Zdravím.
Od včera mně dosti zpomalil comp při startu.
Pomalý je i při prohlížení internetu.
Čistil jsem,projel Avastem (nalezen červ,byl přesunut do truhly) ale změna žádná.Prosím tedy o kontrolu díky předem.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:42, on 24.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\PROGRA~1\AIMP2\AIMP2.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Documents and Settings\Varg\Plocha\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Stáhnout Free Download Managerem - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Stáhnout video Free Download Managerem - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Stáhnout vybrané Free Download Managerem - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Stáhnout vše Free Download Managerem - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9820371687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
--
End of file - 6162 bytes
Prosím o kontrolu HJT
Re: Prosím o kontrolu HJT
Ahoj. Kde bol hlaseny ten cerv (adresa)?
Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.
Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!
Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.
Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!
Nemam rad amaterizmus...
A adresat odkazu to vie :)
A adresat odkazu to vie :)
Re: Prosím o kontrolu HJT
Ahoj.
takže červ byl tady viz obr a ten log bude hned.
http://img132.imageshack.us/img132/8935/virz.png
takže červ byl tady viz obr a ten log bude hned.
http://img132.imageshack.us/img132/8935/virz.png
Re: Prosím o kontrolu HJT
ComboFix 09-10-24.03 - Varg 25.10.2009 15:34.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.2558.2093 [GMT 1:00]
Spuštěný z: c:\documents and settings\Varg\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091024-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-09-25 do 2009-10-25 )))))))))))))))))))))))))))))))
.
2009-10-18 16:02 . 2009-10-19 12:45 -------- d-----w- c:\program files\GameShadow
2009-10-11 19:37 . 2009-10-11 19:38 5123811 ----a-w- c:\windows\REGBK00.ZIP
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\VDLL.DLL
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\system32\runouce.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\rundll16.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\RUNDL132.EXE
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\logo1_.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\logo_1.exe
2009-10-11 19:21 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2009-10-11 19:21 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2009-10-11 18:48 . 2009-10-11 18:48 -------- d-----w- c:\program files\Sierra Entertainment
2009-10-09 19:37 . 2009-10-09 19:37 -------- d-----w- c:\program files\DIFX
2009-09-25 19:32 . 2009-09-25 19:44 -------- d-----w- c:\program files\Seznam.cz
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 14:33 . 2004-09-06 14:23 82552 ----a-w- c:\windows\system32\perfc005.dat
2009-10-25 14:33 . 2004-09-06 14:23 437832 ----a-w- c:\windows\system32\perfh005.dat
2009-10-20 20:34 . 2009-04-15 18:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 14:34 . 2009-04-15 16:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-17 09:18 . 2009-06-24 18:15 -------- d-----w- c:\program files\Metin2_CZ
2009-10-09 19:35 . 2009-04-15 20:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-02 19:13 . 2009-05-02 08:14 -------- d-----w- c:\program files\Electronic Arts
2009-09-21 11:11 . 2009-05-02 08:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-21 11:11 . 2009-07-09 11:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:19 . 2004-08-17 22:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2004-08-17 22:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 15:48 . 2009-04-15 19:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 07:58 . 2004-08-17 22:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2004-08-17 22:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 16:10 . 2009-04-15 17:21 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-04-15 17:21 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-04-15 17:21 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-04-15 17:21 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-04-15 17:21 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-04-15 17:21 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-04-15 17:21 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-04-15 17:21 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-04-15 17:21 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-14 11:36 . 2009-08-14 11:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-10 09:31 . 2009-07-28 12:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-06 17:24 . 