Forum replies created
Everything is great! All clean, no extraneous junk! 😀
Thank you very much! You are a real professional! And a great forum that really helps.
THANK YOU! P.S. About nod32: for a couple of days it complained about this virus, something like "trojan, can't delete it", and after the next update it simply stopped noticing it.
Done!
ComboFix 08-11-09.01 - Юрий 2008-11-10 16:26:38.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1512 [GMT 5:00]
Running from: c:\documents and settings\Юрий\Рабочий стол\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Юрий\Рабочий стол\ComboFix\CFScript.txt
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\catsrvp.dll
c:\windows\system32\drivers\oclpbazx.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\catsrvp.dll
c:\windows\system32\drivers\oclpbazx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

Legacy_OCLPBAZX
Service_oclpbazx


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-06 17:00 . 2008-11-06 17:00 8,675 --a------ c:\windows\FontData.fdb
2008-10-28 13:57 . 2008-10-28 13:57 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\Юрий\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 12:16 . 2008-10-28 12:16 <DIR> d-------- c:\program files\www.freewordexcelpassword.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38 --------- d-----w c:\documents and settings\Юрий\Application Data\NLDealer
2008-10-07 08:06 --------- d-----w c:\documents and settings\Юрий\Application Data\PC Suite
2008-10-03 07:34 --------- d-----w c:\program files\QIP Infium
2008-10-03 07:34 --------- d-----w c:\documents and settings\Юрий\Application Data\QIP
2008-09-10 13:09 20,656 ----a-w c:\documents and settings\Юрий\Application Data\GDIPFONTCACHEV1.DAT
2008-08-22 05:55 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-08-22 05:55 348,160 ----a-w c:\windows\system32\msvcr71.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"Scktsrvr for RgSr4"="c:\progra~1\REGIST~1\Server\Bin\scktsrvr.exe" [2002-08-09 678400]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-22 185896]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Юрий\Главное меню\Программы\Автозагрузка\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk - c:\program files\QIP\qip.exe [2008-07-01 3256320]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-04-30 1044480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\totalcmd\TOTALCMD.EXE"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE"=
"c:\Program Files\Casino.Net\casino.exe"=
"c:\WINDOWS\system32\ftp.exe"=
"c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE"=
"c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\QIP\qip.exe"=
"c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe"=
"c:\projects\Мединком\LPU\Projects\MServer\MServer.exe"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE"=
"c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"1433:TCP"= 1433:TCP:SQL SERVER
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2005-02-24 53248]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2005-01-14 20992]

*Newly Created Service* - OCLPBAZX
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\MLCardsAgent ACTIVATEPOINT.job
- c:\projects [2008-10-08 10:11]

2008-11-07 c:\windows\Tasks\MLCardsAgent BACKUP.job
- c:\projects [2008-10-08 10:11]

2008-11-09 c:\windows\Tasks\MLCardsAgent CALCOPT.job
- c:\projects [2008-10-08 10:11]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 16:33:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Other Running Processes
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-10 16:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 11:39:33
ComboFix2.txt 2008-11-10 10:54:34
ComboFix3.txt 2008-11-10 07:06:07
ComboFix4.txt 2008-11-10 06:29:06
ComboFix5.txt 2008-11-10 11:25:04

Pre-Run: 292 930 945 024 байт свободно
Post-Run: 292,920,872,960 байт свободно
Done. Before the computer rebooted, while ComboFix was running, a Catchme window popped up: error initializing the service ...
After the reboot all the files are still in place :(
Here is the new log:

