############################## [FindyKill V4.720]
User : KONRAD (Administrators) # WOJNAR-8CCBDDBC
Update on 22/03/09 by Chiquitine29
Start at: 18:17:16 | 2009-03-26
AMD Athlon XP 3200+
Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Disabled
AV : Kaspersky Anti-Virus 7.0.1.325 [(!) Disabled | (!) Outdated]
A:\ # 3.5-inch floppy drive
C:\ # Local fixed disk # 6.83 GB (274.65 MB free) [WINDOWS] # NTFS
D:\ # Local fixed disk # 20.84 GB (15 GB free) [uNIVERSAL] # NTFS
E:\ # Local fixed disk # 9.77 GB (7.23 GB free) [PROFRAMY] # NTFS
F:\ # Local fixed disk # 37.11 GB (12.65 GB free) [MP3&FILMY] # NTFS
G:\ # CD-ROM drive
H:\ # CD-ROM drive
############################## [Active Processes]
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Nowe Gadu-Gadu\gg.exe
C:\WINDOWS\system32\svchost.exe
E:\Vista Inspirat 2\RocketDock\RocketDock.exe
E:\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Program Files\Java\jre6\bin\java.exe
E:\FlashGet\flashget.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
################## [Infected Files / Folders C:]
################## [C:\WINDOWS]
################## [C:\WINDOWS\system32]
Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe
Deleted ! - C:\WINDOWS\system32\ban_list.txt
################## [C:\WINDOWS\system32\drivers]
################## [C:… Application Data …]
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m\flec006.exe"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m\list.oct"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m\data.oct"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m\srvlist.oct"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m\shared"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\m"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\srosa2.sys"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\wfsintwq.sys"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\winupgro.exe"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\downld"
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers"
################## [Registry / Infected keys]
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S
Deleted ! - HKEY_CURRENT_USER\Software\bisoft
Deleted ! - HKEY_CURRENT_USER\Software\DateTime4
Deleted ! - HKEY_CURRENT_USER\Software\FirtR
Deleted ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\winupgro
Deleted ! - HKEY_USERS\S-1-5-21-436374069-117609710-839522115-1003\Software\FFC
Deleted ! - HKEY_USERS\S-1-5-21-436374069-117609710-839522115-1003\Software\MuleAppData
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"drvsyskit"
Deleted ! - HKEY_USERS\S-1-5-21-436374069-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\"drvsyskit"
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"german.exe"
Deleted ! - HKEY_USERS\S-1-5-21-436374069-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\"german.exe"
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"mule_st_key"
Deleted ! - HKEY_USERS\S-1-5-21-436374069-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\"mule_st_key"
################## [Cleaning Removable drives]
Deleting files :
################## [Registry / Mountpoint2]
-> Not found !
################## [Searching Other Infections]
Bagle MD5 comparison references :
File … : C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\winupgro.exe
CRC32 … : f3a03290
MD5 … : 1f3e8528f35f8d85c790f7f9b30e1119
Deleted ! : E:\AutoConnect\AutoConnect.exe
Size : 868352 # MD5 : 1F3E8528F35F8D85C790F7F9B30E1119
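The comparison step the report performs here (hash the quarantined winupgro.exe, then look for any other file on disk with the same digest, which is how E:\AutoConnect\AutoConnect.exe was caught) as an added example. This is not FindyKill's own code: it reimplements the idea in Python, takes the MD5 and size from the report as its reference values, and sweeps a directory tree that it constructs in a temporary folder so it runs offline. The file names in that sample tree mirror the report but the contents are made up.

```python
"""Hash sweep for copies of a known dropper (added example, not FindyKill code).

Reproduces the report's last check: take the MD5 of the quarantined
winupgro.exe and look for every other file whose digest matches. The
reference values are the ones printed in the report; the directory tree that
gets swept is constructed in a temporary folder so the script runs offline.
"""
import hashlib
import os
import tempfile
import zlib
from pathlib import Path

# Reference values copied from the report. MD5 is compared case-insensitively:
# the report prints the same digest once in lower case and once in upper case.
BAGLE_MD5 = "1f3e8528f35f8d85c790f7f9b30e1119"
BAGLE_SIZE = 868352

CHUNK = 1 << 16


def fingerprint_bytes(data):
    """(size, md5_hex, crc32_hex) for an in-memory blob."""
    return len(data), hashlib.md5(data).hexdigest(), f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def fingerprint(path):
    """Same triple for a file on disk, streamed so large files are not read into memory."""
    md5, crc, size = hashlib.md5(), 0, 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            crc = zlib.crc32(block, crc)
            size += len(block)
    return size, md5.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"


def sweep(root, reference_md5s, reference_sizes=None):
    """Yield (path, size, md5, crc32) for every file under root whose MD5 is in reference_md5s.

    When reference sizes are known they are checked first: a stat() is free and
    rules out almost every file before any hashing happens. Files that cannot
    be opened (locked, no permission) are skipped so one bad file does not
    abort the sweep.
    """
    wanted = {h.lower() for h in reference_md5s}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if reference_sizes is not None and path.stat().st_size not in reference_sizes:
                    continue
                size, md5, crc = fingerprint(path)
            except OSError:
                continue
            if md5 in wanted:
                yield str(path), size, md5, crc


def demo():
    """Sweep a constructed tree; returns the base names of the files that matched."""
    # Constructed sample: a fake dropper body, an identical copy under another
    # name (the AutoConnect.exe situation in the report) and a harmless decoy.
    body = b"MZ" + b"\x90" * 1024 + b"constructed sample, not real malware"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "AutoConnect").mkdir()
        (root / "drivers" / "winupgro.exe").write_bytes(body)
        (root / "AutoConnect" / "AutoConnect.exe").write_bytes(body)
        (root / "AutoConnect" / "readme.txt").write_bytes(b"harmless")
        # Take the reference from the quarantined file, as the report does.
        ref_size, ref_md5, _crc = fingerprint(root / "drivers" / "winupgro.exe")
        hits = sorted(sweep(root, {ref_md5}, {ref_size}))
        return [Path(p).name for p, _size, _md5, _crc in hits]


if __name__ == "__main__":
    print(demo())
    # On the real machine: sweep("C:\\", {BAGLE_MD5}, {BAGLE_SIZE}) from an elevated prompt.
```

A sweep like this only finds byte-identical copies; a repacked or polymorphic sample will not match, which is why a report that also records size and CRC32 is more useful than a bare MD5 when the hash is later shared as an indicator.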
################## [PEH Corrupted]
C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft\Ad-Aware\Update\AAWService.exe
C:\Documents and Settings\KONRAD\Ustawienia lokalne\Temp\jkos-KONRAD\binaries\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe
E:\cureit.exe
E:\Hijack\ComboFix.exe
E:\Hijack\HijackThis.exe
E:\Kalendarz XP\Kalendarz XP\Update.exe
E:\Spybot - Search & Destroy\blindman.exe
E:\Spybot - Search & Destroy\SpybotSD.exe
E:\Spybot - Search & Destroy\TeaTimer.exe
E:\Spybot - Search & Destroy\Update.exe
E:\Vista Inspirat 2\Update.exe
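Every entry in the section above is a security or update tool (Ad-Aware, ComboFix, HijackThis, Spybot, cureit.exe), which fits a Bagle variant tampering with the tools that would remove it, but the report does not say which test "PEH Corrupted" stands for. The following added example, not FindyKill's heuristic, performs the minimum check a practitioner can do by hand on such a file: confirm the "MZ" DOS signature and the "PE\0\0" signature at the offset stored in e_lfanew. The header stubs it tests against are constructed in code.

```python
"""Minimal PE header sanity check (added example; FindyKill's own test is not documented here).

A Win32 executable starts with a DOS header whose first two bytes are 'MZ' and
whose 32-bit field at offset 0x3C (e_lfanew) gives the offset of the 'PE\\0\\0'
signature. If either signature is missing, or e_lfanew points outside the
file, the image will not load and a tool like FindyKill has reason to flag it.
"""
import struct

PE_SIGNATURE = b"PE\x00\x00"


def check_pe_header(data):
    """Return (ok, reason) for the first bytes of a file (a few KB is enough)."""
    if len(data) < 0x40:
        return False, "shorter than a DOS header"
    if data[:2] != b"MZ":
        return False, "missing MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The loader accepts e_lfanew values below 0x40 (overlapping headers), but
    # no normal linker emits them, so treat that as suspicious as well.
    if e_lfanew + 4 > len(data) or e_lfanew < 0x40:
        return False, f"e_lfanew 0x{e_lfanew:x} points outside the file"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, "missing PE signature at e_lfanew"
    return True, "ok"


def check_file(path, prefix=4096):
    """Apply check_pe_header to the first `prefix` bytes of a file on disk."""
    with open(path, "rb") as fh:
        return check_pe_header(fh.read(prefix))


def make_stub(e_lfanew=0x80, pe_sig=PE_SIGNATURE):
    """Constructed header stub: just enough bytes to exercise the check."""
    buf = bytearray(max(e_lfanew + 0x18, 0x40))
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = pe_sig
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in [("clean", make_stub()),
                        ("zeroed PE sig", make_stub(pe_sig=b"\x00" * 4)),
                        ("truncated", make_stub()[:0x60])]:
        print(label, check_pe_header(blob))
```

Passing this check does not prove a file is intact: Bagle-era tampering could leave both signatures alone and damage the section table or entry point instead, so a hash comparison against the vendor's release remains the stronger test. Failing it, on the other hand, is conclusive: the file cannot run.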
################## [! End of Report # FindyKill V4.720 !]
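The report above is the only record of what was removed, so the usual next step is to turn it into a list of indicators (paths, registry keys, Run value names, hashes, the tampered tools) that can be checked on other machines. The parser below is an added example written for this page's format and is not part of FindyKill; the section headers and "Deleted !" lines it understands are the ones visible in this report, and the sample it parses is an excerpt of that report embedded as a constant.

```python
"""Extract indicators from a FindyKill report (added example, not a FindyKill component).

Understands the layout seen in the report above: '####### [Section]' headers,
'Deleted ! - <path or registry key>' lines, 'MD5 ... : <hex>' lines, and the
bare file paths listed under '[PEH Corrupted]'. SAMPLE is an excerpt of the
report on this page, embedded so the parser runs offline.
"""
import re

SAMPLE = r"""
############################## [FindyKill V4.720]
Windows Firewall Status : Disabled
AV : Kaspersky Anti-Virus 7.0.1.325 [(!) Disabled | (!) Outdated]
################## [C:\WINDOWS\system32]
Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe
################## [C:… Application Data …]
Deleted ! - "C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\winupgro.exe"
################## [Registry / Infected keys]
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"drvsyskit"
################## [Searching Other Infections]
File … : C:\Documents and Settings\KONRAD\Dane aplikacji\drivers\winupgro.exe
MD5 … : 1f3e8528f35f8d85c790f7f9b30e1119
Deleted ! : E:\AutoConnect\AutoConnect.exe
Size : 868352 # MD5 : 1F3E8528F35F8D85C790F7F9B30E1119
################## [PEH Corrupted]
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Hijack\HijackThis.exe
################## [! End of Report # FindyKill V4.720 !]
"""

HEADER = re.compile(r"^#+\s*\[(?P<name>[^\]]+)\]\s*$")
DELETED = re.compile(r"^Deleted !\s*[-:]\s*(?P<target>.+?)\s*$")
MD5 = re.compile(r"MD5\s*(?:…|\.\.\.)?\s*:\s*(?P<md5>[0-9A-Fa-f]{32})")
REG_ROOTS = ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\", "HKEY_USERS\\", "HKEY_CLASSES_ROOT\\")
QUOTES = '"“”'


def parse_report(text):
    """Return a dict of indicator lists pulled out of one FindyKill report."""
    iocs = {"files": [], "registry": [], "run_values": [], "md5": set(),
            "peh_corrupted": [], "warnings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            section = m.group("name")
            continue
        # Under [PEH Corrupted] every line is a bare path (drive letter, colon, backslash).
        if section == "PEH Corrupted" and len(line) > 2 and line[1:3] == ":\\":
            iocs["peh_corrupted"].append(line)
            continue
        m = DELETED.match(line)
        if m:
            target = m.group("target")
            if target[0] in QUOTES and target[-1] in QUOTES:
                target = target[1:-1]
            if target.startswith(REG_ROOTS):
                iocs["registry"].append(target)
                if "\\CurrentVersion\\Run\\" in target:
                    # Persistence: the last path element is the Run value name.
                    iocs["run_values"].append(target.rsplit("\\", 1)[1].strip(QUOTES))
            else:
                iocs["files"].append(target)
        for digest in MD5.findall(line):
            iocs["md5"].add(digest.lower())
        # Posture lines worth surfacing: disabled firewall or AV at scan time.
        if line.startswith(("AV :", "Windows Firewall Status")) and "Disabled" in line:
            iocs["warnings"].append(line)
    return iocs


if __name__ == "__main__":
    for key, value in parse_report(SAMPLE).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The Run value names (drvsyskit, german.exe, mule_st_key in the full report) and the service names (srosa, sK9Ou0s) are the indicators most likely to survive on a second machine, since the dropper's file hash changes between variants while the persistence names tend to be reused.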