2004-08-17 22:49 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2004-08-17 22:49 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2008-10-16 12:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2004-08-17 22:49 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2004-08-17 22:49 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2004-08-17 22:49 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2004-08-17 22:49 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2009-04-16 14:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 17:23 . 2008-10-16 12:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 17:23 . 2004-08-17 22:49 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-17 22:49 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:59 . 2004-08-17 22:45 2191360 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:29 . 2004-08-18 09:00 2068224 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSwedish.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSpanish.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelPortugese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelKorean.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelJapanese.dll
2009-08-02 22:21 . 2009-08-02 22:21 288024 ----a-w- c:\windows\system32\PhysXCplUI.exe
2009-08-02 22:21 . 2009-08-02 22:21 288024 ----a-w- c:\windows\system32\PhysXCompatCplUI.exe
2009-08-02 22:21 . 2009-08-02 22:21 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelGerman.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelFrench.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-07 337216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Sniper Elite\\SniperElite.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Metin2_CZ\\metin2.bin"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15.4.2009 18:21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.4.2009 18:21 20560]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Stáhnout Free Download Managerem - file://c:\program files\Free Download Manager\dllink.htm
IE: Stáhnout video Free Download Managerem - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Stáhnout vybrané Free Download Managerem - file://c:\program files\Free Download Manager\dlselected.htm
IE: Stáhnout vše Free Download Managerem - file://c:\program files\Free Download Manager\dlall.htm
FF - ProfilePath - c:\documents and settings\Varg\Data aplikací\Mozilla\Firefox\Profiles\g1hz34eq.default\
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 15:37
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-10-25 15:39
ComboFix-quarantined-files.txt 2009-10-25 14:39
Před spuštěním: Volných bajtů: 87 091 372 032
Po spuštění: Volných bajtů: 87 065 604 096
- - End Of File - - 972352BF902424C46A5E11F7AA759F35
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.2558.2093 [GMT 1:00]
Spuštěný z: c:\documents and settings\Varg\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091024-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-09-25 do 2009-10-25 )))))))))))))))))))))))))))))))
.
2009-10-18 16:02 . 2009-10-19 12:45 -------- d-----w- c:\program files\GameShadow
2009-10-11 19:37 . 2009-10-11 19:38 5123811 ----a-w- c:\windows\REGBK00.ZIP
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\VDLL.DLL
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\system32\runouce.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\rundll16.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\RUNDL132.EXE
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\logo1_.exe
2009-10-11 19:32 . 2009-10-11 19:32 -------- d---a-w- c:\windows\logo_1.exe
2009-10-11 19:21 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2009-10-11 19:21 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2009-10-11 18:48 . 2009-10-11 18:48 -------- d-----w- c:\program files\Sierra Entertainment
2009-10-09 19:37 . 2009-10-09 19:37 -------- d-----w- c:\program files\DIFX
2009-09-25 19:32 . 2009-09-25 19:44 -------- d-----w- c:\program files\Seznam.cz
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 14:33 . 2004-09-06 14:23 82552 ----a-w- c:\windows\system32\perfc005.dat
2009-10-25 14:33 . 2004-09-06 14:23 437832 ----a-w- c:\windows\system32\perfh005.dat
2009-10-20 20:34 . 2009-04-15 18:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-19 14:34 . 2009-04-15 16:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-17 09:18 . 2009-06-24 18:15 -------- d-----w- c:\program files\Metin2_CZ
2009-10-09 19:35 . 2009-04-15 20:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-02 19:13 . 2009-05-02 08:14 -------- d-----w- c:\program files\Electronic Arts