ComboFix 08-11-09.01 - Юрий 2008-11-10 15:41:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1528 [GMT 5:00]
Running from: c:\documents and settings\Юрий\Рабочий стол\ComboFix\ComboFix.exe
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\catsrvp.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-06 17:00 . 2008-11-06 17:00 8,675 --a------ c:\windows\FontData.fdb
2008-10-28 13:57 . 2008-10-28 13:57 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\Юрий\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 12:16 . 2008-10-28 12:16 <DIR> d-------- c:\program files\www.freewordexcelpassword.com
2008-10-25 11:54 . 2004-08-17 17:04 93,184 --a------ c:\windows\system32\catsrvp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38 --------- d-----w c:\documents and settings\Юрий\Application Data\NLDealer
2008-10-07 08:06 --------- d-----w c:\documents and settings\Юрий\Application Data\PC Suite
2008-10-03 07:34 --------- d-----w c:\program files\QIP Infium
2008-10-03 07:34 --------- d-----w c:\documents and settings\Юрий\Application Data\QIP
2008-09-10 13:09 20,656 ----a-w c:\documents and settings\Юрий\Application Data\GDIPFONTCACHEV1.DAT
2008-08-22 05:55 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-08-22 05:55 348,160 ----a-w c:\windows\system32\msvcr71.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}]
2004-08-17 17:04 93184 --a------ c:\windows\system32\catsrvp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"Scktsrvr for RgSr4"="c:\progra~1\REGIST~1\Server\Bin\scktsrvr.exe" [2002-08-09 678400]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-22 185896]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Юрий\Главное меню\Программы\Автозагрузка\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk - c:\program files\QIP\qip.exe [2008-07-01 3256320]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-04-30 1044480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\totalcmd\TOTALCMD.EXE"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE"=
"c:\Program Files\Casino.Net\casino.exe"=
"c:\WINDOWS\system32\ftp.exe"=
"c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE"=
"c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\QIP\qip.exe"=
"c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe"=
"c:\projects\Мединком\LPU\Projects\MServer\MServer.exe"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE"=
"c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"1433:TCP"= 1433:TCP:SQL SERVER
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 oclpbazx;oclpbazx;c:\windows\system32\drivers\oclpbazx.sys [2001-10-20 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2005-02-24 53248]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2005-01-14 20992]
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\MLCardsAgent ACTIVATEPOINT.job
- c:\projects [2008-10-08 10:11]

2008-11-07 c:\windows\Tasks\MLCardsAgent BACKUP.job
- c:\projects [2008-10-08 10:11]

2008-11-09 c:\windows\Tasks\MLCardsAgent CALCOPT.job
- c:\projects [2008-10-08 10:11]
.
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{7F134F2C-57D2-4BD5-9782-42A60BB0D76D}: NameServer = 192.168.1.1
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 15:47:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Other Running Processes
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-10 15:54:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 10:54:29
ComboFix2.txt 2008-11-10 07:06:07
ComboFix3.txt 2008-11-10 06:29:06
ComboFix4.txt 2008-11-07 15:32:59
ComboFix5.txt 2008-11-10 10:40:45

Pre-Run: 292 854 587 392 байт свободно
Post-Run: 292,846,440,448 байт свободно
Done!
ComboFix 08-11-09.01 - Юрий 2008-11-10 11:58:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1494 [GMT 5:00]
Running from: c:\documents and settings\Юрий\Рабочий стол\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Юрий\Рабочий стол\ComboFix\CFScript.txt
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\catsrvp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\catsrvp.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

