965928960 | Length:78082583040)
\Device\Harddisk0\Partition3 (Start_Offset:171965961216 | Length:78082550784)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\1-Click Maintenance.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 23:54.04
.
C:\Rooter$\Rooter_1.txt - (08/12/2011 | 23:54.04)

Zatím díky, tak zítra...

[jaro3]

Žádný rootkit nebyl nalezen...

Napiš celou cestu k tomu rootkitu
C:\Program Files\Common Files\Wise Installation Wizard\........ >WinstylerThemeHelper.dll---nestačí..

V možnostech složky si povol zobrazování skrytých souborů a složek+ odškrtni zatržítko skrýt chráněné soubory operačního systému

Toto otestuj na Virustotal
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe

Klikni vpravo od okénka na Vybrat a v Exploreru najdi požadovaný soubor v Tvém PC. Označ ho myší a klikni na Otevřít , poté klikni na Send File. Pokud už byl soubor testován , objeví se okno ve kterém klikni na Reanalyze. Soubor se začne postupně testovat více antivirovými programy. Až skončí test posledního antiviru , objeví se nahoře result a červeně počet nákaz , např. 0/43 , nebo 1/43. Pak zkopíruj myší odkaz na tuto stránku a vlož ji do svého příspěvku.

+
ESET OnlineScan

Poznámka:
Je doporučeno mít během skenu vypnutý antivirový a antispywarový program .Zároveň se doporučuje mít zavřeny všechny ostatní okna , programy a nesurfovat po netu. Po skončení skenu si nezapomeň zase ochrany antiviru a antispywaru zapnout.Je doporučeno použít pro kontrolu prohlížeč Internet Explorer , jinak je nutno nainstalovat ESET Smart Installer a po skončení skenu vše zase řádně odinstalovat.



1. Klikni na ESET OnlineScan http://eset.com/onlinescan
2. Klikni na tlačítko Run ESET Online Scanner
3. Jen pro jiné prohlížeče než je Internet Explorer ( Ti , co mají spuštěn IE mohou toto přeskočit)
1. Klikni na esetsmartinstaller_enu.exe ke stáhnutí ESET Smart Installeru , ulož si soubor na svojí plochu.
2. Poklepej na ploše na ikonu esetsmartinstaller_enu

4. Dej zatržítko do čtverečku YES , I accept the Terms of Use. ( k potvrzení podmínek užití)
5. Klikni na tlačítko Start
6. Akceptuj další bezpečnostní varování ze svého prohlížeče. Nainstaluj si ovl.prvek ActiveX
7. Dej zatržítko do čtverečku Scan archives
8. Ujisti se , že volba "Remove found threats" je nezaškrtnuta
9. Když se objeví display nastavení skenu počítače , klikni na Advanced settings , a dej zatržítko na
Enable Anti-Stealth technology (pokud není již zatržena)
10. Klikni na tlačítko Start
11. ESET si pak stáhne svojí aktualizaci , nainstaluje jí a poté začne skenovat Tvůj počítač
12. Když bude sken hotov , klikni na šipku List of found threads
13. Klikni na tlačítko Export to text file , a soubor si ulož pod nějakým jménem na svojí plochu
14. Klikni na tlačítko Back
15. Klikni na tlačítko Finish

Celý obsah textového souboru , který sis uložil na plochu sem prosím vlož.

[joboj]

Při testu po restartu je to tahle cesta:
C:\Program Files\Common Files\Wise Installation Wizard\WIS2C3738C956FA410ABCB579C5DFD238F0_4_1_2318.MSI
Infikováno virem: "Win32:PUP-gen [PUP]

VirusTotal v těchto dvou souborech nic nenašel.
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe

Tady je ten ESET:

D:\Downloads\Nero_Burning_Rom_8_3_2_1.exe Win32/Toolbar.AskSBar application
D:\sims 3\Sims 3\rzr-sim3.iso probably a variant of Win32/Hupigon.CJKIBCX trojan
E:\Pin-n-acle.Stud-io.Plu-s.v1-1.Bo-nus.D-VD.Multi-langua-ge\Pinnacle.11.KeyGen.exe a variant of Win32/Keygen.AF application

[jaro3]