2009-09-21 11:11 . 2009-05-02 08:13 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-21 11:11 . 2009-07-09 11:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:19 . 2004-08-17 22:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2004-08-17 22:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 15:48 . 2009-04-15 19:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 07:58 . 2004-08-17 22:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2004-08-17 22:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 16:10 . 2009-04-15 17:21 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-04-15 17:21 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-04-15 17:21 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-04-15 17:21 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-04-15 17:21 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-04-15 17:21 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-04-15 17:21 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-04-15 17:21 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-04-15 17:21 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-14 11:36 . 2009-08-14 11:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-10 09:31 . 2009-07-28 12:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-06 17:24 . 2004-08-17 22:49 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2004-08-17 22:49 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2008-10-16 12:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2004-08-17 22:49 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2004-08-17 22:49 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2004-08-17 22:49 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2004-08-17 22:49 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2009-04-16 14:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 17:23 . 2008-10-16 12:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 17:23 . 2004-08-17 22:49 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-17 22:49 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:59 . 2004-08-17 22:45 2191360 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:29 . 2004-08-18 09:00 2068224 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSwedish.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSpanish.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelPortugese.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelKorean.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelJapanese.dll
2009-08-02 22:21 . 2009-08-02 22:21 288024 ----a-w- c:\windows\system32\PhysXCplUI.exe
2009-08-02 22:21 . 2009-08-02 22:21 288024 ----a-w- c:\windows\system32\PhysXCompatCplUI.exe
2009-08-02 22:21 . 2009-08-02 22:21 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelGerman.dll
2009-08-02 22:21 . 2009-08-02 22:21 58648 ----a-w- c:\windows\system32\AgCPanelFrench.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-07 337216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Sniper Elite\\SniperElite.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Metin2_CZ\\metin2.bin"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15.4.2009 18:21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.4.2009 18:21 20560]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Stáhnout Free Download Managerem - file://c:\program files\Free Download Manager\dllink.htm
IE: Stáhnout video Free Download Managerem - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Stáhnout vybrané Free Download Managerem - file://c:\program files\Free Download Manager\dlselected.htm
IE: Stáhnout vše Free Download Managerem - file://c:\program files\Free Download Manager\dlall.htm
FF - ProfilePath - c:\documents and settings\Varg\Data aplikací\Mozilla\Firefox\Profiles\g1hz34eq.default\
FF - prefs.js: browser.startup.homepage - hxxp://seznam.cz
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 15:37
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-10-25 15:39
ComboFix-quarantined-files.txt 2009-10-25 14:39
Před spuštěním: Volných bajtů: 87 091 372 032
Po spuštění: Volných bajtů: 87 065 604 096
- - End Of File - - 972352BF902424C46A5E11F7AA759F35
Re: Prosím o kontrolu HJT
Zatial cisto...
1) Pojdes >>sem<< a das si spravi scan - tu mas navod (by neomage):
2) Stiahni GMER, rozbal ho na plochu a spust. Program automaticky zacne scan (po jeho skonceni vloz log c. 1) - pokial pri scanovani nieco najde (=vyskoci nejake upozornenie), klik na "NO" a vpravo zafajknes vsetky polozky OKREM:
Ak nic nenajde (=nevyskoci nic), zaskrtaj vpravo vsetko a spusti scan. Po jeho ukonceni klik na "Copy" a vloz log c. 2.
1) Pojdes >>sem<< a das si spravi scan - tu mas navod (by neomage):
2) Stiahni GMER, rozbal ho na plochu a spust. Program automaticky zacne scan (po jeho skonceni vloz log c. 1) - pokial pri scanovani nieco najde (=vyskoci nejake upozornenie), klik na "NO" a vpravo zafajknes vsetky polozky OKREM:
- Sections
- IAT/EAT
- Registry
- nesystemovych diskov a particii (system je zvycajne na "C:\" - takze nezaskrtnute nechas "D:\", "E:\"...atd.)
- Show All
Ak nic nenajde (=nevyskoci nic), zaskrtaj vpravo vsetko a spusti scan. Po jeho ukonceni klik na "Copy" a vloz log c. 2.
Nemam rad amaterizmus...