Legacy_OCLPBAZX
Service_oclpbazx


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-06 17:00 . 2008-11-06 17:00 8,675 --a------ c:\windows\FontData.fdb
2008-10-30 13:20 . 2008-10-29 09:33 79,195,624 --a------ C:\Буклет последний.cdr
2008-10-28 13:57 . 2008-10-28 13:57 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-28 13:15 <DIR> d-------- c:\documents and settings\Юрий\Application Data\Malwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-28 12:16 . 2008-10-28 12:16 <DIR> d-------- c:\program files\www.freewordexcelpassword.com
2008-10-25 11:54 . 2004-08-17 17:04 93,184 --a------ c:\windows\system32\catsrvp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38 --------- d-----w c:\documents and settings\Юрий\Application Data\NLDealer
2008-10-07 08:06 --------- d-----w c:\documents and settings\Юрий\Application Data\PC Suite
2008-10-03 07:34 --------- d-----w c:\program files\QIP Infium
2008-10-03 07:34 --------- d-----w c:\documents and settings\Юрий\Application Data\QIP
2008-09-10 13:09 20,656 ----a-w c:\documents and settings\Юрий\Application Data\GDIPFONTCACHEV1.DAT
2008-08-22 05:55 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-08-22 05:55 348,160 ----a-w c:\windows\system32\msvcr71.dll
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}]
2004-08-17 17:04 93184 --a------ c:\windows\system32\catsrvp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"Scktsrvr for RgSr4"="c:\progra~1\REGIST~1\Server\Bin\scktsrvr.exe" [2002-08-09 678400]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-22 185896]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-17 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Юрий\Главное меню\Программы\Автозагрузка\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk - c:\program files\QIP\qip.exe [2008-07-01 3256320]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-04-30 1044480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\totalcmd\TOTALCMD.EXE"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE"=
"c:\Program Files\Casino.Net\casino.exe"=
"c:\WINDOWS\system32\ftp.exe"=
"c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE"=
"c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\QIP\qip.exe"=
"c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe"=
"c:\projects\Мединком\LPU\Projects\MServer\MServer.exe"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE"=
"c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"1433:TCP"= 1433:TCP:SQL SERVER
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 oclpbazx;oclpbazx;c:\windows\system32\drivers\oclpbazx.sys [2001-10-20 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2005-02-24 53248]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2005-01-14 20992]

*Newly Created Service* - CATCHME
*Newly Created Service* - OCLPBAZX
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\MLCardsAgent ACTIVATEPOINT.job
- c:\projects [2008-10-08 10:11]

2008-11-07 c:\windows\Tasks\MLCardsAgent BACKUP.job
- c:\projects [2008-10-08 10:11]

2008-11-09 c:\windows\Tasks\MLCardsAgent CALCOPT.job
- c:\projects [2008-10-08 10:11]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 12:02:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Other Running Processes
.
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-10 12:06:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 07:06:02
ComboFix2.txt 2008-11-10 06:29:06
ComboFix3.txt 2008-11-07 15:32:59
ComboFix4.txt 2008-11-07 13:28:46
ComboFix5.txt 2008-11-10 06:55:57

