Kontrola logu rootkit
Napsal: 21 čer 2009 18:00
Zdravim,
v posledni dobu jsem mel problemy s internetem. AVG naslo trojsky kun Rootkit Agent - ten bohuzel neumelo odstranit. Prolezal jsem ruzne diskuze a nakonec jsem pouzil tyto nastroje: Spybot,RootkitRevealer, Malwarebytes' Anti-Malware (ten toho zachytil celkem dost), ashampoo_antispyware203, a samozrejme combofix.
Krome Rootkit Revealeru je nyni vse ciste. Prikladam sem log z Rootkit Revealeru a combofixu. Prosim o sdeleni, zda jsem se te haveti zbavil ci o pomoc, jak na to? Diky moc
ComboFix 09-06-20.04 - Vladimír Hynek 21.06.2009 17:26.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.502.236 [GMT 2:00]
Spuštěný z: c:\documents and settings\Vladimír Hynek\Plocha\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
-- Snímek resetován k současnému datu --
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"pdfSaver3"="c:\program files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 385024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-04-19 65536]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-05-04 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-21 761946]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-08-19 303104]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-18 1948440]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [BU]
"'Ashampoo AntiSpyWare 2 Guard'"="c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2008-09-08 2349912]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"PRISMSTA.EXE"="PRISMSTA.EXE" - c:\windows\system32\PRISMSTA.exe [2003-05-08 215552]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Vladimˇr Hynek\Nabˇdka Start\Programy\Po spuçtŘnˇ\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-2-11 2301952]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2007-11-29 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-18 09:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TRUCK & CARGO Online"=c:\tccargo\tccargo.exe --autostart
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"602PC SUITE PDF Saver"="c:\program files\Common Files\soft602\pdfSaver.exe"
"DownloadAccelerator"=c:\progra~1\DAP\DAP.EXE /STARTUP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26755:TCP"= 26755:TCP:BitComet 26755 TCP
"26755:UDP"= 26755:UDP:BitComet 26755 UDP
"24872:TCP"= 24872:TCP:BitComet 24872 TCP
"24872:UDP"= 24872:UDP:BitComet 24872 UDP
"22254:TCP"= 22254:TCP:BitComet 22254 TCP
"22254:UDP"= 22254:UDP:BitComet 22254 UDP
"12846:TCP"= 12846:TCP:BitComet 12846 TCP
"12846:UDP"= 12846:UDP:BitComet 12846 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18.6.2009 11:52 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18.6.2009 11:52 108552]
R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [21.6.2009 15:32 749400]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18.6.2009 11:51 298776]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\SophosMEMSWEEP.SYS --> c:\windows\system32\SophosMEMSWEEP.SYS [?]
S1 mailKmd;mailKmd; [x]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [29.11.2007 12:37 61776]
S3 PRISM_ICB;Intersil PRISM Wireless LAN 802.11g Driver;c:\windows\system32\drivers\PRISMICB.sys [2.2.2008 18:39 55488]
--- Ostatní služby/ovladače v paměti ---
*NewlyCreated* - AASW2_SERVICE
*Deregistered* - mchInjDrv
*Deregistered* - RKREVEAL150
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: {{C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - c:\microgaming\Poker\UnibetpokerMPP\MPPoker.exe
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:33
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\program files\Launch Manager\CtrlVol.exe? 5??\??? ??|h??|????a??|Nj?w?j?w????????0??? ???????????????d??????|????????p?????@??y??????h{?w???????????????sx??s@??????????????|h??st??????????s?????????????????C?sc"?sx??s??????7~??@?N'?sTC9? :@?`C9????????
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\athgina.dll
c:\windows\system32\athcfg11.dll
c:\windows\system32\athcfg11Res.dll
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
- - - - - - - > 'lsass.exe'(1004)
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
- - - - - - - > 'csrss.exe'(916)
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
.
Celkový čas: 2009-06-21 17:35
ComboFix-quarantined-files.txt 2009-06-21 15:35
ComboFix2.txt 2009-06-21 08:27
ComboFix3.txt 2009-06-20 19:33
ComboFix4.txt 2009-06-13 09:57
ComboFix5.txt 2009-06-21 15:25
Před spuštěním: 2 199 568 384
Po spuštění: 2 692 366 336
4649 --- E O F --- 2009-06-21 09:04
log z rootkitrevealu
HKU\S-1-5-21-1454471165-1390067357-725345543-1003\Console 21.6.2009 17:35 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 28.11.2007 13:31 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 28.11.2007 13:31 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 21.6.2009 17:38 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 21.6.2009 17:38 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\swearware\backup\winsock2 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022 20.6.2009 21:15 0 bytes Security mismatch.
v posledni dobu jsem mel problemy s internetem. AVG naslo trojsky kun Rootkit Agent - ten bohuzel neumelo odstranit. Prolezal jsem ruzne diskuze a nakonec jsem pouzil tyto nastroje: Spybot,RootkitRevealer, Malwarebytes' Anti-Malware (ten toho zachytil celkem dost), ashampoo_antispyware203, a samozrejme combofix.
