
Rkill 2.8.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/24/2015 07:21:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\System32\SCardSvr.exe (PID: 2040) [WD-HEUR]
* C:\WINDOWS\RTHDCPL.EXE (PID: 1276) [WD-HEUR]
* C:\WINDOWS\system32\RunDLL32.exe (PID: 1312) [WD-HEUR]
* C:\WINDOWS\system32\FsUsbExService.Exe (PID: 1552) [WD-HEUR]
* C:\WINDOWS\System32\alg.exe (PID: 3672) [WD-HEUR]

5 proccesses terminated!

Possibly Patched Files.

* C:\WINDOWS\system32\services.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\System32\svchost.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\spoolsv.exe
* C:\WINDOWS\system32\ctfmon.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\wscntfy.exe
* C:\WINDOWS\System32\svchost.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
* C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

* dmadmin [Missing Service]

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\clipsrv.exe : 33 280 : 08/18/2015 03:23 PM : 60a4194b622904324d2665c60a5d206e [NoSig]
+-> C:\WINDOWS\system32\dllcache\clipsrv.exe : 60 928 : 04/14/2008 02:00 PM : 9a7811938926c3fa0793155a169e8191 [Pos Repl]

* C:\WINDOWS\System32\ctfmon.exe : 15 360 : 08/18/2015 01:45 PM : 585e846f76dece66b852cb19eb616c7e [NoSig]
+-> C:\WINDOWS\system32\dllcache\ctfmon.exe : 43 008 : 04/14/2008 02:00 PM : 459a67e61708f2079f622d95f4816374 [Pos Repl]

* C:\WINDOWS\System32\dllhost.exe : 5 120 : 08/18/2015 03:23 PM : 78289b46ff93b9542640ee0aab45ab96 [NoSig]
+-> C:\WINDOWS\system32\dllcache\dllhost.exe : 5 120 : 04/14/2008 02:00 PM : b741493240cfd3bc9db049de75dfea5c [Pos Repl]

* C:\WINDOWS\System32\services.exe : 111 104 : 08/22/2015 08:30 PM : 77ffe889e6d3239ce40ac27ef40eb780 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe : 111 104 : 08/23/2015 08:59 AM : 493f24439993ed79365a212209ecf3a5 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB956572$\services.exe : 136 704 : 04/14/2008 02:00 PM : 7f3cadb6037a651df480b13fe9710e25 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2GDR\services.exe : 111 104 : 02/09/2009 12:08 AM : 758554f23542cfe9dd0ab956e640afd5 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2QFE\services.exe : 111 104 : 02/09/2009 11:53 AM : ccb722020a0fb72a969bddd91e184614 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3GDR\services.exe : 111 104 : 08/23/2015 09:01 AM : 77ffe889e6d3239ce40ac27ef40eb780 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3QFE\services.exe : 111 104 : 08/23/2015 09:01 AM : 493f24439993ed79365a212209ecf3a5 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\services.exe : 111 104 : 08/23/2015 09:01 AM : 77ffe889e6d3239ce40ac27ef40eb780 [Pos Repl]

* C:\WINDOWS\System32\spoolsv.exe : 57 856 : 08/22/2015 08:25 PM : fbecc0af4547a38bb7ab908fbdfee703 [NoSig]
+-> C:\WINDOWS\SoftwareDistribution\Download\929204477dc4deabc58aeda98ffd7adb\sp3gdr\spoolsv.exe : 86 528 : 08/17/2010 03:17 PM : 00c89e2d4c302f18e9ab8bb4a40e52f9 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\929204477dc4deabc58aeda98ffd7adb\sp3qfe\spoolsv.exe : 86 528 : 08/17/2010 03:19 PM : 10870d1e9b1c4bd93e5aa840cbea404c [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\spoolsv.exe : 57 856 : 04/14/2008 02:00 PM : e52bfc34ee991d0896c56a2b51fd0bb6 [Pos Repl]

* C:\WINDOWS\System32\svchost.exe : 14 336 : 08/22/2015 08:30 PM : 1ffc50e2b4b8513aafaf8e727a04e65e [NoSig]
+-> C:\WINDOWS\system32\dllcache\svchost.exe : 14 336 : 04/14/2008 02:00 PM : 8bdc4f32b0d7f6ec688a0bf6f334b7ab [Pos Repl]

* C:\WINDOWS\System32\userinit.exe : 26 624 : 08/18/2015 03:23 PM : 753df0d78696e65ee27a23cad4c6933c [NoSig]
+-> C:\WINDOWS\system32\dllcache\userinit.exe : 26 624 : 04/14/2008 02:00 PM : de1432499141bf480b9fad0833a530ad [Pos Repl]

* C:\WINDOWS\System32\wbem\wmiprvse.exe : 227 840 : 08/22/2015 08:32 PM : 2ccb9f9dde14f31ff12930e354abc60b [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe : 227 840 : 08/23/2015 08:59 AM : 13e2a8bf17b80b80330836bf5975650f [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe : 218 112 : 08/18/2015 02:07 PM : 7ac40f4ac8d17087253c2ef3c2ccd726 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2GDR\wmiprvse.exe : 227 840 : 02/06/2009 06:39 PM : 82466d3f3441e9c429a5184cbf896844 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP2QFE\wmiprvse.exe : 227 840 : 02/06/2009 11:41 AM : 3285e3a268a5b00bf4b66116336caf85 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3GDR\wmiprvse.exe : 227 840 : 08/23/2015 09:01 AM : 2ccb9f9dde14f31ff12930e354abc60b [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\284fbcf1e8e0b40c0953d6b85a551eae\SP3QFE\wmiprvse.exe : 227 840 : 08/23/2015 09:01 AM : 13e2a8bf17b80b80330836bf5975650f [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\wmiprvse.exe : 227 840 : 08/23/2015 09:01 AM : 2ccb9f9dde14f31ff12930e354abc60b [Pos Repl]

* C:\WINDOWS\System32\wscntfy.exe : 13 824 : 08/18/2015 01:45 PM : 56cb83cc283faac9f02e1efc17ec6c88 [NoSig]
+-> C:\WINDOWS\system32\dllcache\wscntfy.exe : 13 824 : 04/14/2008 02:00 PM : 0719f7e24b43ef6e53b1504c5b9c44ea [Pos Repl]

* C:\WINDOWS\explorer.exe : 1 037 824 : 08/18/2015 03:24 PM : 1ce41eb08b0b1bff10035d167d3916b8 [NoSig]
+-> C:\WINDOWS\system32\dllcache\explorer.exe : 1 037 824 : 04/14/2008 02:00 PM : d9079484e6a61d15179606e36fb27477 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 08/24/2015 07:26:11 PM
Execution time: 0 hours(s), 4 minute(s), and 15 seconds(s)
