- This topic has 11 ответов, 2 участника, and was last updated 16 years, 1 month назад by
.
-
Сообщения
-
Пожалуйста помогите проанализировать лог HijackThis
при открывании окон IE7 и при запуске любых программ появляется окно с сообщением: Some dangerous Trojan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:Windows. Download protection software now! Click OK to download the antispyware и закачивается Total secure 2009
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:44, on 06.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: NormalRunning processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:Program FilesCyberLinkPowerDVDPDVDServ.exe
C:AcerEmpowering TechnologyePresentationePresentation.exe
C:AcerEmpowering TechnologyePowerePower_DMC.exe
C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe
C:AcerEmpowering TechnologyeRecoveryeRAgent.exe
C:PROGRA~1LAUNCH~1LManager.exe
C:WINDOWSRTHDCPL.EXE
C:WINDOWSsystem32hkcmd.exe
C:WINDOWSsystem32igfxpers.exe
C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesMail.RuAgentMAgent.exe
C:Program FilesAdobeReader 8.0ReaderReader_sl.exe
C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:Program FilesJavajre1.6.0_07binjusched.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesNokiaNokia PC Suite 6PcSync2.exe
C:Program FilesAgent VkontakteAgentVkontakte.exe
C:WINDOWSsystem32igfxsrvc.exe
C:AcerEmpowering TechnologyAcer.Empowering.Framework.Launcher.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:PROGRA~1COMMON~1NokiaMPAPIMPAPI3s.exe
C:WINDOWSsystem32agrsmsvc.exe
C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32igfxext.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCyberLinkShared FilesRichVideo.exe
C:Program FilesAlcohol SoftAlcohol 120StarWindStarWindServiceAE.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32wbemwmiapsrv.exe
C:AcerEmpowering TechnologyeLockServiceeLockServ.exe
C:DOCUME~11LOCALS~1TempRtkBtMnt.exe
C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
C:WINDOWSsystem32wbemunsecapp.exe
C:Program FilesSkypePlugin ManagerskypePM.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:Documents and SettingsAll UsersApplication DataSkypePluginsPluginsE12C95FCBD1240FEAE314D89676CA6F8LieDetector.exe
C:Program FilesOperaopera.exe
C:Program FilesTrend MicroHijackThisHijackThis.exeR1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 — HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 — HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
R3 — URLSearchHook: (no name) — {83821C2B-32A8-4DD7-B6D4-44309A78E668} — C:Program FilesMail.RuAgentMradllnewmrasearch.dll
R3 — URLSearchHook: Yahoo! Toolbar — {EF99BD32-C1FB-11D2-892F-0090271D4F88} — C:Program FilesYahoo!CompanionInstallscpnyt.dll
R3 — URLSearchHook: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
R3 — URLSearchHook: Rambler-Ассистент — {468CD8A9-7C25-45FA-969E-3D925C689DC4} — C:Program FilesRambler AssistantramblertoolbarU0.dll
O2 — BHO: btorbit.com — {000123B4-9B42-4900-B3F7-F4B073EFC214} — C:Program FilesOrbitdownloaderorbitcth.dll
O2 — BHO: Yahoo! Toolbar Helper — {02478D38-C3F9-4EFB-9B51-7695ECA05670} — C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 — BHO: HP Print Enhancer — {0347C33E-8762-4905-BF09-768834316C61} — C:Program FilesHPSmart Web Printinghpswp_printenhancer.dll
O2 — BHO: HP Print Clips — {053F9267-DC04-4294-A72C-58F732D338C0} — C:Program FilesHPSmart Web Printinghpswp_framework.dll
O2 — BHO: Adobe PDF Reader Link Helper — {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} — C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 — BHO: Skype add-on (mastermind) — {22BF413B-C6D2-4d91-82A9-A0F997BA588C} — C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O2 — BHO: GigaNet — {5D682D50-876E-454C-90BE-EFE6028FE389} — C:WINDOWSsystem32fhl.dll
O2 — BHO: SSVHelper Class — {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} — C:Program FilesJavajre1.6.0_07binssv.dll