A adresat odkazu to vie :)
A adresat odkazu to vie :)
Re: Prosím o kontrolu HJT
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-25 23:36:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Varg\LOCALS~1\Temp\pxtyqfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAD23D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAD23D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAD23DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAD23D14C]
SSDT sphk.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sphk.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAD23D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAD23D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAD23D0F0]
SSDT sphk.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAD23D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAD23D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAD23D8AE]
INT 0x62 ? 8A1D2BF8
INT 0x83 ? 8A1D2BF8
INT 0xA4 ? 8A1D4BF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A1D11F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\PCI_PNP8962 \Device\00000041 sphk.sys
Device \Driver\usbohci \Device\USBPDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBPDO-1 89F0B1F8
Device \Driver\usbehci \Device\USBPDO-2 89EA91F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1661F8
Device \Driver\Cdrom \Device\CdRom0 89E9D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1661F8
Device \Driver\Cdrom \Device\CdRom1 89E9D1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-13 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-1b [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\USBSTOR \Device\00000066 89CB6500
Device \Driver\Cdrom \Device\CdRom2 89E9D1F8
Device \Driver\Cdrom \Device\CdRom3 89E9D1F8
Device \Driver\USBSTOR \Device\00000068 89CB6500
Device \Driver\Cdrom \Device\CdRom4 89E9D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89C47500
Device \Driver\NetBT \Device\NetbiosSmb 89C47500
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 89F0B1F8
Device \Driver\sptd \Device\430102712 sphk.sys
Device \Driver\usbohci \Device\USBFDO-1 89F0B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FF2500
Device \Driver\usbehci \Device\USBFDO-2 89EA91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CCF5A52E-4EEB-45D9-8EA9-463831A990D7} 89C47500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FF2500
Device \Driver\Ftdisk \Device\FtControl 8A1661F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target1Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target2Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target0Lun0 89DC21F8
Device \FileSystem\Cdfs \Cdfs 89CA4500
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-25 21:38:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Varg\LOCALS~1\Temp\pxtyqfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAD23D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAD23D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAD23DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAD23D14C]
SSDT sphk.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sphk.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAD23D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAD23D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAD23D0F0]
SSDT sphk.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAD23D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAD23D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAD23D8AE]
INT 0x62 ? 8A1D2BF8
INT 0x83 ? 8A1D2BF8
INT 0xA4 ? 8A1D4BF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
---- Kernel code sections - GMER 1.0.15 ----
? sphk.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload B98A98AC 5 Bytes JMP 89F0C1D8
.text ag88yis3.SYS B95C1386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ag88yis3.SYS B95C13AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ag88yis3.SYS B95C13C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ag88yis3.SYS B95C13C9 1 Byte [30]
.text ag88yis3.SYS B95C13C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] sphk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] sphk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] sphk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] sphk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] sphk.sys
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] sphk.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A1D11F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\PCI_PNP8962 \Device\00000041 sphk.sys
Device \Driver\usbohci \Device\USBPDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBPDO-1 89F0B1F8
Device \Driver\usbehci \Device\USBPDO-2 89EA91F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1661F8
Device \Driver\Cdrom \Device\CdRom0 89E9D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1661F8
Device \Driver\Cdrom \Device\CdRom1 89E9D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-13 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-1b [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\USBSTOR \Device\00000066 89CB6500
Device \Driver\Cdrom \Device\CdRom2 89E9D1F8
Device \Driver\Cdrom \Device\CdRom3 89E9D1F8
Device \Driver\USBSTOR \Device\00000068 89CB6500
Device \Driver\Cdrom \Device\CdRom4 89E9D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89C47500
Device \Driver\NetBT \Device\NetbiosSmb 89C47500
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\sptd \Device\430102712 sphk.sys
Device \Driver\usbohci \Device\USBFDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBFDO-1 89F0B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FF2500
Device \Driver\usbehci \Device\USBFDO-2 89EA91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CCF5A52E-4EEB-45D9-8EA9-463831A990D7} 89C47500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FF2500
Device \Driver\Ftdisk \Device\FtControl 8A1661F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target1Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target2Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target0Lun0 89DC21F8
Device \FileSystem\Cdfs \Cdfs 89CA4500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFE 0xAB 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0x6C 0xE6 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBC 0x48 0xE1 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x37 0x11 0xD8 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x7F 0xF0 0x30 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0xFB 0x3B 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x72 0xF2 0x73 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD5 0x74 0x0C 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE9 0x07 0x1F 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFE 0xAB 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0x6C 0xE6 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBC 0x48 0xE1 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x37 0x11 0xD8 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x7F 0xF0 0x30 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0xFB 0x3B 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x72 0xF2 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD5 0x74 0x0C 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE9 0x07 0x1F 0x69 ...
