- Joined: 19 Jan 2008
- Posts: 42
GMER 1.0.13.12551 - gmer.net
Rootkit scan 2008-01-21 21:48:36
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73FAC38] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F73FAC22] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F73FA3C2] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F73FA3AC] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F73F8C3C] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F73F8A00] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F73F89AE] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73FAC38] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F73FAC22] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F73FA3C2] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F73FA3AC] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F73F8C3C] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F73F8A00] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F73F89AE] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F73F89C4] cavasm.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F73F89C4] cavasm.sys
---- EOF - GMER 1.0.13 ----
Addendum: 21 Jan 2008 22:18
ComboFix 08-01-20.1 - kole 2008-01-21 21:58:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT 1:00]
Running from: D:\Documents and Settings\kole\Desktop\ComboFix2.exe
Command switches used :: D:\Documents and Settings\kole\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= D:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"cnfgCav"="D:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-12-18 17:19 110592]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 14:01 46592 D:\WINDOWS\SOUNDMAN.EXE]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-10 00:50 171448]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 03:54 43008 D:\WINDOWS\system32\WFXSNT40.EXE]
2007-12-18 16:19 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
2007-12-18 16:19 --------- d-----w D:\Program Files\Comodo
2007-12-18 16:19 1,060,864 ----a-w D:\WINDOWS\system32\MFC71.dll
2007-12-18 16:19 102,400 ----a-w D:\WINDOWS\system32\drivers\cavasm.sys
2007-12-18 16:19 216,576 ----a-w D:\WINDOWS\system32\monln.dll
2007-12-18 16:19 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2007-12-18 16:19 434,252 ----a-w D:\WINDOWS\system32\MSVCRTD.DLL
2007-12-18 16:19 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2007-12-18 16:19 73,728 ----a-w D:\WINDOWS\system32\CavEmLSP.dll
2008-01-07 16:59 . 2008-01-07 16:59 6,144 --a------ D:\Documents and Settings\kole\ie_updates3r.exe
2008-01-07 17:00 . 2008-01-07 17:00 4,224 --a------ D:\WINDOWS\system32\drivers\kcp.sys
2008-01-07 17:04 . 2008-01-07 18:32 21,760 --a------ D:\WINDOWS\Tyc36.sys
2008-01-08 10:19 . 2008-01-19 22:26 2,206 --a------ D:\WINDOWS\system32\wpa.dbl
2008-01-10 00:49 . 2008-01-10 00:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Common Files\Skype
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Skype
2008-01-10 00:50 . 2008-01-12 20:25 <DIR> d-------- D:\Program Files\Google
2008-01-10 00:50 . 2008-01-19 23:24 <DIR> d-------- D:\Documents and Settings\kole\Application Data\Skype
2008-01-10 00:53 . 2008-01-10 00:53 32 --a------ D:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 00:53 . 2008-01-20 23:37 <DIR> d-------- D:\Documents and Settings\kole\Application Data\skypePM
2008-01-12 00:46 . 2008-01-14 01:51 6,656 --a------ D:\Documents and Settings\kole\admin.exe
2008-01-15 22:27 . 2008-01-15 22:28 <DIR> d-------- D:\Program Files\Cambridge
2008-01-15 22:28 . 1995-05-09 14:20 53,492 --a------ D:\WINDOWS\system\IP769292.TTF
2008-01-15 22:29 . 2008-01-15 22:29 <DIR> d-------- D:\Program Files\TEXTware
2008-01-19 02:41 . 2008-01-19 21:48 7 --a------ D:\WINDOWS\system32\ngxt.bin
2008-01-19 23:14 . 2008-01-19 23:12 449,326 --a------ D:\HaxFix.exe
2008-01-19 23:36 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
D:\Documents and Settings\kole\admin.exe
D:\Documents and Settings\kole\ie_updates3r.exe
D:\Program Files\akl
D:\Program Files\akl\curlog.htm
D:\Program Files\akl\keylog.txt
D:\Program Files\akl\readme.txt
D:\Program Files\akl\unsetup.dat
D:\Program Files\amsys
D:\Program Files\amsys\awmsg.dat
D:\Program Files\amsys\guid.dat
D:\Program Files\amsys\unins000.dat
D:\Program Files\amsys\winam.dat
D:\WINDOWS\aconti.log
D:\WINDOWS\acontidialer.txt
D:\WINDOWS\default.htm
D:\WINDOWS\system32\drivers\ip6fw.sys
D:\WINDOWS\system32\drivers\kcp.sys
D:\WINDOWS\system32\drivers\smtpdrv.sys
D:\WINDOWS\system32\drivers\Tyc36.sys
D:\WINDOWS\system32\wsnpoem
D:\WINDOWS\Tyc36.sys
monln.dll 2007-12-18 17:19 216576 D:\WINDOWS\system32\monln.dll
R2 wfxsvc;WinFax PRO;D:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 03:54]
Running from: D:\Documents and Settings\kole\Desktop\ComboFix2.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Documents and Settings\kole\admin.exe
D:\Documents and Settings\kole\ie_updates3r.exe
D:\WINDOWS\system32\drivers\ip6fw.sys
D:\WINDOWS\system32\drivers\kcp.sys
D:\WINDOWS\Tyc36.sys
.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.