O2 — BHO: Спутник@Mail.Ru — {8984B388-A5BB-4DF7-B274-77B879E179DB} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O2 — BHO: IE 4.x-6.x BHO for Download Master — {9961627E-4059-41B4-8E0E-A7D6B3854ADF} — C:PROGRA~1DOWNLO~1dmiehlp.dll
O3 — Toolbar: Yahoo! Toolbar — {EF99BD32-C1FB-11D2-892F-0090271D4F88} — C:Program FilesYahoo!CompanionInstallscpnyt.dll
O3 — Toolbar: Acer eDataSecurity Management — {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} — C:WINDOWSsystem32eDStoolbar.dll
O3 — Toolbar: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O3 — Toolbar: DM Bar — {0E1230F8-EA50-42A9-983C-D22ABC2EED3C} — C:Program FilesDownload Masterdmbar.dll
O3 — Toolbar: Rambler-Ассистент — {468CD8A9-7C25-45FA-969E-3D925C689DC4} — C:Program FilesRambler AssistantramblertoolbarU0.dll
O4 — HKLM..Run: [preload] C:WindowsRUNXMLPL.exe
O4 — HKLM..Run: [IAAnotif] «C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe»
O4 — HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 — HKLM..Run: [AzMixerSel] C:Program FilesRealtekInstallShieldAzMixerSel.exe
O4 — HKLM..Run: [IMJPMIG8.1] «C:WINDOWSIMEimjp8_1IMJPMIG.EXE» /Spoil /RemAdvDef /Migration32
O4 — HKLM..Run: [MSPY2002] C:WINDOWSsystem32IMEPINTLGNTImScInst.exe /SYNC
O4 — HKLM..Run: [PHIME2002ASync] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /SYNC
O4 — HKLM..Run: [PHIME2002A] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /IMEName
O4 — HKLM..Run: [SynTPStart] C:Program FilesSynapticsSynTPSynTPStart.exe
O4 — HKLM..Run: [RemoteControl] «C:Program FilesCyberLinkPowerDVDPDVDServ.exe»
O4 — HKLM..Run: [LanguageShortcut] «C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe»
O4 — HKLM..Run: [Acer ePresentation HPD] C:AcerEmpowering TechnologyePresentationePresentation.exe
O4 — HKLM..Run: [ePower_DMC] C:AcerEmpowering TechnologyePowerePower_DMC.exe
O4 — HKLM..Run: [Boot] C:AcerEmpowering TechnologyePowerBoot.exe
O4 — HKLM..Run: [eLockMonitor] C:AcerEmpowering TechnologyeLockMonitorLaunchMonitor.exe
O4 — HKLM..Run: [eDataSecurity Loader] C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe 0
O4 — HKLM..Run: [eRecoveryService] C:AcerEmpowering TechnologyeRecoveryeRAgent.exe
O4 — HKLM..Run: [LManager] C:PROGRA~1LAUNCH~1LManager.exe
O4 — HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 — HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 — HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 — HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 — HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 — HKLM..Run: [AVP] «C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe»
O4 — HKLM..Run: [QuickTime Task] «C:Program FilesQuickTimeqttask.exe» -atboottime
O4 — HKLM..Run: [MAgent] C:Program FilesMail.RuAgentMAgent.exe -LM
O4 — HKLM..Run: [Adobe Reader Speed Launcher] «C:Program FilesAdobeReader 8.0ReaderReader_sl.exe»
O4 — HKLM..Run: [PCSuiteTrayApplication] C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE -startup
O4 — HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 — HKLM..Run: [SunJavaUpdateSched] «C:Program FilesJavajre1.6.0_07binjusched.exe»
O4 — HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 — HKCU..Run: [Skype] «C:Program FilesSkypePhoneSkype.exe» /nosplash /minimized
O4 — HKCU..Run: [PcSync] C:Program FilesNokiaNokia PC Suite 6PcSync2.exe /NoDialog
O4 — HKCU..Run: [AlcoholAutomount] «C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» /automount
O4 — HKCU..Run: [VKontakte] C:Program FilesAgent VkontakteAgentVkontakte.exe
O4 — HKCU..Run: [ParetoLogic Anti-Spyware] «C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» -NM -hidesplash
O4 — HKCU..Run: [TotalSecure2009] C:Program FilesTS2009scan.exe
O4 — HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 — HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘SYSTEM’)
O4 — HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘Default user’)
O4 — Startup: Adobe Media Player.lnk = C:Program FilesAdobe Media PlayerAdobe Media Player.exe
O4 — Global Startup: Acer Empowering Technology.lnk = ?