---- EOF - GMER 1.0.15 ----
Rootkit scan 2009-10-25 23:36:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Varg\LOCALS~1\Temp\pxtyqfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAD23D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAD23D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAD23DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAD23D14C]
SSDT sphk.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sphk.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAD23D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAD23D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAD23D0F0]
SSDT sphk.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAD23D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAD23D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAD23D8AE]
INT 0x62 ? 8A1D2BF8
INT 0x83 ? 8A1D2BF8
INT 0xA4 ? 8A1D4BF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A1D11F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\PCI_PNP8962 \Device\00000041 sphk.sys
Device \Driver\usbohci \Device\USBPDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBPDO-1 89F0B1F8
Device \Driver\usbehci \Device\USBPDO-2 89EA91F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1661F8
Device \Driver\Cdrom \Device\CdRom0 89E9D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1661F8
Device \Driver\Cdrom \Device\CdRom1 89E9D1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-13 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-1b [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\USBSTOR \Device\00000066 89CB6500
Device \Driver\Cdrom \Device\CdRom2 89E9D1F8
Device \Driver\Cdrom \Device\CdRom3 89E9D1F8
Device \Driver\USBSTOR \Device\00000068 89CB6500
Device \Driver\Cdrom \Device\CdRom4 89E9D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89C47500
Device \Driver\NetBT \Device\NetbiosSmb 89C47500
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 89F0B1F8
Device \Driver\sptd \Device\430102712 sphk.sys
Device \Driver\usbohci \Device\USBFDO-1 89F0B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FF2500
Device \Driver\usbehci \Device\USBFDO-2 89EA91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CCF5A52E-4EEB-45D9-8EA9-463831A990D7} 89C47500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FF2500
Device \Driver\Ftdisk \Device\FtControl 8A1661F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target1Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target2Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target0Lun0 89DC21F8
Device \FileSystem\Cdfs \Cdfs 89CA4500
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-25 21:38:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Varg\LOCALS~1\Temp\pxtyqfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAD23D6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAD23D574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAD23DA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAD23D14C]
SSDT sphk.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sphk.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAD23D64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAD23D08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAD23D0F0]
SSDT sphk.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAD23D76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAD23D72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAD23D8AE]
INT 0x62 ? 8A1D2BF8
INT 0x83 ? 8A1D2BF8
INT 0xA4 ? 8A1D4BF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
INT 0xB4 ? 89F0CBF8
---- Kernel code sections - GMER 1.0.15 ----
? sphk.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload B98A98AC 5 Bytes JMP 89F0C1D8
.text ag88yis3.SYS B95C1386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ag88yis3.SYS B95C13AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ag88yis3.SYS B95C13C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ag88yis3.SYS B95C13C9 1 Byte [30]
.text ag88yis3.SYS B95C13C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] sphk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] sphk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] sphk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] sphk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] sphk.sys
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ag88yis3.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] sphk.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A1D11F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\PCI_PNP8962 \Device\00000041 sphk.sys
Device \Driver\usbohci \Device\USBPDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBPDO-1 89F0B1F8
Device \Driver\usbehci \Device\USBPDO-2 89EA91F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A1661F8
Device \Driver\Cdrom \Device\CdRom0 89E9D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A1661F8
Device \Driver\Cdrom \Device\CdRom1 89E9D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-13 [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-1b [B9E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\USBSTOR \Device\00000066 89CB6500
Device \Driver\Cdrom \Device\CdRom2 89E9D1F8
Device \Driver\Cdrom \Device\CdRom3 89E9D1F8
Device \Driver\USBSTOR \Device\00000068 89CB6500
Device \Driver\Cdrom \Device\CdRom4 89E9D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89C47500
Device \Driver\NetBT \Device\NetbiosSmb 89C47500
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\sptd \Device\430102712 sphk.sys
Device \Driver\usbohci \Device\USBFDO-0 89F0B1F8
Device \Driver\usbohci \Device\USBFDO-1 89F0B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89FF2500
Device \Driver\usbehci \Device\USBFDO-2 89EA91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CCF5A52E-4EEB-45D9-8EA9-463831A990D7} 89C47500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89FF2500
Device \Driver\Ftdisk \Device\FtControl 8A1661F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target1Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target2Lun0 89DC21F8
Device \Driver\ag88yis3 \Device\Scsi\ag88yis31Port4Path0Target0Lun0 89DC21F8
Device \FileSystem\Cdfs \Cdfs 89CA4500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFE 0xAB 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0x6C 0xE6 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBC 0x48 0xE1 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x37 0x11 0xD8 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x7F 0xF0 0x30 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0xFB 0x3B 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x72 0xF2 0x73 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD5 0x74 0x0C 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE9 0x07 0x1F 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFE 0xAB 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0x6C 0xE6 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBC 0x48 0xE1 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x37 0x11 0xD8 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x7F 0xF0 0x30 0xDA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0xFB 0x3B 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x20 0x72 0xF2 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD5 0x74 0x0C 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE9 0x07 0x1F 0x69 ...
