PC disinfection, computer speed-up, remote help via the neslape.cz service

Win32/Mebroot.K

Have a virus problem? Post your FRST or RSIT log here.


Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details of the problem from you by phone! More at www.neslape.cz
Locked
lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#31 Post by lukyluk »

stell wrote: ok;
If it was detected as G:, then you should have entered:
FIXMBR \Device\DRIVE_G, since you plugged it into a different USB port.
No, I connected the USB disk in question so that it would show up again as H: (i.e. during the console session both USB disks G: and H: were connected, H: being the one we care about) - even so, the FIXMBR \Device\DRIVE_H command did not work in the console.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#32 Post by stell »

ok:
Then post the Sinowal log and the MBR log from PC_1 here.
No rootkit is visible on the second PC.
Do you know what this is??
C:\Bosch_pr\rbser32\rbser32.exe
Important information.
Is your computer NOT RUNNING RIGHT?
Is it infected? Running slowly? A program not working? Installation problems?
Use the remote help service!
e-mail: stell(zavináč)forum.viry.cz
Thanks!

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#33 Post by lukyluk »

The Norman scan on PC_1 is still running.

C:\Bosch_pr\rbser32\rbser32.exe
This is related to my work; it is official vehicle-diagnostics software from Bosch.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#34 Post by stell »

ok, I'm finishing for today. You have to scan all the extra USB drives, flash drives, etc. with Dr.Web CureIt > the guide is in my signature; that is, plug them in, don't open them, but scan them with CureIt and have whatever it finds deleted or cured. Then report the result. ok.
PC 2 looks fine, also according to the MWAV log.

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#35 Post by lukyluk »

So after a while Norman produced this log:

Norman SinowalMBR Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/05/13 16:21:18

Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/05/13 16:21:18, Variants: 0

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: LUKAS-NEW\Lukas a Misa


Scan started: 11/07/2008 23:13:19

Scanning bootsectors...

No SinowalMBR hooks found

Number of sectors found: 4
Number of sectors scanned: 4
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 250ms


Scanning running processes and process memory...

Number of processes/threads found: 1983
Number of processes/threads scanned: 1983
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 11s


Scanning file system...

Scanning: C:\*.*

Scanning: E:\*.*

Scanning: F:\*.*

Scanning: G:\*.*

Scanning: H:\*.*

Scanning: C:\Documents and Settings\All Users\Dokumenty\*.*

Scanning: C:\Documents and Settings\Lukas a Misa\Dokumenty\*.*

Scanning: C:\Documents and Settings\Lukas a Misa\Plocha\Svatba-výběr pro tisk\*.*

Scanning: C:\Documents and Settings\Lukas a Misa\Plocha\vir\*.*


Running post-scan cleanup routine:

Number of files found: 292117
Number of archives unpacked: 1802
Number of files scanned: 292076
Number of files not scanned: 41
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 1h 16m 35s

Then I ran MBR from the command line:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x2c3 !
copy of MBR has been found in sector 62 !

Then, to be safe, MWAV on H: as well:
12 VII 2008 00:33:29 - ***** Test dokončen *****

12 VII 2008 00:33:29 - Testovaných objektů: 978
12 VII 2008 00:33:29 - Kritických objektů: 0
12 VII 2008 00:33:29 - Celkem vyléčených objektů: 0
12 VII 2008 00:33:29 - Celkem přejmenováno: 0
12 VII 2008 00:33:29 - Smazaných objektů: 0
12 VII 2008 00:33:29 - Celkem chyb: 0
12 VII 2008 00:33:29 - Uplynulý čas: 00:01:24
12 VII 2008 00:33:29 - Datum vydání databáze: 05 Jul 2008
12 VII 2008 00:33:29 - Verze virové databáze: 915351

12 VII 2008 00:33:29 - Test je dokončen

Now I'll let CureIt run and we'll see in the morning.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#36 Post by stell »

So, did Dr.Web CureIt find anything??

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#37 Post by lukyluk »

I left it running overnight, but after a few minutes it stopped and asked what action to take with one file, so it only started scanning a few minutes ago. I reckon it will be done within the hour. Nothing new from Norman, I suppose?

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#38 Post by stell »

So far everything is ok; if CureIt finds something, have it cured or deleted.
Then also run NOD with the USB and flash drives plugged in and scan memory and the boot sectors, the way you did at the start, and post the log here too. Then we'll have everything complete.

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#39 Post by lukyluk »

Hi, here are the further results.

Dr.Web CureIt:
ComboFix.exe\327882R2FWJFW\psexec.cfexe C:\Documents and Settings\Lukas a Misa\Plocha\vir\ComboFix.exe Program.PsExec.171
ComboFix.exe C:\Documents and Settings\Lukas a Misa\Plocha\vir V archivu jsou infikované objekty Přesunut.
vncviewer.exe C:\Program Files\RealVNC\VNC4 Program.RemoteAdmin.51 Nevyléčitelný.Smazán.
A0001224.exe\327882R2FWJFW\psexec.cfexe C:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1\A0001224.exe Program.PsExec.171
A0001224.exe C:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1 V archivu jsou infikované objekty Přesunut.
vnc-4_1_2-x86_win32.exe\data005 E:\aktualizace programu\vnc-4_1_2-x86_win32.exe Program.RemoteAdmin.51
vnc-4_1_2-x86_win32.exe E:\aktualizace programu V archivu jsou infikované objekty Přesunut.
SDFix.exe\SDFix\apps\Process.exe E:\dokumenty\zjištěno 19.1.2008\SDFix.exe Tool.Prockill
SDFix.exe E:\dokumenty\zjištěno 19.1.2008 V archivu jsou infikované objekty Přesunut.
A0001226.exe\data005 E:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1\A0001226.exe Program.RemoteAdmin.51
A0001226.exe E:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1 V archivu jsou infikované objekty Přesunut.
A0001227.exe\SDFix\apps\Process.exe E:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1\A0001227.exe Tool.Prockill
A0001227.exe E:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1 V archivu jsou infikované objekty Přesunut.
vnc-4_1_2-x86_win32.exe\data005 H:\vnc-4_1_2-x86_win32.exe Program.RemoteAdmin.51
vnc-4_1_2-x86_win32.exe H:\ V archivu jsou infikované objekty Přesunut.

NOD scan, memory and boot sectors of all disks only:
Protokol o kontrole
Verze virové databáze: 3263 (20080711)
Datum: 12.7.2008 Čas: 13:17:29
Testované disky, adresáře a soubory: Paměť;C:\Boot sektor;D:\Boot sektor;E:\Boot sektor;F:\Boot sektor;G:\Boot sektor;G:\;H:\Boot sektor
G:\ - chyba při otevírání [4]
Počet zkontrolovaných objektů: 483
Počet nalezených infiltrací: 0
Čas ukončení: 13:17:32 Celkový čas diagnostiky: 3 sek (00:00:03)

Poznámky:
[4] Objekt nelze otevřít ke čtení. Je využíván jinou aplikací (nebo operačním systémem), která ho otevřela výhradně pro sebe.
What seems odd to me here is why it won't open the flash drive on G:?

And finally the famous mbr.exe, which is still the same:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x25429800 size 0x2c3 !
copy of MBR has been found in sector 62 !
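As an added example (not code from the thread and not Gmer's mbr.exe), the following Python check reproduces on a constructed disk image the two findings the mbr.exe output above reports: a displaced copy of the MBR in sector 62, and non-zero data stored beyond the last partition, where the file-level scanners in this thread (Norman, MWAV, CureIt) never look. The partition geometry, the sample boot code and the 0x2c3-byte blob are constructed to mirror the posted output, not taken from a real disk.

```python
"""Added example: a minimal MBR consistency check on a raw disk image.
Everything here (geometry, boot code, blob) is constructed sample data."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Return (type, lba_start, sector_count) for each used partition entry."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append((ptype, lba, count))
    return parts


def find_mbr_copies(image: bytes, search_sectors: int = 63):
    """Sectors in the first track (before the first partition) that carry the
    same partition table and boot signature as sector 0. A bootkit that swaps
    the boot code has to keep the table intact so the system still boots, so a
    displaced original MBR shows up as an exact table match."""
    table = image[446:512]
    return [s for s in range(1, search_sectors)
            if image[s * SECTOR + 446:(s + 1) * SECTOR] == table]


def find_data_beyond_partitions(image: bytes):
    """Non-zero sectors after the end of the last partition: space that no
    file system owns and that a file-level scanner never reads."""
    parts = parse_partitions(image[:SECTOR])
    end = max(lba + count for _, lba, count in parts) if parts else 1
    total = len(image) // SECTOR
    return [s for s in range(end, total)
            if any(image[s * SECTOR:(s + 1) * SECTOR])]


def analyze(image: bytes) -> dict:
    """Combine the checks; 'boot_code_differs' lists MBR copies whose boot
    code does not match sector 0, i.e. the original code was replaced."""
    copies = find_mbr_copies(image)
    return {
        "partitions": parse_partitions(image[:SECTOR]),
        "mbr_copies": copies,
        "boot_code_differs": [s for s in copies
                              if image[s * SECTOR:s * SECTOR + 440] != image[:440]],
        "data_beyond_partitions": find_data_beyond_partitions(image),
    }


def build_sample_image(infected: bool) -> bytearray:
    """Constructed sample: 2048-sector image with one partition at LBA 63 of
    1900 sectors, leaving an unallocated tail. The 'infected' variant mirrors
    the layout the posted mbr.exe output describes: replaced boot code in
    sector 0, the original MBR kept in sector 62, and a 0x2c3-byte blob in
    the unallocated tail. No real boot code is involved."""
    image = bytearray(2048 * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[:440] = (bytes(range(1, 256)) * 2)[:440]      # stand-in boot code
    mbr[440:444] = b"\x12\x34\x56\x78"                 # disk signature
    mbr[446] = 0x80                                    # active flag
    mbr[446 + 4] = 0x07                                # NTFS partition type
    struct.pack_into("<II", mbr, 446 + 8, 63, 1900)   # LBA start, count
    mbr[510:512] = BOOT_SIG
    image[:SECTOR] = mbr
    if infected:
        image[62 * SECTOR:63 * SECTOR] = mbr           # original MBR moved
        image[:440] = b"\x90" * 440                    # boot code replaced
        tail = (63 + 1900) * SECTOR
        image[tail:tail + 0x2c3] = b"\xcc" * 0x2c3     # hidden 0x2c3-byte blob
    return image


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image(False)),
                       ("infected", build_sample_image(True))):
        print(label, analyze(img))
```

On the infected sample the report lists sector 62 as an MBR copy with different boot code and sectors 1963 and 1964 as non-zero data past the partition end; the clean sample reports neither.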

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#40 Post by lukyluk »

The G: flash drive is empty, so I formatted it as FAT32, and now the boot sector can be checked with NOD - no detections.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#41 Post by stell »

Well, we'll see why NOD couldn't open G:\.
So, according to the scans everything is ok. Apart from mbr.exe > in my view that is ok too now, since it doesn't report infected. Now also use this program on the flash drives and USB sticks:
- download this program: http://www.techsupportforum.com/sectool ... fector.exe
- connect the flash drive to the computer and run it
And finally Rootkit Unhooker, so that we're sure; leave the USB and flash drives plugged in.
Download RootkitUnhooker - http://antirootkit.com/software/RootKit-Unhooker.htm
Unpack and run it. The program consists of a number of tabs. Make a log from the "Processes", "SSDT", "Drivers" and "Code Hooks" tabs. You do this by going to the tab, pressing the "Scan" button and then choosing "Quick report" in the menu (on the left) - that saves the log. Post the logs here. It should also be possible to do it all at once if you press Scan in the "Report" tab.

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#42 Post by lukyluk »

Done. As I wrote, after formatting, G: can now be checked.

I ran Disinfektor.exe.

Now Rootkit Unhooker:

1. Report Scan
>SSDT State
>Shadow
>Processes
>Drivers
>Stealth
>Files
>Hooks
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump at address 0x80545C6E hook handler located in [ntkrnlpa.exe]
[1244]ekrn.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet at address 0x7C8449FD hook handler located in [unknown_code_page]
[3996]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

2. Report SSDT
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================

3. Report shadow SSDT
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================

4. Report Processes
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
Process: System
Process Id: 4
EPROCESS Address: 0x8A400A00

Process: C:\Program Files\Analog Devices\Core\smax4pnp.exe
Process Id: 252
EPROCESS Address: 0x89FF5330

Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
Process Id: 260
EPROCESS Address: 0x89DC3BE0

Process: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
Process Id: 348
EPROCESS Address: 0x89E82DA0

Process: C:\Program Files\CyberLink\Shared files\brs.exe
Process Id: 356
EPROCESS Address: 0x89F11DA0

Process: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
Process Id: 364
EPROCESS Address: 0x89F7C880

Process: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
Process Id: 440
EPROCESS Address: 0x89F0E580

Process: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
Process Id: 496
EPROCESS Address: 0x89F3A5A8

Process: C:\WINDOWS\system32\ctfmon.exe
Process Id: 508
EPROCESS Address: 0x89D3FDA0

Process: C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
Process Id: 536
EPROCESS Address: 0x89D5BBB8

Process: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
Process Id: 564
EPROCESS Address: 0x89D3A9F8

Process: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
Process Id: 608
EPROCESS Address: 0x89CAE5D0

Process: C:\WINDOWS\system32\smss.exe
Process Id: 664
EPROCESS Address: 0x89D76838

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 728
EPROCESS Address: 0x89EDE460

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 760
EPROCESS Address: 0x89F27460

Process: C:\WINDOWS\system32\services.exe
Process Id: 804
EPROCESS Address: 0x89F3EBB8

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 816
EPROCESS Address: 0x89EAB958

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 996
EPROCESS Address: 0x89E1C838

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1012
EPROCESS Address: 0x89E10DA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1084
EPROCESS Address: 0x89F59250

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1192
EPROCESS Address: 0x89E01DA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1236
EPROCESS Address: 0x89F58B10

Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
Process Id: 1244
EPROCESS Address: 0x89D499F8

Process: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
Process Id: 1304
EPROCESS Address: 0x89D9FDA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1392
EPROCESS Address: 0x8A14EDA0

Process: C:\WINDOWS\system32\ati2evxx.exe
Process Id: 1488
EPROCESS Address: 0x89DAB460

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 1620
EPROCESS Address: 0x89D0DDA0

Process: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 1696
EPROCESS Address: 0x89CFEB98

Process: C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
Process Id: 1752
EPROCESS Address: 0x89CC7258

Process: C:\Program Files\CyberLink\Shared files\RichVideo.exe
Process Id: 1828
EPROCESS Address: 0x89F157D0

Process: C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
Process Id: 2180
EPROCESS Address: 0x89CC48D8

Process: C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
Process Id: 2208
EPROCESS Address: 0x89CE3A20

Process: C:\WINDOWS\system32\wbem\wmiprvse.exe
Process Id: 2384
EPROCESS Address: 0x89FF5A48

Process: C:\Documents and Settings\Lukas a Misa\Plocha\rku37300509.exe
Process Id: 2408
EPROCESS Address: 0x867EBAD0

Process: C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
Process Id: 2704
EPROCESS Address: 0x89DF7588

Process: C:\WINDOWS\system32\alg.exe
Process Id: 2824
EPROCESS Address: 0x89EC1DA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 3032
EPROCESS Address: 0x89FD3DA0

Process: C:\Documents and Settings\Lukas a Misa\Plocha\vir\RootkitRevealer\RootkitRevealer.exe
Process Id: 3040
EPROCESS Address: 0x89F22500

Process: C:\DOCUME~1\LUKASA~1\LOCALS~1\Temp\CTVHEIH.exe
Process Id: 3348
EPROCESS Address: 0x89F09480

Process: C:\Program Files\Mozilla Firefox\firefox.exe
Process Id: 3804
EPROCESS Address: 0x89EEA770

Process: C:\WINDOWS\explorer.exe
Process Id: 3996
EPROCESS Address: 0x8860DB50

5. Report Drivers
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
Driver: C:\Program Files\CyberLink\PowerDVD\000.fcl
Address: 0xAA8FB000
Size: 118784 bytes

Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA8C8000
Size: 57344 bytes

Driver: ACPI.sys
Address: 0xBA779000
Size: 188416 bytes

Driver: ACPI_HAL
Address: 0x806E4000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\drivers\ADIHdAud.sys
Address: 0xADBD4000
Size: 311296 bytes

Driver: C:\WINDOWS\system32\drivers\AEAudio.sys
Address: 0xADAF9000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAD94D000
Size: 139264 bytes

Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBAA28000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xBADF2000
Size: 8192 bytes

Driver: atapi.sys
Address: 0xBA70B000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA1B000
Size: 376832 bytes

Driver: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000
Size: 286720 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xB9E0E000
Size: 2510848 bytes

Driver: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFAF3000
Size: 2945024 bytes

Driver: C:\WINDOWS\system32\drivers\atibtcap.sys
Address: 0xBAA58000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\atibtxbr.sys
Address: 0xBAE26000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA77000
Size: 331776 bytes

Driver: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBFAC8000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\drivers\ativtutw.sys
Address: 0xBAB90000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFDC2000
Size: 1523712 bytes

Driver: C:\WINDOWS\system32\drivers\ativxstw.sys
Address: 0xBAB98000
Size: 28672 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAF10000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBAE66000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xADB80000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBAAB8000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA908000
Size: 53248 bytes

Driver: disk.sys
Address: 0xBA8F8000
Size: 36864 bytes

Driver: dmio.sys
Address: 0xBA723000
Size: 155648 bytes

Driver: dmload.sys
Address: 0xBADAC000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA132000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD757000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADF4000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xAD91E000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000
Size: 73728 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBAFFB000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0xAAB4A000
Size: 315392 bytes

Driver: C:\WINDOWS\system32\DRIVERS\easdrv.sys
Address: 0xBAA48000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0xBA9D8000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xAB0D3000
Size: 147456 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAA38000
Size: 45056 bytes

Driver: fltmgr.sys
Address: 0xBA6EB000
Size: 131072 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBAE64000
Size: 8192 bytes

Driver: ftdisk.sys
Address: 0xBA749000
Size: 126976 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9DAE000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xADBA0000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBABE8000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xADA81000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xAA6DA000
Size: 266240 bytes

Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA9C8000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBAAA8000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBAA08000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAD997000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xADA3E000
Size: 77824 bytes

Driver: isapnp.sys
Address: 0xBA8A8000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAC98000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBA5C2000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xAA317000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB9D4E000
Size: 143360 bytes

Driver: KSecDD.sys
Address: 0xBA6C2000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
Address: 0xBA5BA000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
Address: 0xBAC40000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
Address: 0xBAC48000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
Address: 0xB9C6A000
Size: 188416 bytes

Driver: C:\DOCUME~1\LUKASA~1\LOCALS~1\Temp\mbr.sys
Address: 0xBADB0000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBAE68000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAB40000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBADA0000
Size: 12288 bytes

Driver: MountMgr.sys
Address: 0xBA8D8000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAABBF000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAD88A000
Size: 458752 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBABF8000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBAB08000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA087000
Size: 16384 bytes

Driver: Mup.sys
Address: 0xBA5EE000
Size: 106496 bytes

Driver: NDIS.sys
Address: 0xBA608000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA5B2000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAB43B000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9D37000
Size: 94208 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA978000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA9F8000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAD9BD000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBAA78000
Size: 65536 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBAC00000
Size: 32768 bytes

Driver: Ntfs.sys
Address: 0xBA635000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2150400 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAEEF000
Size: 4096 bytes

Driver: ohci1394.sys
Address: 0xBA8B8000
Size: 65536 bytes

Driver: PartMgr.sys
Address: 0xBAB30000
Size: 20480 bytes

Driver: pci.sys
Address: 0xBA768000
Size: 69632 bytes

Driver: pciide.sys
Address: 0xBAE70000
Size: 4096 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000
Size: 28672 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2150400 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xADBB0000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9D26000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBACA8000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB9C62000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBAAD8000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBAAE8000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBAAF8000
Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBACB0000
Size: 20480 bytes

Driver: RAW
Address: 0x804D7000
Size: 2150400 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAD922000
Size: 176128 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBAE6A000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB9CF6000
Size: 196608 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBAAC8000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xBAC30000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xBADFC000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\SCDEmu.SYS
Address: 0xBAA18000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\drivers\Senfilt.sys
Address: 0xADA99000
Size: 393216 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA5BE000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBAA88000
Size: 65536 bytes

Driver: sr.sys
Address: 0xBA6D9000
Size: 73728 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xAAAF8000
Size: 335872 bytes

Driver: C:\WINDOWS\system32\drivers\STREAM.SYS
Address: 0xBAA68000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADFE000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xAB38F000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAD9E5000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBACA0000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBAB18000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9C98000
Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xBAC20000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBAE00000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAC90000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA142000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB9DD6000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xBAC10000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBAC88000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBABF0000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9DFA000
Size: 81920 bytes

Driver: VolSnap.sys
Address: 0xBA8E8000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA9E8000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xBAC70000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Address: 0xAD76F000
Size: 503808 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xADB70000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xAB0BE000
Size: 86016 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000
Size: 8192 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2150400 bytes

Driver: C:\WINDOWS\system32\DRIVERS\yk51x86.sys
Address: 0xB9D71000
Size: 249856 bytes

7. Report Code Hooks
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================

[1244]ekrn.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet at address 0x7C8449FD hook handler located in [unknown_code_page]
[3996]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump at address 0x80545C6E hook handler located in [ntkrnlpa.exe]

lukyluk
Exemplary visitor
Posts: 36
Registered: 10 Jul 2008 20:25

Re: Win32/Mebroot.K

#43 Post by lukyluk »

I also ran a scan with RootkitRevealer:

HKU\.DEFAULT\Control Panel\International 11.7.2008 14:17 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 11.7.2008 14:17 0 bytes Security mismatch.
HKU\S-1-5-21-1614895754-1972579041-682003330-1003\Control Panel\International 11.7.2008 14:17 0 bytes Security mismatch.
HKU\S-1-5-21-1614895754-1972579041-682003330-1003\Control Panel\International\Geo 11.7.2008 14:17 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 11.7.2008 14:17 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 11.7.2008 14:17 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 3.3.2008 22:00 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3.3.2008 22:00 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 18.5.2008 17:46 0 bytes Key name contains embedded nulls (*)
C:\autorun.inf 12.7.2008 13:51 0 bytes Hidden from Windows API.
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector 12.7.2008 13:51 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Charon\FND8.NFI 12.7.2008 13:35 277 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Charon\FND9.NFI 12.7.2008 13:49 270 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Logs\eScan\ndl29706.dat 12.7.2008 13:33 1.12 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\2307B20Cd01 12.7.2008 13:34 24.09 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\3A54FC37d01 12.7.2008 13:35 20.99 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\426549C9d01 12.7.2008 13:50 101.55 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\4D1C794Ad01 12.7.2008 13:47 106.91 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\8365213Fd01 12.7.2008 13:51 62.07 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\AEA623EEd01 12.7.2008 13:52 85.31 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\B5F0580Bd01 12.7.2008 13:30 20.29 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\1t791o26.default\Cache\D4B9B176d01 12.7.2008 13:31 17.68 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Local Settings\Temp\nircmd.exe 12.7.2008 13:50 25.50 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Plocha\20071210_182632_rku37300509.rar 11.7.2008 22:56 85.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Lukas a Misa\Plocha\20071210_182632_rku37300509.rar:Zone.Identifier 11.7.2008 22:56 26 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Lukas a Misa\Plocha\rku37300509.exe 12.7.2008 13:52 93.50 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Plocha\vir\Flash_Disinfector.exe 12.7.2008 13:51 101.55 KB Hidden from Windows API.
C:\Documents and Settings\Lukas a Misa\Plocha\vir\Flash_Disinfector.exe:Zone.Identifier 12.7.2008 13:51 26 bytes Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\ HFX Filter.xml 25.9.1619 11:47 509 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\ HFX Transition.xml 25.9.1619 11:47 539 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\HFX Filter.xml 22.7.30046 0:36 509 bytes Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Plugins\RTFx\HfxXML\HFX Transition.xml 22.7.30046 0:36 539 bytes Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Baby Cough.wav 9.5.2007 15:40 382.76 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Champagne Pop and Pour.wav 9.5.2007 15:40 1.33 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Champagne Pop.wav 9.5.2007 15:40 386.49 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Champagne Pour.wav 9.5.2007 15:40 1.33 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Cough Harsh.wav 9.5.2007 15:40 745.09 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Coughing and Sneezing.wav 9.5.2007 15:40 1.70 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Crunch.wav 9.5.2007 15:40 797.06 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Dog Scratch Cartoon.wav 9.5.2007 15:40 2.08 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Dog Scratching and Breathing.wav 9.5.2007 15:40 3.15 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Female Cough and Sneeze.wav 9.5.2007 15:40 1.71 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Generator Motor.wav 9.5.2007 15:40 2.52 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Man Grunting and Straining.wav 9.5.2007 15:40 671.30 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Pet Eating.wav 9.5.2007 15:40 2.44 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Popcorn Cartoon 1.wav 9.5.2007 15:40 3.46 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Popcorn Cartoon 2.wav 9.5.2007 15:40 3.83 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Popcorn Machine Motor.wav 9.5.2007 15:40 801.65 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Popcorn Motor.wav 9.5.2007 15:40 882.91 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Products Chime.wav 9.5.2007 15:40 567.66 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Refrigerator Door Closing.wav 9.5.2007 15:40 379.03 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Refrigerator Door Opening.wav 9.5.2007 15:40 385.63 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Refrigerator Hum 1.wav 9.5.2007 15:40 1.63 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Refrigerator Hum 2.wav 9.5.2007 15:40 2.24 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Scouring Pad Cartoon.wav 9.5.2007 15:40 1.25 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Scratch Pitch Shift.wav 9.5.2007 15:40 383.62 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Sneeze Multiple.wav 9.5.2007 15:40 1.12 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Sneeze Single.wav 9.5.2007 15:40 379.89 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Sneezes and Nose Blow.wav 9.5.2007 15:40 2.21 MB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy \Throat Clearing.wav 9.5.2007 15:40 774.95 KB Hidden from Windows API.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Baby Cough.wav 9.5.2007 15:40 382.76 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Champagne Pop and Pour.wav 9.5.2007 15:40 1.33 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Champagne Pop.wav 9.5.2007 15:40 386.49 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Champagne Pour.wav 9.5.2007 15:40 1.33 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Cough Harsh.wav 9.5.2007 15:40 745.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Coughing and Sneezing.wav 9.5.2007 15:40 1.70 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Crunch.wav 9.5.2007 15:40 797.06 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Dog Scratch Cartoon.wav 9.5.2007 15:40 2.08 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Dog Scratching and Breathing.wav 9.5.2007 15:40 3.15 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Female Cough and Sneeze.wav 9.5.2007 15:40 1.71 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Generator Motor.wav 9.5.2007 15:40 2.52 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Man Grunting and Straining.wav 9.5.2007 15:40 671.30 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Pet Eating.wav 9.5.2007 15:40 2.44 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Popcorn Cartoon 1.wav 9.5.2007 15:40 3.46 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Popcorn Cartoon 2.wav 9.5.2007 15:40 3.83 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Popcorn Machine Motor.wav 9.5.2007 15:40 801.65 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Popcorn Motor.wav 9.5.2007 15:40 882.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Products Chime.wav 9.5.2007 15:40 567.66 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Refrigerator Door Closing.wav 9.5.2007 15:40 379.03 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Refrigerator Door Opening.wav 9.5.2007 15:40 385.63 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Refrigerator Hum 1.wav 9.5.2007 15:40 1.63 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Refrigerator Hum 2.wav 9.5.2007 15:40 2.24 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Scouring Pad Cartoon.wav 9.5.2007 15:40 1.25 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Scratch Pitch Shift.wav 9.5.2007 15:40 383.62 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Sneeze Multiple.wav 9.5.2007 15:40 1.12 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Sneeze Single.wav 9.5.2007 15:40 379.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Sneezes and Nose Blow.wav 9.5.2007 15:40 2.21 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Pinnacle\Studio 11\Sound Effects\UFX - Komiksy\Throat Clearing.wav 9.5.2007 15:40 774.95 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1\A0001252.ini 11.7.2008 19:56 12.73 KB Hidden from Windows API.
C:\System Volume Information\_restore{FD9B0907-E5B1-460C-84F5-43FD11C39B7D}\RP1\A0001253.lnk 12.7.2008 13:51 516 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\ATTRIB.EXE-39EAFB02.pf 12.7.2008 13:51 14.61 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\CA9F16D0.EXE-36B0634B.pf 12.7.2008 13:54 61.83 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf 12.7.2008 13:51 68.69 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf 12.7.2008 13:51 14.22 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf 12.7.2008 13:51 12.90 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\FLASH_DISINFECTOR.EXE-2539D7E6.pf 12.7.2008 13:50 58.36 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf 12.7.2008 13:50 11.53 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf 12.7.2008 13:50 12.98 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\NIRCMD.EXE-1D5B08F6.pf 12.7.2008 13:51 10.20 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf 12.7.2008 13:51 20.28 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RKU37300509.EXE-00088578.pf 12.7.2008 13:52 78.44 KB Hidden from Windows API.

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#44 Post by stell »

I don't see anything here either, unless I overlooked something. Also, click on SVI in my signature and follow that guide. Then it should be OK.
Important information.
Is your computer NOT RUNNING RIGHT?
Is it infected? Running slowly? A program not working? Installation problems?
Use the remote assistance service!
e-mail: stell(at)forum.viry.cz
Thanks! Vďaka!

stell
VIP
Posts: 5175
Registered: 09 Dec 2007 09:27
Location: SK-REVUCA

Re: Win32/Mebroot.K

#45 Post by stell »

This way, in my opinion, everything is OK. The PC was scanned with several top-notch programs and they found nothing, so according to them, and according to me, it's OK.
One more thing is suspicious, I don't know what it is:
C:\DOCUME~1\LUKASA~1\LOCALS~1\Temp\CTVHEIH.exe
Test it on VirusTotal, then delete the programs we installed and clean up with CCleaner. Then it should be OK.

Locked