O4 — Global Startup: Hiro-Media Client.lnk = C:Program FilesHiro-MediaHiroClientHiroClient.exe
O4 — Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O8 — Extra context menu item: &Download by Orbit — res://C:Program FilesOrbitdownloaderorbitmxt.dll/201
O8 — Extra context menu item: &Grab video by Orbit — res://C:Program FilesOrbitdownloaderorbitmxt.dll/204
O8 — Extra context menu item: &Экспорт в Microsoft Excel — res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 — Extra context menu item: Do&wnload selected by Orbit — res://C:Program FilesOrbitdownloaderorbitmxt.dll/203
O8 — Extra context menu item: Down&load all by Orbit — res://C:Program FilesOrbitdownloaderorbitmxt.dll/202
O8 — Extra context menu item: Добавить в Rambler-Закладки — res://C:Program FilesRambler AssistantramblertoolbarU0.dll/zakladki.htm
O8 — Extra context menu item: Добавить в Анти-Баннер — C:Program FilesKaspersky LabKaspersky Internet Security 7.0ie_banner_deny.htm
O8 — Extra context menu item: Закачать ВСЕ при помощи Download Master — C:Program FilesDownload Masterdmieall.htm
O8 — Extra context menu item: Закачать при помощи Download Master — C:Program FilesDownload Masterdmie.htm
O8 — Extra context menu item: Найти в интернете — res://C:Program FilesMail.RuSputnikMailRuSputnik.dll/282
O8 — Extra context menu item: Найти в словарях — res://C:Program FilesMail.RuSputnikMailRuSputnik.dll/283
O8 — Extra context menu item: Найти с помощью Рамблера — res://C:Program FilesRambler AssistantramblertoolbarU0.dll/search.htm
O8 — Extra context menu item: Перевести с помощью словарей Рамблера — res://C:Program FilesRambler AssistantramblertoolbarU0.dll/dic.htm
O8 — Extra context menu item: Поиск@Mail.Ru — res://C:Program FilesMail.RuSputnikMailRuSputnik.dll/SEARCH.HTM
O8 — Extra context menu item: Словари@Mail.Ru — res://C:Program FilesMail.RuSputnikMailRuSputnik.dll/TRANSLATE.HTM
O9 — Extra button: (no name) — {08B0E5C0-4FCB-11CF-AAA5-00401C608501} — C:Program FilesJavajre1.6.0_07binssv.dll
O9 — Extra ‘Tools’ menuitem: Sun Java Console — {08B0E5C0-4FCB-11CF-AAA5-00401C608501} — C:Program FilesJavajre1.6.0_07binssv.dll
O9 — Extra button: Cтатистика Веб-Антивируса — {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} — C:Program FilesKaspersky LabKaspersky Internet Security 7.0SCIEPlgn.dll
O9 — Extra button: Альбом клипов HP — {58ECB495-38F0-49cb-A538-10282ABF65E7} — C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 — Extra button: Расширенный выбор HP — {700259D7-1666-479a-93B1-3250410481E8} — C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 — Extra button: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe
O9 — Extra ‘Tools’ menuitem: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe
O9 — Extra button: Skype — {77BF5300-1474-4EC7-9980-D32B190E9B07} — C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O9 — Extra button: Download Master — {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe
O9 — Extra ‘Tools’ menuitem: &Download Master — {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe
O9 — Extra button: Справочные материалы — {92780B25-18CC-41C8-B9BE-3C9C571A8263} — C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 — Extra button: (no name) — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra button: ICQ6 — {E59EB121-F339-4851-A3BA-FE49C35617C2} — C:Program FilesICQ6ICQ.exe