---- EOF - GMER 1.0.15 ----
Re: Prosím o kontrolu HJT
Co ten Online scan?
Stiahni >>tento<< subor. Spust ho a malo by sa zjavit cierne okno, v ktorom by malo stat "Enter the link to query". Napis (skopiruj) tam nasledovne:
\Device\IdePort0
Enter. Program vygeneruje log na plochu s nazvom DirQuery.txt. Ten mi prosim posli.
Stiahni >>tento<< subor. Spust ho a malo by sa zjavit cierne okno, v ktorom by malo stat "Enter the link to query". Napis (skopiruj) tam nasledovne:
\Device\IdePort0
Enter. Program vygeneruje log na plochu s nazvom DirQuery.txt. Ten mi prosim posli.
Nemam rad amaterizmus...
A adresat odkazu to vie :)
A adresat odkazu to vie :)
Re: Prosím o kontrolu HJT
Ahoj.
Online scaner čistý omlouvám se že jsem to nenapsal.
Tady je ten log:
Running from: C:\Downloads\Software\DirQuery.exe
Log file at : C:\Documents and Settings\Varg\Plocha\DirQuery.txt
The driver that owns the link:
\Device\IdePortO
is located at:
́́́́́́́́́́́́́́́́́́́Ȑ́́́́́́́̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂Ȑ̂̂̂̂̂̂̂ȀĠ̂Ԅ܆ईଊഌ༎ᄐጒᔔᤘᬚᴜ℠⌢┤✦⤨⬪⼮㌲㔴㜶㤸㬺㴼㼾䅀䍂䕄䝆䥈䭊䵌低児卒啔坖奘孚嵜彞䅠䍂䕄䝆䥈䭊䵌低児卒啔坖奘筚Ⳏ粑ⴄ粑粑粑D
and the device link is:
Ề%Ȉ
Online scaner čistý omlouvám se že jsem to nenapsal.
Tady je ten log:
Running from: C:\Downloads\Software\DirQuery.exe
Log file at : C:\Documents and Settings\Varg\Plocha\DirQuery.txt
The driver that owns the link:
\Device\IdePortO
is located at:
́́́́́́́́́́́́́́́́́́́Ȑ́́́́́́́̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂Ȑ̂̂̂̂̂̂̂ȀĠ̂Ԅ܆ईଊഌ༎ᄐጒᔔᤘᬚᴜ℠⌢┤✦⤨⬪⼮㌲㔴㜶㤸㬺㴼㼾䅀䍂䕄䝆䥈䭊䵌低児卒啔坖奘孚嵜彞䅠䍂䕄䝆䥈䭊䵌低児卒啔坖奘筚Ⳏ粑ⴄ粑粑粑D
and the device link is:
Ề%Ȉ
Re: Prosím o kontrolu HJT
I když teda nechápu co to je 
Re: Prosím o kontrolu HJT
Popravde ani ja 
Skus tam vrazit este tento script:
\Device\Ide\IdePort0
Skus tam vrazit este tento script:
\Device\Ide\IdePort0
Nemam rad amaterizmus...
A adresat odkazu to vie :)
A adresat odkazu to vie :)
Re: Prosím o kontrolu HJT
No ono to vyhodilo znova to samé
Re: Prosím o kontrolu HJT
OK, nechajme to tak...bola to len skuska, pretoze mame novy rootkit a nevieme sa s nim vysomarit :/
Stiahni MWAV. Spust ho a riad sa instrukciami. Aktualizuj ho a nastav parametre.
Po scane skopiruj log zo spodneho okna.
Stiahni MWAV. Spust ho a riad sa instrukciami. Aktualizuj ho a nastav parametre.
Po scane skopiruj log zo spodneho okna.
Nemam rad amaterizmus...
A adresat odkazu to vie :)
A adresat odkazu to vie :)
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 90 hostů