WHAT I'VE FOUND (on all 3 PCs)
-----------------------------------
(1) A lot of hijacks in the SSDT: 50% with a named driver, 50% hex addresses (0x???????).
(2) The stealth driver uses a pattern for its filename: "sp??.sys". The name varies from machine to machine.
Some names I've found so far:
- spwa.sys
- spek.sys
- spxe.sys
- spbz.sys
- spom.sys
- sppn.sys
(3) Interestingly, it can survive gmer/RootRepeal action. If you remove it and reboot, you'll find it back in place with a new name respecting the pattern (e.g. you remove spex.sys, reboot, detect spfu.sys).
(4) The rootkit is detectable in aswMBR. Some examples:
01:15:20.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spek.sys >>UNKNOWN [0x8738a938]<<
19:27:27.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxe.sys >>UNKNOWN [0x8738a938]<<
21:03:16.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spom.sys >>UNKNOWN [0x8738a938]<<
INSIGHTS
------------------------
The target computer has been using Comodo Firewall (free), which appears often in SSDT, and Avira Antivir Personal (free) and Spybot (free) and SuperAntiSpyware and MalwareBytes (free). The user seems wise, but that rootkit is evil.
I dumped the sp??.sys with rootrepeal. The file seems different from machine to machine. The file remains the same "inside one machine". That is, if you remove it via gmer, the rootkit comes back at next reboot as I said, but it's the same file on that machine. I'm attaching it to make this case easier and let you analyze the code.
RootRepeal shows a lot of hijacks in IRQs too. I'll attach the RootRepeal log, too.
I dumped the MBR with aswMBR, and again I'll attach it to make your work easier.
Avira Rescue CD was able to find a botnet installer inside a .zip. Detection was "Zbot". I wonder if the user ran it...
Combofix ran (without script), detected and deleted 3 malware, but not the rootkit. I'll attach both the log and the quarantined files for your eyes.
MalwareBytes got 1 doubtful registry configuration. Nothing else. The log is attached, obviously.
The target machine had Alcohol 120%, but it was removed a long time ago.
HALL OF FAIL (who failed so far; all tools were updated!)
---------------------------------------------------------
Avira Antivir Personal: failed as base protection
Comodo Firewall: as above, in the firewall role.
Spybot S&D: ran, got just some tracing cookies.
Malware Bytes: ran, got 1 registry malconfiguration. I was expecting more from this guy.
gmer: doesn't suffice alone. Tried "restore SSDT" on all hooks. The evil came back at next reboot.
RootRepeal: good detection, no cleaning. You can restore the SSDT from here, and nothing happens. The rootkit retains the hooks, or just re-infects in microseconds. Can't clean IRQs from here.
Combofix: doesn't suffice without a CFscript. Deleted 3 files (other malware) but not the rootkit. I left it installed just in case.
Avira Rescue CD: found a botnet installer inside a .zip file. No rootkit detection.
Kaspersky Rescue Disk: nothing found.
TDSS Killer: found that c:\windows\system\sptd is blocked. Sounded promising. Went ahead and got "system not infected" at end of scan. Weird.
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by me at 9:55:28 on 2011-05-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1022.238 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00EC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {001300D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000ECFD7F}
AV: AntiVir Desktop *Disabled/Updated* {00000002-0002-0000-6C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000FCFD7F}
AV: AntiVir Desktop *Enabled/Updated* {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *Enabled/Updated* {001400D4-0000-0000-1000-00007454927C}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00DC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-2303-927C0000FD7F}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0012-0014-00FC-FD7F00000802}
AV: AntiVir Desktop *Enabled/Updated* {00000000-0000-0000-1200-140000DCFD7F}
FW: COMODO Firewall Pro *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Programmi\Process Blocker\Process Blocker.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\IObit\Smart Defrag 2\SmartDefrag.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Everything\Everything.exe
C:\WINDOWS\vsnpstd.exe
C:\Programmi\FreeSoft\Uranium\Uranium.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\Programmi\Taskbar Shuffle\taskbarshuffle.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\Launchy\Launchy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\me\Dati applicazioni\Dropbox\bin\Dropbox.exe
C:\Programmi\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\DOCUME~1\me\IMPOST~1\Temp\TeamViewer\Version6\TeamViewer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\uTorrent\uTorrent.exe
c:\docume~1\me\impost~1\temp\teamviewer\version6\TeamViewer_Desktop.exe
C:\DOCUME~1\me\IMPOST~1\Temp\TeamViewer\Version6\tv_w32.exe
D:\Desktop\assist\dds23552.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = hxxp://www.google.it/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Uranium] c:\programmi\freesoft\uranium\Uranium.exe reg
uRun: [Taskbar Shuffle] c:\programmi\taskbar shuffle\taskbarshuffle.exe
mRun: [ATIPTA] c:\programmi\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\programmi\analog devices\soundmax\SMax4PNP.exe
mRun: [Apoint] c:\programmi\apoint2k\Apoint.exe
mRun: [hpWirelessAssistant] c:\programmi\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\programmi\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\programmi\hpq\default settings\cpqset.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] "c:\programmi\hp\hp software update\HPWuSchd2.exe"
mRun: [Everything] "c:\programmi\everything\Everything.exe" -startup
mRun: [COMODO Firewall Pro] "c:\programmi\comodo\firewall\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programmi\file comuni\adobe\arm\1.0\AdobeARM.exe"
mRun: [snpstd] c:\windows\vsnpstd.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\dropbox.lnk - c:\documents and settings\me\dati applicazioni\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\screen~1.lnk - c:\programmi\wisdom-soft screenhunter 5 free\ScreenHunter.exe
StartupFolder: c:\docume~1\me\menuav~1\progra~1\esecuz~1\todotx~1.lnk - d:\my dropbox\TODO.txt
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\launchy.lnk - c:\programmi\launchy\Launchy.exe
IE: Add to &Teleport
IE: Download with GetRight
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel
IE: MediaManager tool grab multimedia file - c:\programmi\mp3 player utilities 4.00\mediamanager\grab.html
IE: Open with GetRight Browser
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\programmi\java\jre1.6.0_07\bin\ssv.dll
LSP: c:\windows\system32\PGPlsp.dll
DPF: {00000055-9980-0010-8000-00AA00389B71}
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A}
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141641708437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}
DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
TCP: {444185EC-68A3-4B77-962D-FF500F41E426} = 208.67.222.222,208.67.220.220
TCP: {50ECF7E9-1C59-4581-9417-D76C4162D0B4} = 192.168.1.1
Notify: !SASWinLogon - c:\programmi\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\programmi\stardock\fences\FencesMenu.dll
SEH: RadExeExt Class: {35b2861b-2b26-4691-9ff0-09083722c736} - c:\windows\system32\RadExe.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programmi\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\me\dati applicazioni\mozilla\firefox\profiles\8ei3d7f4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - plugin: c:\documents and settings\me\impostazioni locali\dati applicazioni\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: TrackMeNot: trackmenot@mrl.nyu.edu - %profile%\extensions\trackmenot@mrl.nyu.edu
FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: ShowIP: {3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d} - %profile%\extensions\{3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - %profile%\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Firefox Showcase: {89506680-e3f4-484c-a2c0-ed711d481eda} - %profile%\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Extended Statusbar: {daf44bf7-a45e-4450-979c-91cf07434c3d} - %profile%\extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Clipmarks: {e1170235-2845-420c-acc3-42261a29dd46} - %profile%\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
FF - Ext: Media Converter: {6e764c17-863a-450f-bdd0-6772bd5aaa18} - %profile%\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Firecookie: firecookie@janodvarko.cz - %profile%\extensions\firecookie@janodvarko.cz
FF - Ext: Fast Dial: fastdial@telega.phpnet.us - %profile%\extensions\fastdial@telega.phpnet.us
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - %profile%\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Ext: Multiple Tab Handler: multipletab@piro.sakura.ne.jp - %profile%\extensions\multipletab@piro.sakura.ne.jp
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Tab Scope: tabscope@xuldev.org - %profile%\extensions\tabscope@xuldev.org
FF - Ext: ErrorZilla Mod: ErrorZillaMod@jaybaldwin - %profile%\extensions\ErrorZillaMod@jaybaldwin
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-28 28544]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-20 13496]
R1 avgio;avgio;c:\programmi\avira\antivir desktop\avgio.sys [2009-5-19 11608]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-6-11 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-11 24208]
R1 SASDIFSV;SASDIFSV;c:\programmi\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirScheduler;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-5-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programmi\avira\antivir desktop\avguard.exe [2009-5-19 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-19 56816]
R2 cmdAgent;COMODO Firewall Pro Helper Service;c:\programmi\comodo\firewall\cmdagent.exe [2010-6-11 519936]
R2 Process Blocker;Process Blocker;c:\programmi\process blocker\Process Blocker.exe [2010-4-22 106712]
S2 esentprf32;Server Database Storage Performance Library;c:\windows\system32\rundll32.exe esentprf32.dll,uhon --> c:\windows\system32\rundll32.exe esentprf32.dll,uhon [?]
S3 IrCOMM2k;Virtual IR COM Port;c:\windows\system32\drivers\ircomm2k.sys --> c:\windows\system32\drivers\ircomm2k.sys [?]
S3 IrDAFw2k;IrDA Forward Adapter;c:\windows\system32\drivers\irdafw2k.sys --> c:\windows\system32\drivers\irdafw2k.sys [?]
S3 PORTMON;PORTMON;\??\c:\programmi\utilities\portmsys.sys --> c:\programmi\utilities\PORTMSYS.SYS [?]
S3 ZD1211U(Sitecom);Sitecom Wireless Network USB Adapter 54G WL-117(Sitecom);c:\windows\system32\drivers\ZD1211U.sys [2007-11-30 233472]
S4 ConnectionMonitor;ConnectionMonitor;"c:\docume~1\me\impost~1\temp\~acetemp\connectionmonitor_eng\connectionmonitor.exe" /run_service --> c:\docume~1\me\impost~1\temp\~acetemp\connectionmonitor_eng\ConnectionMonitor.exe [?]
S4 HDDlife HDD Access service;HDDlife HDD Access service;c:\programmi\file comuni\binarysense\hldasvc.exe [2007-8-9 816376]
S4 MGTZL;MGTZL;c:\docume~1\me\impost~1\temp\mgtzl.exe --> c:\docume~1\me\impost~1\temp\MGTZL.exe [?]
S4 WYN;WYN;c:\docume~1\me\impost~1\temp\wyn.exe --> c:\docume~1\me\impost~1\temp\WYN.exe [?]
.
=============== Created Last 30 ================
.
2011-05-21 14:33:33 -------- d-----w- c:\programmi\Process Blocker
2011-05-14 19:23:16 -------- d-sha-r- C:\cmdcons
2011-05-14 19:18:57 98816 ----a-w- c:\windows\sed.exe
2011-05-14 19:18:57 89088 ----a-w- c:\windows\MBR.exe
2011-05-14 19:18:57 256512 ----a-w- c:\windows\PEV.exe
2011-05-14 19:18:57 161792 ----a-w- c:\windows\SWREG.exe
2011-05-12 23:25:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-06 18:11:12 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-05-01 21:19:08 -------- d-----w- C:\latino51 avanzato
.
==================== Find3M ====================
.
2011-03-07 05:33:45 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-06 22:27:44 49 ----a-w- c:\windows\wpd99.drv
2011-03-05 12:39:40 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-03-04 06:36:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:53:31 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 16:04:32 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-02-23 15:54:12 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-02-22 23:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:05:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:05:47 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42:13 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 9.57.03,35 ===============
Attached File(s)
- dds.txt (15.72K)
- attach.zip (8.43K)
- RootRepeal report 05-23-11 (09-21-43).txt (37.09K)
- mbam-log-2011-04-11 (18-03-25).txt (1.06K)
- combofix.txt (20.01K)
- sppn.zip (267.75K)
- Quarantine.zip (71.16K)
- MBR.zip (164bytes)
This post has been edited by Noviciate: 26 May 2011 - 03:07 PM
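Added example (not from the post, nor from aswMBR or any other tool named in it): a small Python triage script for aswMBR disk-stack lines like the three quoted in point (4). It flags entries that carry a `>>UNKNOWN [...]<<` marker or a module matching the `sp??.sys` naming pattern, and reports UNKNOWN addresses that recur across lines even though the driver filename changes. The fourth, clean line in the sample is constructed here for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three aswMBR disk-stack lines quoted in the post,
# plus one clean line (made up here) showing what a normal stack looks like.
SAMPLE_LOG = """\
01:15:20.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spek.sys >>UNKNOWN [0x8738a938]<<
19:27:27.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spxe.sys >>UNKNOWN [0x8738a938]<<
21:03:16.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spom.sys >>UNKNOWN [0x8738a938]<<
09:40:01.112 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
"""

# Filename pattern the post describes: "sp" + two letters + ".sys".
SP_NAME = re.compile(r"^sp[a-z]{2}\.sys$", re.IGNORECASE)
# aswMBR prints an unresolved stack entry as >>UNKNOWN [address]<<.
UNKNOWN_MARK = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.IGNORECASE)
# A stack line starts with a hh:mm:ss.mmm timestamp followed by module names.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")


@dataclass
class StackEntry:
    time: str
    modules: List[str]           # modules in the order aswMBR printed them
    unknown_addr: Optional[str]  # address from >>UNKNOWN [...]<<, if present
    sp_drivers: List[str]        # modules whose name matches sp??.sys


def parse_line(line: str) -> Optional[StackEntry]:
    """Parse one aswMBR line; return None if it is not a device-stack dump."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, rest = m.groups()
    unknown = UNKNOWN_MARK.search(rest)
    addr = unknown.group(1).lower() if unknown else None
    body = rest[: unknown.start()] if unknown else rest
    modules = body.split()
    return StackEntry(time, modules, addr, [x for x in modules if SP_NAME.match(x)])


def triage(log_text: str) -> List[StackEntry]:
    """Keep only entries with an UNKNOWN marker or an sp??.sys module."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (entry.unknown_addr or entry.sp_drivers):
            hits.append(entry)
    return hits


def recurring_unknown_addrs(entries: List[StackEntry]) -> set:
    """UNKNOWN addresses seen on more than one line: a fixed location behind changing names."""
    counts = {}
    for e in entries:
        if e.unknown_addr:
            counts[e.unknown_addr] = counts.get(e.unknown_addr, 0) + 1
    return {a for a, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h.time, h.sp_drivers, h.unknown_addr)
    print("recurring UNKNOWN addresses:", recurring_unknown_addrs(found))
```

Feed it a full aswMBR log via `triage(open(path).read())`; non-stack lines are ignored by `parse_line`.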