O9 — Extra ‘Tools’ menuitem: ICQ6 — {E59EB121-F339-4851-A3BA-FE49C35617C2} — C:Program FilesICQ6ICQ.exe
O9 — Extra button: Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O9 — Extra ‘Tools’ menuitem: Windows Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O16 — DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) — http://go.microsoft.com/fwlink/?linkid=58813
O16 — DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) — http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 — Protocol: hiro — {50BA1131-168F-4C08-A69B-4012273F222E} — C:Program FilesHiro-MediaHiroClientHiroProtocolHandler.dll
O18 — Protocol: skype4com — {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} — C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O20 — AppInit_DLLs: C:PROGRA~1KASPER~1KASPER~1.0adialhk.dll
O23 — Service: Agere Modem Call Progress Audio (AgereModemAudio) — Agere Systems — C:WINDOWSsystem32agrsmsvc.exe
O23 — Service: Kaspersky Internet Security 7.0 (AVP) — Kaspersky Lab — C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe
O23 — Service: Symantec Lic NetConnect service (CLTNetCnService) — Unknown owner — C:Program FilesCommon FilesSymantec SharedccSvcHst.exe (file missing)
O23 — Service: eLock Service (eLockService) — — C:AcerEmpowering TechnologyeLockServiceeLockServ.exe
O23 — Service: Журнал событий (Eventlog) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) — Intel Corporation — C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
O23 — Service: InstallDriver Table Manager (IDriverT) — Macrovision Corporation — C:Program FilesCommon FilesInstallShieldDriver1150Intel 32IDriverT.exe
O23 — Service: Служба COM записи компакт-дисков IMAPI (ImapiService) — Корпорация Майкрософт — C:WINDOWSsystem32imapi.exe
O23 — Service: LightScribeService Direct Disc Labeling Service (LightScribeService) — Hewlett-Packard Company — C:Program FilesCommon FilesLightScribeLSSrvc.exe
O23 — Service: NetMeeting Remote Desktop Sharing (mnmsrvc) — Корпорация Майкрософт — C:WINDOWSsystem32mnmsrvc.exe
O23 — Service: Plug and Play (PlugPlay) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) — Корпорация Майкрософт — C:WINDOWSsystem32sessmgr.exe
O23 — Service: Cyberlink RichVideo Service(CRVS) (RichVideo) — Unknown owner — C:Program FilesCyberLinkShared FilesRichVideo.exe
O23 — Service: Смарт-карты (SCardSvr) — Корпорация Майкрософт — C:WINDOWSSystem32SCardSvr.exe
O23 — Service: ServiceLayer — Nokia. — C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
O23 — Service: StarWind AE Service (StarWindServiceAE) — Rocket Division Software — C:Program FilesAlcohol SoftAlcohol 120StarWindStarWindServiceAE.exe
O23 — Service: Журналы и оповещения производительности (SysmonLog) — Корпорация Майкрософт — C:WINDOWSsystem32smlogsvc.exe
O23 — Service: Теневое копирование тома (VSS) — Корпорация Майкрософт — C:WINDOWSSystem32vssvc.exe
O23 — Service: Адаптер производительности WMI (WmiApSrv) — Корпорация Майкрософт — C:WINDOWSsystem32wbemwmiapsrv.exe—
End of file — 16559 bytesЗдравствуйте, добро пожаловать на Spyware-ru форум.
Ваш компьютер инфицирован поддельным антиспайваре TotalSecure2009 и его загрузчиком, который и генерирует сообщения о которых вы сообщили.
Запустите HijackThis, кликните по кнопке Do a system scan only.