Pre-Run: 292 886 253 568 байт свободно
Post-Run: 292,876,251,136 байт свободно
Done, here is the next log:
ComboFix 08-11-09.01 — Юрий 2008-11-10 11:20:49.4 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1487 [GMT 5:00]
Running from: c:documents and settingsЮрийРабочий столComboFixComboFix.exe
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:windowssystem32catsrvp.dll . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.2008-11-06 17:00 . 2008-11-06 17:00 8,675 —a
c:windowsFontData.fdb
2008-10-30 13:20 . 2008-10-29 09:33 79,195,624 —a
C:Буклет последний.cdr
2008-10-28 13:57 . 2008-10-28 13:57d
c:program filesTrend Micro
2008-10-28 13:15 . 2008-10-28 13:15d
c:program filesMalwarebytes’ Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsAll UsersApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsЮрийApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 —a
c:windowssystem32driversmbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 —a
c:windowssystem32driversmbam.sys
2008-10-28 12:16 . 2008-10-28 12:16d
c:program fileswww.freewordexcelpassword.com
2008-10-25 11:54 . 2004-08-17 17:04 93,184 —a
c:windowssystem32catsrvp.dll.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38
d
w c:documents and settingsЮрийApplication DataNLDealer
2008-10-07 08:06
d
w c:documents and settingsЮрийApplication DataPC Suite
2008-10-03 07:34
d
w c:program filesQIP Infium
2008-10-03 07:34
d
w c:documents and settingsЮрийApplication DataQIP
2008-09-10 13:09 20,656 —-a-w c:documents and settingsЮрийApplication DataGDIPFONTCACHEV1.DAT
2008-08-22 05:55 499,712 —-a-w c:windowssystem32msvcp71.dll
2008-08-22 05:55 348,160 —-a-w c:windowssystem32msvcr71.dll
2006-06-23 06:48 32,768 —-a-r c:windowsinfUpdateUSB.exe
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE~Browser Helper Objects{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}]
2004-08-17 17:04 93184 —a
c:windowssystem32catsrvp.dll[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2004-08-17 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}»=»c:program filesCommon FilesNeroLibNMBgMonitor.exe» [2007-10-23 202024]
«H/PC Connection Agent»=»c:program filesMicrosoft ActiveSyncWcescomm.exe» [2006-11-13 1289000]
«Nokia.PCSync»=»c:program filesNokiaNokia PC Suite 6PCSync2.exe» [2008-03-26 1232896]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 6PCSuite.exe» [2008-04-16 1079808][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IAAnotif»=»c:program filesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2006-12-18 868352]
«JMB36X IDE Setup»=»c:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»c:windowssystem32xRaidSetup.exe» [2007-03-21 1953792]
«NeroFilterCheck»=»c:program filesCommon FilesNeroLibNeroCheck.exe» [2007-03-01 153136]
«NBKeyScan»=»c:program filesNeroNero8Nero BackItUpNBKeyScan.exe» [2007-09-20 1836328]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-03-13 1443072]
«Scktsrvr for RgSr4″=»c:progra~1REGIST~1ServerBinscktsrvr.exe» [2002-08-09 678400]
«Gainward»=»c:program filesVDOToolTBPanel.exe» [2007-11-27 2169368]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-05-02 13529088]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-05-02 86016]
«TkBellExe»=»c:program filesCommon FilesRealUpdate_OBrealsched.exe» [2008-08-22 185896]
«BluetoothAuthenticationAgent»=»bthprops.cpl» [2004-08-17 c:windowssystem32bthprops.cpl][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2004-08-17 15360]c:documents and settingsћаЁ©ѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Adobe Gamma.lnk — c:program filesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk — c:program filesQIPqip.exe [2008-07-01 3256320]c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
BlueSoleil.lnk — c:program filesIVT CorporationBlueSoleilBlueSoleil.exe [2008-04-30 1044480][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«msacm.l3fhg»= mp3fhg.acm[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«FirewallOverride»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\totalcmd\TOTALCMD.EXE»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE»=
«c:\Program Files\Casino.Net\casino.exe»=
«c:\WINDOWS\system32\ftp.exe»=
«c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE»=
«c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe»=
«c:program filesMicrosoft ActiveSyncrapimgr.exe»= c:program filesMicrosoft ActiveSyncrapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
«c:program filesMicrosoft ActiveSyncwcescomm.exe»= c:program filesMicrosoft ActiveSyncwcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