Stáhni si program OTM (by OldTimer)
a ulož si ho na disk C a spusť ho.
- Do levého sloupce (Paste Instructions for Items to be Moved) zkopíruj tyto cesty:
Poznámka: Nepoužij k označení funkci VYBRAT VŠE

Kód: Vybrat vše

:Processes
explorer.exe

:Services

:Reg

:Files
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\System32\dllcache\*.tmp
C:\WINDOWS\system32\SET*.tmp
c:\windows\Tasks\*.job
C:\*.tmp
C:\Documents and Settings\All Users\Data aplikací\*.tmp
D:\Downloads\Nero_Burning_Rom_8_3_2_1.exe
D:\sims 3\Sims 3\rzr-sim3.iso
E:\Pin-n-acle.Stud-io.Plu-s.v1-1.Bo-nus.D-VD.Multi-langua-ge\Pinnacle.11.KeyGen.exe a variant of Win32
C:\Program Files\Common Files\Wise Installation Wizard\WIS2C3738C956FA410ABCB579C5DFD238F0_4_1_2318.MSI

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

- Po zkopírování klikni na tlačítko MoveIt! a vlož sem následně celý obsah z pravého sloupce, jinak uložený ve složce C:\_OTMoveIt\MovedFiles\, který bude informovat o výsledcích
- Je možné, že pokud nebudou moci být soubory odstraněny, budeš dotázán na restart počítače, v tom případě restart potvrď.

[joboj]

Error: Unable to interpret <C:\WINDOWS\System32\*.tmp > in the current context!
Error: Unable to interpret <C:\WINDOWS\*.tmp > in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\*.tmp.dll > in the current context!
Error: Unable to interpret <C:\WINDOWS\System32\dllcache\*.tmp> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\SET*.tmp > in the current context!
Error: Unable to interpret <c:\windows\Tasks\*.job > in the current context!
Error: Unable to interpret <C:\*.tmp> in the current context!
Error: Unable to interpret <C:\Documents and Settings\All Users\Data aplikací\*.tmp> in the current context!
Error: Unable to interpret <D:\Downloads\Nero_Burning_Rom_8_3_2_1.exe > in the current context!
Error: Unable to interpret <D:\sims 3\Sims 3\rzr-sim3.iso > in the current context!
Error: Unable to interpret <E:\Pin-n-acle.Stud-io.Plu-s.v1-1.Bo-nus.D-VD.Multi-langua-ge\Pinnacle.11.KeyGen.exe a variant of Win32> in the current context!
Error: Unable to interpret <C:\Program Files\Common Files\Wise Installation Wizard\WIS2C3738C956FA410ABCB579C5DFD238F0_4_1_2318.MSI> in the current context!

OTM by OldTimer - Version 3.1.19.0 log created on 12092011_183236

[jaro3]

Stáhni si OTL by OldTimer
na plochu. Ujisti se , že máš zavřena všechna ostatní okna a poklepej na ikonu OTL.
Ujisti se , že máš všechny ostatní aplikace a prohlížeče zavřeny.
Pod Vlastní skenování/opravy do okénka vlož následující text, zobrazený zeleně:

Kód: Vybrat vše

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

:Files
C:\WINDOWS\System32\dllcache\*.tmp
C:\WINDOWS\system32\SET*.tmp
c:\windows\Tasks\*.job
C:\*.tmp
C:\Documents and Settings\All Users\Data aplikací\*.tmp
D:\Downloads\Nero_Burning_Rom_8_3_2_1.exe
D:\sims 3\Sims 3\rzr-sim3.iso
E:\Pin-n-acle.Stud-io.Plu-s.v1-1.Bo-nus.D-VD.Multi-langua-ge\Pinnacle.11.KeyGen.exe
C:\Program Files\Common Files\Wise Installation Wizard\WIS2C3738C956FA410ABCB579C5DFD238F0_4_1_2318.MSI

:Reg
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Poté klikni nahoře na Opravit. Nech program nerušeně běžet, na konci se provede restart PC.
Po restartu se objeví log , prosím zkopíruj sem celý jeho obsah.