Далее отметьте галочками (слева) следующие строки:O2 - BHO: GigaNet - {5D682D50-876E-454C-90BE-EFE6028FE389} - C:WINDOWSsystem32fhl.dll
O4 - HKCU..Run: [TotalSecure2009] C:Program FilesTS2009scan.exeКликните по кнопке Fix checked и подтвердите свои действия выбрав YES.
Закройте HijackThis и перезагрузите компьютер.
Отключите ваш антивирус (автозащиту).
Скачайте программу Combofix. Закройте все открытые окна и запустите эту программу.
После выполнения будет создан лог файл, пожалуйста вставьте его в ваш ответ.ComboFix 08-10-05.08 — 1 2008-10-06 21:39:41.1 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.259 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:WINDOWSk.txt
C:WINDOWSsystem32AutoRun.inf
C:WINDOWSsystem32c.ico
C:WINDOWSsystem32Desktop_.ini
C:WINDOWSsystem32fhl.dll
C:WINDOWSsystem32m.ico
C:WINDOWSsystem32rgf.dll
C:WINDOWSsystem32rtl60.bpl
C:WINDOWSsystem32s.ico
C:WINDOWSTemplog.txt.
((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.2008-10-06 16:05 . 2008-10-06 16:05
d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 15:55 747,296 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-06 15:55 45,954,080 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-06 15:55
d
w C:Documents and Settings1Application DataSkype
2008-10-06 15:51 70,916 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-06 15:51 616,292 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-06 15:35
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-06 10:20
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-08-06 17:01 96,976 —-a-w C:WINDOWSsystem32driversklin.dat
2008-08-06 13:52
d
w C:Documents and SettingsAll UsersApplication DataCyberLink
2008-08-06 13:52
d
w C:Documents and Settings1Application DataCyberLink
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerURLSearchHooks]
«{83821C2B-32A8-4DD7-B6D4-44309A78E668}»= «C:Program FilesMail.RuAgentMradllnewmrasearch.dll» [2008-09-22 46584][HKEY_CLASSES_ROOTclsid{83821c2b-32a8-4dd7-b6d4-44309a78e668}]
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«AVP»=»C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe» [2007-06-28 218376]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-05 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.
— — — — ORPHANS REMOVED — — — —HKLM-Run-eLockMonitor — C:AcerEmpowering TechnologyeLockMonitorLaunchMonitor.exe
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
O8 -: &Download by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/201
O8 -: &Grab video by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/204
O8 -: &Экспорт в Microsoft Excel — C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 -: Do&wnload selected by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/203
O8 -: Down&load all by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/202
O8 -: Добавить в Rambler-Закладки — C:Program FilesRambler AssistantramblertoolbarU0.dll/zakladki.htm
O8 -: Закачать ВСЕ при помощи Download Master — C:Program FilesDownload Masterdmieall.htm
O8 -: Закачать при помощи Download Master — C:Program FilesDownload Masterdmie.htm
O8 -: Найти в интернете — C:Program FilesMail.RuSputnikMailRuSputnik.dll/282
O8 -: Найти в словарях — C:Program FilesMail.RuSputnikMailRuSputnik.dll/283
O8 -: Найти с помощью Рамблера — C:Program FilesRambler AssistantramblertoolbarU0.dll/search.htm
O8 -: Перевести с помощью словарей Рамблера — C:Program FilesRambler AssistantramblertoolbarU0.dll/dic.htm
O8 -: Поиск@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll/SEARCH.HTM
O8 -: Словари@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll/TRANSLATE.HTM
O9 -: {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe
O9 -: {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe —
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe —
O18 -: Handler: hiro — {50BA1131-168F-4c08-A69B-4012273F222E} — %~$path:i
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 21:53:31
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Other Running Processes
.