«c:program filesMicrosoft ActiveSyncWCESMgr.exe»= c:program filesMicrosoft ActiveSyncWCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe»=
«c:\projects\Мединком\LPU\Projects\MServer\MServer.exe»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE»=
«c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe»=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«1433:TCP»= 1433:TCP:SQL SERVER
«26675:TCP»= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 oclpbazx;oclpbazx;c:windowssystem32driversoclpbazx.sys [2001-10-20 23424]
R1 epfwtdir;epfwtdir;c:windowssystem32DRIVERSepfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:windowssystem32Drivershwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:program filesCASharedComponentsCA_LICLogWatNT.exe [2005-02-24 53248]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:windowssystem32DriversTEUSBMU.sys [2005-01-14 20992]
.
Contents of the ‘Scheduled Tasks’ folder
2008-11-09 c:windowsTasksMLCardsAgent ACTIVATEPOINT.job
— c:projects [2008-10-08 10:11]
2008-11-07 c:windowsTasksMLCardsAgent BACKUP.job
— c:projects [2008-10-08 10:11]
2008-11-09 c:windowsTasksMLCardsAgent CALCOPT.job
— c:projects [2008-10-08 10:11]
.
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office10EXCEL.EXE/3000
O17 -: HKLMCCSInterface{7F134F2C-57D2-4BD5-9782-42A60BB0D76D}: NameServer = 192.168.1.1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 11:25:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
c:program filesIVT CorporationBlueSoleilBTNtService.exe
c:program filesESETESET NOD32 Antivirusekrn.exe
c:program filesIntelIntel Matrix Storage ManagerIAANTmon.exe
c:program filesCommon FilesMicrosoft SharedVS7DebugMDM.EXE
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:program filesNeroNero8Nero BackItUpNBService.exe
c:windowssystem32nvsvc32.exe
c:windowssystem32wdfmgr.exe
c:windowssystem32rundll32.exe
c:windowssystem32rundll32.exe
c:program filesCommon FilesNeroLibNMIndexingService.exe
c:progra~1MI3AA1~1rapimgr.exe
c:program filesCommon FilesNeroLibNMIndexStoreSvr.exe
c:program filesPC Connectivity SolutionServiceLayer.exe
c:program filesPC Connectivity SolutionTransportsNclUSBSrv.exe
c:program filesCommon FilesNokiaMPAPIMPAPI3s.exe
c:program filesPC Connectivity SolutionTransportsNclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-10 11:29:06 — machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 06:29:02
ComboFix2.txt 2008-11-07 15:32:59
ComboFix3.txt 2008-11-07 13:28:46
ComboFix4.txt 2008-11-07 11:43:43
Pre-Run: 292 919 205 888 байт свободно
Post-Run: 292,907,962,368 байт свободно
Done!
Here is the log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file «c:windowssystem32catsrvp.dll»
Deletion of file «c:windowssystem32catsrvp.dll» failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Error: could not open registry key «HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorerBrowser Helper Objects{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}» for deletion
Deletion of registry key «HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorerBrowser Helper Objects{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}» failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Completed script processing.
*******************
Finished! Terminate.
Done!
ComboFix 08-11-06.01 — Юрий 2008-11-07 20:23:23.3 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1525 [GMT 5:00]
Running from: c:documents and settingsЮрийРабочий столComboFixComboFix.exe
Command switches used :: c:documents and settingsЮрийРабочий столComboFixCFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:windowssystem32catsrvp.dll
c:windowssystem32DriversWinav07.sys
c:windowssystem32DriversWinbf72.sys
c:windowssystem32DriversWinef50.sys
c:windowssystem32DriversWinfd72.sys
c:windowssystem32DriversWiniv13.sys
c:windowssystem32DriversWinmv35.sys
c:windowssystem32DriversWinpc26.sys
c:windowssystem32DriversWinqo52.sys
c:windowssystem32DriversWinvj26.sys
c:windowssystem32DriversWinyf50.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:windowssystem32catsrvp.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Service_Winav07
Service_Winbf72
Service_Winef50
Service_Winfd72
Service_Winiv13
Service_Winmv35
Service_Winpc26
Service_Winqo52
Service_Winvj26
Service_Winyf50
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.
2008-11-06 17:00 . 2008-11-06 17:00 8,675 —a
c:windowsFontData.fdb
2008-10-28 13:57 . 2008-10-28 13:57d