[joboj]

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
No active process named firefox.exe was found!
========== FILES ==========
File\Folder C:\WINDOWS\System32\dllcache\*.tmp not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
c:\windows\Tasks\1-Click Maintenance.job moved successfully.
File\Folder C:\*.tmp not found.
File\Folder C:\Documents and Settings\All Users\Data aplikací\*.tmp not found.
D:\Downloads\Nero_Burning_Rom_8_3_2_1.exe moved successfully.
File move failed. D:\sims 3\Sims 3\rzr-sim3.iso scheduled to be moved on reboot.
E:\Pin-n-acle.Stud-io.Plu-s.v1-1.Bo-nus.D-VD.Multi-langua-ge\Pinnacle.11.KeyGen.exe moved successfully.
C:\Program Files\Common Files\Wise Installation Wizard\WIS2C3738C956FA410ABCB579C5DFD238F0_4_1_2318.MSI moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Opera cache emptied: 91712 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: milan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 7432319 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 19115746 bytes
->Flash cache emptied: 17045 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 401408 bytes
%systemroot%\System32 .tmp files removed: 2504 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 138496 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 506290 bytes

Total Files Cleaned = 27,00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12092011_192139

Files\Folders moved on Reboot...
File move failed. D:\sims 3\Sims 3\rzr-sim3.iso scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[jaro3]

Byl restart?

Spusť OTL a klikni na Vyčisti.

Pokud nejsou problémy , je to vše a můžeš dát vyřešeno , zelenou fajfku.

[joboj]

Provedl jsem restart i vyčištění, dále sken Avastem po restartu a opět stejný vir "Win32:PUP-gen [PUP]", ale v jiném souboru a to:
C:\System Volume Information\_restore{25A30266-7150-4FFF-89A3-D743ADB406DC}\RP1\A0000241.MSI

Zkusil jsem znovu VirusTotal a vyšlo opět tohle:
Antivirus Version Last Update Result
AhnLab-V3 2011.12.10.00 2011.12.09 -
AntiVir 7.11.19.57 2011.12.09 -
Antiy-AVL 2.0.3.7 2011.12.09 Worm/Win32.Josam.gen
Avast 6.0.1289.0 2011.12.09 Win32:PUP-gen [PUP]
AVG 10.0.0.1190 2011.12.09 -
BitDefender 7.2 2011.12.09 -
ByteHero 1.0.0.1 2011.12.07 -
CAT-QuickHeal 12.00 2011.12.09 -
ClamAV 0.97.3.0 2011.12.09 -
Commtouch 5.3.2.6 2011.12.09 -
Comodo 10899 2011.12.09 -
Emsisoft 5.1.0.11 2011.12.09 -
eSafe 7.0.17.0 2011.12.08 -
eTrust-Vet 37.0.9616 2011.12.09 -
F-Prot 4.6.5.141 2011.11.29 -
Fortinet 4.3.388.0 2011.12.09 -
GData 22 2011.12.09 -
Ikarus T3.1.1.109.0 2011.12.09 -
Jiangmin 13.0.900 2011.12.09 -
K7AntiVirus 9.119.5640 2011.12.09 -
Kaspersky 9.0.0.837 2011.12.09 -
McAfee 5.400.0.1158 2011.12.09 -
McAfee-GW-Edition 2010.1E 2011.12.09 -
Microsoft 1.7903 2011.12.09 -
NOD32 6691 2011.12.07 -
nProtect 2011-12-09.01 2011.12.09 -
Panda 10.0.3.5 2011.12.09 -
PCTools 8.0.0.5 2011.12.09 -
Prevx 3.0 2011.12.09 -
Rising 23.87.03.02 2011.12.08 -
Sophos 4.72.0 2011.12.09 -
SUPERAntiSpyware 4.40.0.1006 2011.12.09 -
TheHacker 6.7.0.1.354 2011.12.09 -
TrendMicro 9.500.0.1008 2011.12.09 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.09 -
VBA32 3.12.16.4 2011.12.09 -
VIPRE 11226 2011.12.09 -
ViRobot 2011.12.9.4817 2011.12.09 -
VirusBuster 14.1.107.0 2011.12.09 -

Nemůže se jednat o falešný poplach? Mělo by to být v souboru TuneUp Utilities (autor: TuneUp Software).