C:WINDOWSsystem32agrsmsvc.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANTmon.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:WINDOWSsystem32igfxsrvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesCyberLinkShared FilesRichVideo.exe
C:Program FilesAlcohol SoftAlcohol 120StarWindStarWindServiceAE.exe
C:WINDOWSsystem32wbemwmiapsrv.exe
C:AcerEmpowering TechnologyeLockServiceeLockServ.exe
C:PROGRA~1COMMON~1NokiaMPAPIMPAPI3s.exe
C:WINDOWSsystem32igfxext.exe
C:DOCUME~11LOCALS~1TempRtkBtMnt.exe
C:AcerEmpowering TechnologyAcer.Empowering.Framework.Launcher.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
C:WINDOWSsystem32wbemunsecapp.exe
C:Program FilesHPDigital Imagingbinhpqste08.exe
.
**************************************************************************
.
Completion time: 2008-10-06 22:01:16 — machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 16:01:04Pre-Run: 1 511 211 008 ???? ????????
Post-Run: 2,583,867,392 ???? ????????308 — E O F — 2008-09-10 14:48:49
сделала так как вы написали в другой теме:
Откройте блокнот и вставьте в него следующий текст:
Код: Выделить всё
File::
C:WINDOWSsystem32mfmlib.dllRegistry::
[-HKEY_LOCAL_MACHINE~Browser Helper Objects{E5F76779-DE98-4045-AE76-1B5F8CB6B98D}]Запишите получившийся файл на ваш рабочий стол под именем CFScript
Далее перетащите получившийся файл на иконку Combofix, как показано на картинке ниже.По окончанию работы Combofix будет создан новый лог файл, пожалуйста вставьте его в ваше ответное сообщение.
это новый лог:
ComboFix 08-10-05.10 — 1 2008-10-06 22:12:54.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.428 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: C:Documents and Settings1??????? ????CFScript.txt
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.2008-10-06 16:05 . 2008-10-06 16:05
d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 16:13 750,624 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-06 16:13 46,056,224 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-06 15:55
d
w C:Documents and Settings1Application DataSkype
2008-10-06 15:51 70,916 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-06 15:51 616,292 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-06 15:35
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-06 10:20
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-08-06 17:01 96,976 —-a-w C:WINDOWSsystem32driversklin.dat
2008-08-06 13:52
d
w C:Documents and SettingsAll UsersApplication DataCyberLink
2008-08-06 13:52
d
w C:Documents and Settings1Application DataCyberLink
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-05 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.
— — — — ORPHANS REMOVED — — — —URLSearchHooks-{83821C2B-32A8-4DD7-B6D4-44309A78E668} — (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 22:13:21
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
**************************************************************************
.
Completion time: 2008-10-06 22:16:04
ComboFix-quarantined-files.txt 2008-10-06 16:16:02
ComboFix2.txt 2008-10-06 16:01:19Pre-Run: 2 570 588 160 ???? ????????
Post-Run: 2,541,649,920 ???? ????????242 — E O F — 2008-09-10 14:48:49
теперь нет проблем!
Спасибо вам, Валерий!!! ОГРОМНОЕ!
Мне очень повезло что я сразу попала на этот форум!сделала так как вы написали в другой теме:
В этом не было необходимости, так как CFScript в той теме был разработан специально под тот тип заражения. Ваш компьютер заражён другими вредоносными программами.
После использования HijackThis стало получше, но нужно ещё кое-что подчистить.
Так же, видно из Combofix лога, что ваш компьютер заражён autorun.inf вирусом. Это вирус который распространяется через подключаемые диски (флэшки, флоппи диски и тд).Прочитайте следующую инструкцию Flash_Disinfector ещё одно оружие против autorun.inf троянов.
Выполните тот раздел, в котором описывается как скачать и использовать Flash Disinfector.Затем откройте блокнот и вставьте в него следующий текст:
Registry::
[-HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
[-HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
Folder::
C:Program FilesTS2009Запишите получившийся файл на ваш рабочий стол под именем CFScript
Далее перетащите получившийся файл на иконку Combofix, как показано на картинке ниже.
Жду от вас свежий Combofix лог.