Krome Rootkit Revealeru je nyni vse ciste. Prikladam sem log z Rootkit Revealeru a combofixu. Prosim o sdeleni, zda jsem se te haveti zbavil ci o pomoc, jak na to? Diky moc
ComboFix 09-06-20.04 - Vladimír Hynek 21.06.2009 17:26.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.502.236 [GMT 2:00]
Spuštěný z: c:\documents and settings\Vladimír Hynek\Plocha\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
-- Snímek resetován k současnému datu --
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"pdfSaver3"="c:\program files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 385024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2006-04-19 65536]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-05-04 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-21 761946]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-08-19 303104]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-18 1948440]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [BU]
"'Ashampoo AntiSpyWare 2 Guard'"="c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2008-09-08 2349912]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2006-01-20 544768]
"PRISMSTA.EXE"="PRISMSTA.EXE" - c:\windows\system32\PRISMSTA.exe [2003-05-08 215552]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Vladimˇr Hynek\Nabˇdka Start\Programy\Po spuçtŘnˇ\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-2-11 2301952]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2007-11-29 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-18 09:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TRUCK & CARGO Online"=c:\tccargo\tccargo.exe --autostart
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"602PC SUITE PDF Saver"="c:\program files\Common Files\soft602\pdfSaver.exe"
"DownloadAccelerator"=c:\progra~1\DAP\DAP.EXE /STARTUP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26755:TCP"= 26755:TCP:BitComet 26755 TCP
"26755:UDP"= 26755:UDP:BitComet 26755 UDP
"24872:TCP"= 24872:TCP:BitComet 24872 TCP
"24872:UDP"= 24872:UDP:BitComet 24872 UDP
"22254:TCP"= 22254:TCP:BitComet 22254 TCP
"22254:UDP"= 22254:UDP:BitComet 22254 UDP
"12846:TCP"= 12846:TCP:BitComet 12846 TCP
"12846:UDP"= 12846:UDP:BitComet 12846 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18.6.2009 11:52 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18.6.2009 11:52 108552]
R2 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [21.6.2009 15:32 749400]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18.6.2009 11:51 298776]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\SophosMEMSWEEP.SYS --> c:\windows\system32\SophosMEMSWEEP.SYS [?]
S1 mailKmd;mailKmd; [x]
S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [29.11.2007 12:37 61776]
S3 PRISM_ICB;Intersil PRISM Wireless LAN 802.11g Driver;c:\windows\system32\drivers\PRISMICB.sys [2.2.2008 18:39 55488]
--- Ostatní služby/ovladače v paměti ---
*NewlyCreated* - AASW2_SERVICE
*Deregistered* - mchInjDrv
*Deregistered* - RKREVEAL150
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: {{C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - c:\microgaming\Poker\UnibetpokerMPP\MPPoker.exe
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 17:33
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\program files\Launch Manager\CtrlVol.exe? 5??\??? ??|h??|????a??|Nj?w?j?w????????0??? ???????????????d??????|????????p?????@??y??????h{?w???????????????sx??s@??????????????|h??st??????????s?????????????????C?sc"?sx??s??????7~??@?N'?sTC9? :@?`C9????????
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\athgina.dll
c:\windows\system32\athcfg11.dll
c:\windows\system32\athcfg11Res.dll
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
- - - - - - - > 'lsass.exe'(1004)
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
- - - - - - - > 'csrss.exe'(916)
c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\Guard.dll
.
Celkový čas: 2009-06-21 17:35
ComboFix-quarantined-files.txt 2009-06-21 15:35
ComboFix2.txt 2009-06-21 08:27
ComboFix3.txt 2009-06-20 19:33
ComboFix4.txt 2009-06-13 09:57
ComboFix5.txt 2009-06-21 15:25
Před spuštěním: 2 199 568 384
Po spuštění: 2 692 366 336
4649 --- E O F --- 2009-06-21 09:04
log z rootkitrevealu
HKU\S-1-5-21-1454471165-1390067357-725345543-1003\Console 21.6.2009 17:35 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 28.11.2007 13:31 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 28.11.2007 13:31 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 21.6.2009 17:38 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 21.6.2009 17:38 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\swearware\backup\winsock2 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021 20.6.2009 21:15 0 bytes Security mismatch.
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022 20.6.2009 21:15 0 bytes Security mismatch.