c:program filesTrend Micro
2008-10-28 13:15 . 2008-10-28 13:15d
c:program filesMalwarebytes’ Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsAll UsersApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsЮрийApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 —a
c:windowssystem32driversmbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 —a
c:windowssystem32driversmbam.sys
2008-10-28 12:16 . 2008-10-28 12:16d
c:program fileswww.freewordexcelpassword.com
2008-10-25 11:54 . 2004-08-17 17:04 93,184 —a
c:windowssystem32catsrvp.dll
2008-10-07 13:36 . 2001-09-30 18:10 246,784 —a
c:windowssystem32ActiveSkin.ocx
2008-10-07 13:36 . 2001-05-24 11:59 162,304 —a
C:UNWISE.EXE
2008-10-07 13:36 . 2002-01-18 17:12 112 —a
c:windowsActiveSkin.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38
d
w c:documents and settingsЮрийApplication DataNLDealer
2008-10-07 08:06
d
w c:documents and settingsЮрийApplication DataPC Suite
2008-10-03 07:34
d
w c:program filesQIP Infium
2008-10-03 07:34
d
w c:documents and settingsЮрийApplication DataQIP
2008-09-10 13:09 20,656 —-a-w c:documents and settingsЮрийApplication DataGDIPFONTCACHEV1.DAT
2006-06-23 06:48 32,768 —-a-r c:windowsinfUpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE~Browser Helper Objects{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}]
2004-08-17 17:04 93184 —a
c:windowssystem32catsrvp.dll
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2004-08-17 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}»=»c:program filesCommon FilesNeroLibNMBgMonitor.exe» [2007-10-23 202024]
«H/PC Connection Agent»=»c:program filesMicrosoft ActiveSyncWcescomm.exe» [2006-11-13 1289000]
«Nokia.PCSync»=»c:program filesNokiaNokia PC Suite 6PCSync2.exe» [2008-03-26 1232896]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 6PCSuite.exe» [2008-04-16 1079808]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IAAnotif»=»c:program filesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2006-12-18 868352]
«JMB36X IDE Setup»=»c:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»c:windowssystem32xRaidSetup.exe» [2007-03-21 1953792]
«NeroFilterCheck»=»c:program filesCommon FilesNeroLibNeroCheck.exe» [2007-03-01 153136]
«NBKeyScan»=»c:program filesNeroNero8Nero BackItUpNBKeyScan.exe» [2007-09-20 1836328]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-03-13 1443072]
«Scktsrvr for RgSr4″=»c:progra~1REGIST~1ServerBinscktsrvr.exe» [2002-08-09 678400]
«Gainward»=»c:program filesVDOToolTBPanel.exe» [2007-11-27 2169368]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-05-02 13529088]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-05-02 86016]
«TkBellExe»=»c:program filesCommon FilesRealUpdate_OBrealsched.exe» [2008-08-22 185896]
«BluetoothAuthenticationAgent»=»bthprops.cpl» [2004-08-17 c:windowssystem32bthprops.cpl]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2004-08-17 15360]
c:documents and settingsЮрийГлавное менюПрограммыАвтозагрузка
Adobe Gamma.lnk — c:program filesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk — c:program filesQIPqip.exe [2008-07-01 3256320]
c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
BlueSoleil.lnk — c:program filesIVT CorporationBlueSoleilBlueSoleil.exe [2008-04-30 1044480]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«msacm.l3fhg»= mp3fhg.acm
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«FirewallOverride»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\totalcmd\TOTALCMD.EXE»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE»=
«c:\Program Files\Casino.Net\casino.exe»=
«c:\WINDOWS\system32\ftp.exe»=
«c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE»=
«c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe»=
«c:program filesMicrosoft ActiveSyncrapimgr.exe»= c:program filesMicrosoft ActiveSyncrapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
«c:program filesMicrosoft ActiveSyncwcescomm.exe»= c:program filesMicrosoft ActiveSyncwcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
«c:program filesMicrosoft ActiveSyncWCESMgr.exe»= c:program filesMicrosoft ActiveSyncWCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe»=
«c:\projects\Мединком\LPU\Projects\MServer\MServer.exe»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE»=
«c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe»=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«1433:TCP»= 1433:TCP:SQL SERVER
«26675:TCP»= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 oclpbazx;oclpbazx;c:windowssystem32driversoclpbazx.sys [2001-10-20 23424]
