ComboFix 07-05.27.V - Running from: "D:\Documents and Settings\Kasia\Pulpit\ważne narzędzia"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"D:\WINDOWS\system32\1_exception.nls"
Infected copy of D:\WINDOWS\system32\winlogon.exe was found & disinfected
Restored copy from - “D:\WINDOWS\system32\dllcache\winlogon.exe”
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\EXAMPLE
-------\NDnet1
-------\Runtime
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))
2007-05-26 09:56
2007-05-11 21:46
2007-05-11 12:11
2007-05-10 21:11
2007-05-10 20:08
2007-05-10 19:35
2007-05-10 10:52
2007-05-06 19:05 73,728 --a------ D:\WINDOWS\system32\pv.exe
2007-05-06 19:05 39,184 --a------ D:\WINDOWS\system32\Ntrights.exe
2007-05-06 19:05 175,616 --a------ D:\WINDOWS\system32\strings.exe
2007-05-06 19:05 16,384 --a------ D:\WINDOWS\system32\restart.exe
2007-05-06 19:05 126,976 --a------ D:\WINDOWS\system32\zip.exe
2007-05-06 19:05 11,254 --a------ D:\WINDOWS\system32\locate.com
2007-05-05 19:39 76,560 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-05 19:39
2007-05-05 09:53 25,992 --a------ D:\WINDOWS\system32\pgdfgsvc.exe
2007-05-04 23:39
2007-05-04 22:02
2007-05-04 16:41
2007-05-02 21:30
2007-05-02 16:11 46,892 --a------ D:\WINDOWS\system32\adadix16.dll
2007-05-02 16:11 46,167 --a------ D:\WINDOWS\system32\drivers\adildr.sys
2007-05-02 16:11 4,981 --a------ D:\WINDOWS\system32\adadix2k.dll
2007-05-02 16:11 22,395 --a------ D:\WINDOWS\system32\drivers\fpga.bin
2007-05-02 16:11 155,648 --a------ D:\WINDOWS\system32\adadix32.dll
2007-05-02 16:11 143,360 --a------ D:\WINDOWS\autoclk.exe
2007-05-02 16:11 135,168 --a------ D:\WINDOWS\system32\unaddrv.exe
2007-05-02 16:11 127,497 --a------ D:\WINDOWS\system32\drivers\adiusbaw.sys
2007-05-02 16:11 127,456 --a------ D:\WINDOWS\system32\ipdetect.exe
2007-05-02 16:11 126,976 --a------ D:\WINDOWS\system32\coclassfast.dll
2007-05-02 16:11
2007-05-02 15:35
2007-05-02 15:35
2007-05-02 13:23
2007-05-02 12:59 3,145,728 --a------ D:\Documents and Settings\Kasia\ntuser.dat
2007-05-02 12:59 3,145,728 --a------ D:\DOCUME~1\Kasia\ntuser.dat
2007-05-01 17:45
2007-05-01 11:52
2007-05-01 11:46
2007-05-01 11:46
2007-05-01 11:45
2007-05-01 11:43
2007-05-01 11:43
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-26 07:58:36 12,400 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-04-27 20:39:52 26,622 ----a-w D:\WINDOWS\system32\lr86.exe
2007-04-16 14:58:40 0 ----a-w D:\WINDOWS\system32\CMMGR32.EXE
2007-04-14 17:02:50 726,920 ----a-w D:\Program Files\WindowsXP-KB935448-x86-PLK.exe
2007-04-14 16:57:24 4,709,688 ----a-w D:\Program Files\WindowsXP-KB922760-x86-PLK.exe
2007-04-14 15:43:24 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat
2007-04-14 15:43:24 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat
2007-04-14 14:50:36 23,016 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-04-14 14:30:24 37,860,928 ----a-w D:\Program Files\iTunesSetup.exe
2007-04-10 18:54:30 -------- d-----w D:\DOCUME~1\Kasia\DANEAP~1\FunkyFarm
2007-04-10 18:32:16 -------- d-----w D:\Program Files\Play
2007-04-10 17:58:26 -------- d-----w D:\Program Files\Calaris
2007-04-06 09:53:20 -------- d-----w D:\Program Files\PITy
2007-03-30 15:00:22 -------- d-----w D:\Program Files\Microsoft.NET
2007-03-30 14:58:44 -------- d-----w D:\Program Files\Microsoft Works
2007-03-30 14:41:58 -------- d-----w D:\Program Files\Windows Messaging
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=D:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="D:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 17:42]
"WOOWATCH"="D:\PROGRA~1\WANADOO\Watch.exe" [2002-12-09 18:24]
"WOOTASKBARICON"="D:\PROGRA~1\WANADOO\TaskbarIcon.exe" [2002-12-09 18:24]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Odkurzacz-MCD"="D:\Program Files\Odkurzacz\odk_mcd.exe" [2007-05-03 10:02]
"Spyware Doctor"="D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" [2007-03-26 21:09]
[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
path=c:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk
backup=D:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VIA RAID TOOL.lnk]
backup=D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Kasia^Menu Start^Programy^Autostart^Trend Micro Anti-Spyware.lnk]
backup=D:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 21:21:36
Windows 5.1.2600 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
disk error: D:\WINDOWS\
please note that you need administrator rights to perform deep scan
********************************************************************
Completion time: 2007-05-29 21:24:04 - machine was rebooted
D:\ComboFix-quarantined-files.txt … 2007-05-29 21:23
--- E O F ---
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"D:\WINDOWS\system32\1_exception.nls"
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_EXAMPLE
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\EXAMPLE
-------\NDnet1
-------\Runtime
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))
2007-05-29 21:24 49,152 --a------ D:\WINDOWS\nircmd.exe
2007-05-10 19:35
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-26 07:58:36 12,400 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-04-27 20:39:52 26,622 ----a-w D:\WINDOWS\system32\lr86.exe
2007-04-16 14:58:40 0 ----a-w D:\WINDOWS\system32\CMMGR32.EXE
2007-04-14 17:02:50 726,920 ----a-w D:\Program Files\WindowsXP-KB935448-x86-PLK.exe
2007-04-14 16:57:24 4,709,688 ----a-w D:\Program Files\WindowsXP-KB922760-x86-PLK.exe
2007-04-14 15:43:24 49,492 ----a-w D:\WINDOWS\system32\perfc015.dat
2007-04-14 15:43:24 355,486 ----a-w D:\WINDOWS\system32\perfh015.dat
2007-04-14 14:50:36 23,016 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-04-14 14:30:24 37,860,928 ----a-w D:\Program Files\iTunesSetup.exe
2007-04-10 18:54:30 -------- d-----w D:\DOCUME~1\Kasia\DANEAP~1\FunkyFarm
2007-04-10 18:32:16 -------- d-----w D:\Program Files\Play
2007-04-10 17:58:26 -------- d-----w D:\Program Files\Calaris
2007-04-06 09:53:20 -------- d-----w D:\Program Files\PITy
2007-03-30 15:00:22 -------- d-----w D:\Program Files\Microsoft.NET
2007-03-30 14:58:44 -------- d-----w D:\Program Files\Microsoft Works
2007-03-30 14:41:58 -------- d-----w D:\Program Files\Windows Messaging
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=D:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]
path=c:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk
backup=D:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VIA RAID TOOL.lnk]
backup=D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Kasia^Menu Start^Programy^Autostart^Trend Micro Anti-Spyware.lnk]
backup=D:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q
Merged post: 29.05.2007 (Tue) 21:29
2007-04-29 18:57 0 --a------ D:\Qoobox\Quarantine\D\WINDOWS\system32\1_exception.nls.vir
2007-05-01 21:02 432640 --a------ D:\Qoobox\Quarantine\D\WINDOWS\system32\winlogon.exe.vir
2007-05-29 21:19 1208 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_EXAMPLE.reg.cf
2007-05-29 21:19 1310 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_NDNET1.reg.cf
2007-05-29 21:19 1322 --a------ D:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
2007-05-29 21:19 58 --a------ D:\Qoobox\Quarantine\catchme.log
2007-05-29 21:19 620 --a------ D:\Qoobox\Quarantine\Registry_backups\services_Runtime.reg.cf
2007-05-29 21:19 676 --a------ D:\Qoobox\Quarantine\Registry_backups\services_NDnet1.reg.cf
2007-05-29 21:19 750 --a------ D:\Qoobox\Quarantine\Registry_backups\services_EXAMPLE.reg.cf
Folder PATH listing for volume PROGRAMY
Volume serial number is 71F5E346 1F46:1CEB
D:\QOOBOX
\---Quarantine
| catchme.log
|
+---Registry_backups
| LEGACY_EXAMPLE.reg.cf
| LEGACY_NDNET1.reg.cf
| LEGACY_RUNTIME.reg.cf
| services_EXAMPLE.reg.cf
| services_NDnet1.reg.cf
| services_Runtime.reg.cf
|
\---D
\---WINDOWS
\---system32
1_exception.nls.vir
winlogon.exe.vir
Merged post: 29.05.2007 (Tue) 21:31
At the end a message appeared saying some error had occurred, that some file could not be found... this was already after the Combo scan, right after opening the combofix.txt file.
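As an added example that is not part of the original post or of ComboFix itself, the Python below parses the two file-listing formats that appear in the log above ("Files Created", with minute-resolution timestamps, and "Find3M", with second-resolution timestamps and directory entries) and builds a review list from them. The sample input is a handful of lines copied from the log above plus the section banners and one timestamp-only line that lost its path during extraction, so the parser can be seen skipping them. The review window (the log's own 2007-04-28 to 2007-05-29 range) and the two heuristics are the editor's assumptions: an executable dropped under the Windows tree inside the window, and a zero-byte executable anywhere, are flagged for a second look. The heuristic is deliberately crude and flags legitimate utilities and drivers as readily as anything else; it yields a list to check by hash or by inspecting the file, not a verdict.

```python
"""Parse ComboFix-style file listings and build a triage list (added example)."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log in the post above,
# with section banners and a timestamp-only line (path lost in extraction)
# included so the parser's skipping behaviour is visible.
SAMPLE_LOG = """\
((((((( Files Created from 2007-04-28 to 2007-05-29 )))))))
2007-05-26 09:56
2007-05-06 19:05 73,728 --a------ D:\\WINDOWS\\system32\\pv.exe
2007-05-05 19:39 76,560 --a------ D:\\WINDOWS\\system32\\drivers\\tmcomm.sys
2007-05-02 16:11 143,360 --a------ D:\\WINDOWS\\autoclk.exe
2007-05-02 12:59 3,145,728 --a------ D:\\Documents and Settings\\Kasia\\ntuser.dat
((((((( Find3M Report )))))))
2007-04-27 20:39:52 26,622 ----a-w D:\\WINDOWS\\system32\\lr86.exe
2007-04-16 14:58:40 0 ----a-w D:\\WINDOWS\\system32\\CMMGR32.EXE
2007-04-10 18:54:30 -------- d-----w D:\\DOCUME~1\\Kasia\\DANEAP~1\\FunkyFarm
"""

# Assumed review window: the range ComboFix itself printed for "Files Created".
WINDOW_START = datetime(2007, 4, 28)
WINDOW_END = datetime(2007, 5, 29, 23, 59)

# One regex covers both listing formats: timestamp with optional seconds,
# a size with thousands separators (or dashes for a directory), an
# attribute column, then the path, which may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-zA-Z]+)\s+"
    r"(?P<path>\S.*?)\s*$"
)

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif"}


@dataclass
class Entry:
    when: datetime
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_log(text: str) -> List[Entry]:
    """Return every file/directory entry in the log; banners and
    timestamp-only lines do not match the regex and are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = m["ts"]
        fmt = "%Y-%m-%d %H:%M:%S" if ts.count(":") == 2 else "%Y-%m-%d %H:%M"
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(ts, fmt), size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry], start: datetime, end: datetime) -> List[Tuple[Entry, List[str]]]:
    """Apply the two assumed heuristics; returns (entry, reasons) pairs."""
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        ext = ntpath.splitext(low)[1]  # ntpath handles backslashes on any OS
        if ext not in EXECUTABLE_EXT:
            continue
        reasons = []
        if "\\windows\\" in low and start <= e.when <= end:
            reasons.append("executable created under Windows tree inside review window")
        if e.size == 0:
            reasons.append("zero-byte executable")
        if reasons:
            hits.append((e, reasons))
    return hits


def review(text: str, start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> List[Tuple[str, List[str]]]:
    """Convenience wrapper: (path, reasons) for every flagged entry."""
    return [(e.path, r) for e, r in triage(parse_log(text), start, end)]


if __name__ == "__main__":
    for path, reasons in review(SAMPLE_LOG):
        print(f"{path}: {'; '.join(reasons)}")
```

Note that lr86.exe is not flagged: its Find3M timestamp (2007-04-27) falls one day before the window the log reports, which is exactly the kind of boundary a reviewer should widen by hand rather than trust. The same parser works on the Qoobox quarantine listing in the post, whose lines use the "Files Created" layout with unseparated sizes.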