новый лог
ComboFix 08-10-06.05 — 1 2008-10-07 15:07:55.3 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.230 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: C:Documents and Settings1??????? ????CFScript.txt
* Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.2008-10-07 10:08 . 2008-10-07 15:12 54,156 —ah
C:WINDOWSQTFont.qfn
2008-10-07 10:08 . 2008-10-07 15:12 1,409 —a
C:WINDOWSQTFont.for
2008-10-06 16:05 . 2008-10-06 16:05d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 09:12 761,120 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-07 09:12 46,323,232 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-07 09:02
d
w C:Documents and Settings1Application DataSkype
2008-10-07 09:01
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-07 08:59 72,044 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-07 08:59 620,132 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-07 08:58
d
w C:Program FilesQUIK КИТ Финанс
2008-10-07 04:10
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-07 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 15:12:36
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-10-07 15:14:05
ComboFix-quarantined-files.txt 2008-10-07 09:14:00
ComboFix2.txt 2008-10-06 16:16:07Pre-Run: 3 180 777 472 ???? ????????
Post-Run: 3,156,447,232 ???? ????????239 — E O F — 2008-09-10 14:48:49
Судя по всему, Combofix неправильно выполняет скрипт (CFScript), если он расположен в папке, полное имя которой содержит русские буквы.
Поэтому поступим следующим образом.
Скопируйте CFScript в корень вашего диска или в папку путь к которой не содержит русских букв.
Например:d:CFScript — это если вы скопируете CFScript в корень диска
d:123CFScript — это если вы скопируете CFScript в папку 123. (папка может быть новой или старой, это не важно)Далее откройте эту папку или корень диска и перетащите и бросьте иконку CFScript на программу Combofix.
Жду от вас свежий Combofix лог.
ComboFix 08-10-06.08 — 1 2008-10-07 22:01:00.4 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.310 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: D:CFScript.txt
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:Program FilesTS2009
C:Program FilesTS2009totalsecure.s1
C:WINDOWSIE4 Error Log.txt.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.2008-10-07 10:08 . 2008-10-07 22:05 54,156 —ah
C:WINDOWSQTFont.qfn
2008-10-07 10:08 . 2008-10-07 22:05 1,409 —a
C:WINDOWSQTFont.for
2008-10-06 16:05 . 2008-10-06 16:05d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 16:06 46,939,680 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-07 16:05 768,032 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-07 15:19
d
w C:Documents and Settings1Application DataskypePM
2008-10-07 15:19
d
w C:Documents and Settings1Application DataSkype
2008-10-07 14:46 72,596 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-07 14:46 622,148 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-07 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-07 14:45
d
w C:Documents and Settings1Application DataOrbit
2008-10-07 09:01
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((( snapshot@2008-10-07_15.13.34.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-07 15:19:14 16,384 —-atw C:WINDOWSTempPerflib_Perfdata_dfc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-07 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 22:05:34
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-10-07 22:08:01
ComboFix-quarantined-files.txt 2008-10-07 16:07:55
ComboFix2.txt 2008-10-07 09:14:07
ComboFix3.txt 2008-10-06 16:16:07Pre-Run: 3 100 409 856 ???? ????????
Post-Run: 3,069,489,152 ???? ????????243 — E O F — 2008-09-10 14:48:49
Рад помочь вам 😉
И последние инструкции:1. Удалите Combofix с вашего компьютера. Прочитайте следующее: Как правильно удалить combofix с компьютера.
2. Создайте новую точку восстановления. Это поможет вам в случае необходимости загрузить текущую конфигурацию Windows и быстро излечиться от спайваре/вируса.
Кликните по кнопке Пуск.
Выберите пункт Стандартные, в нём Служебные и запустите программу Восстановление системы.
В открывшемся окне выберите задачу Создать точку восстановления.
Нажмите кнопку Далее и следуйте указаниям.3. Если не используете, то рекомендую вам установить и использовать Firefox. Эта программа может всё то, что может InternetExplorer, но при этом более безопасна.
Всего хорошего!
- Для ответа в этой теме необходимо авторизоваться.