R1 epfwtdir;epfwtdir;c:windowssystem32DRIVERSepfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:windowssystem32Drivershwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:program filesCASharedComponentsCA_LICLogWatNT.exe [2005-02-24 53248]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:windowssystem32DriversTEUSBMU.sys [2005-01-14 20992]
.
Contents of the ‘Scheduled Tasks’ folder
2008-11-06 c:windowsTasksMLCardsAgent ACTIVATEPOINT.job
— c:projects [2008-10-08 10:11]
2008-10-31 c:windowsTasksMLCardsAgent BACKUP.job
— c:projects [2008-10-08 10:11]
2008-11-06 c:windowsTasksMLCardsAgent CALCOPT.job
— c:projects [2008-10-08 10:11]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 20:29:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
c:program filesIVT CorporationBlueSoleilBTNtService.exe
c:program filesESETESET NOD32 Antivirusekrn.exe
c:program filesIntelIntel Matrix Storage ManagerIAANTmon.exe
c:program filesCommon FilesMicrosoft SharedVS7DebugMDM.EXE
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:program filesNeroNero8Nero BackItUpNBService.exe
c:windowssystem32nvsvc32.exe
c:windowssystem32wdfmgr.exe
c:windowssystem32rundll32.exe
c:windowssystem32rundll32.exe
c:program filesCommon FilesNeroLibNMIndexingService.exe
c:progra~1MI3AA1~1rapimgr.exe
c:program filesCommon FilesNeroLibNMIndexStoreSvr.exe
c:program filesPC Connectivity SolutionServiceLayer.exe
c:program filesCommon FilesNokiaMPAPIMPAPI3s.exe
c:program filesPC Connectivity SolutionTransportsNclUSBSrv.exe
c:program filesPC Connectivity SolutionTransportsNclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-07 20:32:58 — machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 15:32:55
ComboFix2.txt 2008-11-07 13:28:46
ComboFix3.txt 2008-11-07 11:43:43
Pre-Run: 292 957 896 704 байт свободно
Post-Run: 292,949,020,672 байт свободно
All done!
ComboFix log below
ComboFix 08-11-06.01 — Юрий 2008-11-07 16:33:22.1 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1446 [GMT 5:00]
Running from: c:documents and settingsЮрийРабочий столComboFixComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:windowsIE4 Error Log.txt
c:windowssystem32Cfx32.lic
c:windowssystem32cfx32.ocx
c:windowssystem32catsrvp.dll . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_GOOGLE_ONLINE_SEARCH_SERVICE
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.
2008-11-06 17:00 . 2008-11-06 17:00 8,675 —a
c:windowsFontData.fdb
2008-10-28 13:57 . 2008-10-28 13:57d
c:program filesTrend Micro
2008-10-28 13:15 . 2008-10-28 13:15d
c:program filesMalwarebytes’ Anti-Malware
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsAll UsersApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-28 13:15d
c:documents and settingsЮрийApplication DataMalwarebytes
2008-10-28 13:15 . 2008-10-22 16:10 38,496 —a
c:windowssystem32driversmbamswissarmy.sys
2008-10-28 13:15 . 2008-10-22 16:10 15,504 —a
c:windowssystem32driversmbam.sys
2008-10-28 12:16 . 2008-10-28 12:16d
c:program fileswww.freewordexcelpassword.com
2008-10-25 11:54 . 2004-08-17 17:04 93,184 —a
c:windowssystem32catsrvp.dll
2008-10-07 13:36 . 2001-09-30 18:10 246,784 —a
c:windowssystem32ActiveSkin.ocx
2008-10-07 13:36 . 2001-05-24 11:59 162,304 —a
C:UNWISE.EXE
2008-10-07 13:36 . 2002-01-18 17:12 112 —a
c:windowsActiveSkin.INI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 08:38
d
w c:documents and settingsЮрийApplication DataNLDealer
2008-10-07 08:06
d
w c:documents and settingsЮрийApplication DataPC Suite
2008-10-03 07:34
d
w c:program filesQIP Infium
2008-10-03 07:34
d
w c:documents and settingsЮрийApplication DataQIP
2008-09-10 13:09 20,656 —-a-w c:documents and settingsЮрийApplication DataGDIPFONTCACHEV1.DAT
2008-08-22 05:55 499,712 —-a-w c:windowssystem32msvcp71.dll
2008-08-22 05:55 348,160 —-a-w c:windowssystem32msvcr71.dll
2006-06-23 06:48 32,768 —-a-r c:windowsinfUpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE~Browser Helper Objects{F026D7E8-4C41-4A89-A8B7-0FE2C52BF2B5}]
2004-08-17 17:04 93184 —a
c:windowssystem32catsrvp.dll
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2004-08-17 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}»=»c:program filesCommon FilesNeroLibNMBgMonitor.exe» [2007-10-23 202024]
«H/PC Connection Agent»=»c:program filesMicrosoft ActiveSyncWcescomm.exe» [2006-11-13 1289000]