2008-01-21 21:05 . 2008-01-21 21:46 250 --a------ D:\WINDOWS\gmer.ini
2008-01-19 23:36 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-19 23:14 . 2008-01-19 23:12 449,326 --a------ D:\HaxFix.exe
2008-01-19 02:41 . 2008-01-19 21:48 7 --a------ D:\WINDOWS\system32\ngxt.bin
2008-01-15 22:29 . 2008-01-15 22:29 <DIR> d-------- D:\Program Files\TEXTware
2008-01-15 22:28 . 1995-05-09 14:20 53,492 --a------ D:\WINDOWS\system\IP769292.TTF
2008-01-15 22:27 . 2008-01-15 22:28 <DIR> d-------- D:\Program Files\Cambridge
2008-01-10 00:53 . 2008-01-21 19:02 <DIR> d-------- D:\Documents and Settings\kole\Application Data\skypePM
2008-01-10 00:53 . 2008-01-10 00:53 32 --a------ D:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Skype
2008-01-10 00:50 . 2008-01-12 20:25 <DIR> d-------- D:\Program Files\Google
2008-01-10 00:50 . 2008-01-10 00:50 <DIR> d-------- D:\Program Files\Common Files\Skype
2008-01-10 00:50 . 2008-01-21 21:58 <DIR> d-------- D:\Documents and Settings\kole\Application Data\Skype
2008-01-10 00:49 . 2008-01-10 00:50 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-01-08 10:19 . 2008-01-20 10:35 2,206 --a------ D:\WINDOWS\system32\wpa.dbl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 16:19 73,728 ----a-w D:\WINDOWS\system32\CavEmLSP.dll
2007-12-18 16:19 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2007-12-18 16:19 434,252 ----a-w D:\WINDOWS\system32\MSVCRTD.DLL
2007-12-18 16:19 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2007-12-18 16:19 216,576 ----a-w D:\WINDOWS\system32\monln.dll
2007-12-18 16:19 102,400 ----a-w D:\WINDOWS\system32\drivers\cavasm.sys
2007-12-18 16:19 1,060,864 ----a-w D:\WINDOWS\system32\MFC71.dll
2007-12-18 16:19 --------- d-----w D:\Program Files\Comodo
2007-12-18 16:19 --------- d-----w D:\Documents and Settings\All Users\Application Data\Comodo
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_23.38.57,13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 22:37:02 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 20:58:19 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 22:37:02 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 20:58:19 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 22:37:02 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 20:58:19 229,376 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 22:37:02 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 20:58:19 8,192 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 22:37:03 3,739,648 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 20:58:19 3,739,648 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-19 22:37:03 28,672 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 20:58:19 28,672 ----a-w D:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 20:05:19 585,791 ----a-w D:\WINDOWS\gmer.dll
+ 2007-06-29 08:38:18 581,632 ----a-r D:\WINDOWS\gmer.exe
+ 2008-01-21 20:05:19 70,001 ----a-w D:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-10 00:50 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 03:54 43008 D:\WINDOWS\system32\WFXSNT40.EXE]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 14:01 46592 D:\WINDOWS\SOUNDMAN.EXE]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"cnfgCav"="D:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-12-18 17:19 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= D:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-12-18 17:19 216576 D:\WINDOWS\system32\monln.dll
*Newly Created Service* - GMER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-01-21 22:01:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-21 22:03:05
ComboFix-quarantined-files.txt 2008-01-21 21:02:56
ComboFix2.txt 2008-01-20 22:39:24