«Nokia.PCSync»=»c:program filesNokiaNokia PC Suite 6PCSync2.exe» [2008-03-26 1232896]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 6PCSuite.exe» [2008-04-16 1079808]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IAAnotif»=»c:program filesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2006-12-18 868352]
«JMB36X IDE Setup»=»c:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»c:windowssystem32xRaidSetup.exe» [2007-03-21 1953792]
«NeroFilterCheck»=»c:program filesCommon FilesNeroLibNeroCheck.exe» [2007-03-01 153136]
«NBKeyScan»=»c:program filesNeroNero8Nero BackItUpNBKeyScan.exe» [2007-09-20 1836328]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-03-13 1443072]
«Scktsrvr for RgSr4″=»c:progra~1REGIST~1ServerBinscktsrvr.exe» [2002-08-09 678400]
«Gainward»=»c:program filesVDOToolTBPanel.exe» [2007-11-27 2169368]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-05-02 13529088]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-05-02 86016]
«TkBellExe»=»c:program filesCommon FilesRealUpdate_OBrealsched.exe» [2008-08-22 185896]
«BluetoothAuthenticationAgent»=»bthprops.cpl» [2004-08-17 c:windowssystem32bthprops.cpl]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2004-08-17 15360]
c:documents and settingsЮрийГлавное менюПрограммыАвтозагрузка
Adobe Gamma.lnk — c:program filesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe [2005-03-16 113664]
QIP 2005.lnk — c:program filesQIPqip.exe [2008-07-01 3256320]
c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
BlueSoleil.lnk — c:program filesIVT CorporationBlueSoleilBlueSoleil.exe [2008-04-30 1044480]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«msacm.l3fhg»= mp3fhg.acm
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinav07.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinbf72.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinef50.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinfd72.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWiniv13.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinmv35.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinpc26.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinqo52.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinvj26.sys]
@=»Driver»
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinyf50.sys]
@=»Driver»
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«FirewallOverride»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\totalcmd\TOTALCMD.EXE»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE»=
«c:\Program Files\Casino.Net\casino.exe»=
«c:\WINDOWS\system32\ftp.exe»=
«c:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE»=
«c:\Games\OrangeBox\Steam\SteamApps\limbobimbo\team fortress 2\hl2.exe»=
«c:program filesMicrosoft ActiveSyncrapimgr.exe»= c:program filesMicrosoft ActiveSyncrapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
«c:program filesMicrosoft ActiveSyncwcescomm.exe»= c:program filesMicrosoft ActiveSyncwcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
«c:program filesMicrosoft ActiveSyncWCESMgr.exe»= c:program filesMicrosoft ActiveSyncWCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\Sprite Software\Sprite Backup\spriteservice.exe»=
«c:\projects\Мединком\LPU\Projects\MServer\MServer.exe»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE»=
«c:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe»=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«1433:TCP»= 1433:TCP:SQL SERVER
«26675:TCP»= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 oclpbazx;oclpbazx;c:windowssystem32driversoclpbazx.sys [2001-10-20 23424]
R1 epfwtdir;epfwtdir;c:windowssystem32DRIVERSepfwtdir.sys [2008-03-13 33800]
R1 hwinterface;hwinterface;c:windowssystem32Drivershwinterface.sys [2008-05-20 3026]
R2 LogWatch;Event Log Watch;c:program filesCASharedComponentsCA_LICLogWatNT.exe [2005-02-24 53248]
S0 Winav07;Winav07;c:windowssystem32DriversWinav07.sys [ ]
S0 Winbf72;Winbf72;c:windowssystem32DriversWinbf72.sys [ ]
S0 Winef50;Winef50;c:windowssystem32DriversWinef50.sys [ ]
S0 Winfd72;Winfd72;c:windowssystem32DriversWinfd72.sys [ ]
S0 Winiv13;Winiv13;c:windowssystem32DriversWiniv13.sys [ ]
S0 Winmv35;Winmv35;c:windowssystem32DriversWinmv35.sys [ ]
S0 Winpc26;Winpc26;c:windowssystem32DriversWinpc26.sys [ ]
S0 Winqo52;Winqo52;c:windowssystem32DriversWinqo52.sys [ ]
S0 Winvj26;Winvj26;c:windowssystem32DriversWinvj26.sys [ ]
S0 Winyf50;Winyf50;c:windowssystem32DriversWinyf50.sys [ ]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:windowssystem32DriversTEUSBMU.sys [2005-01-14 20992]
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{ec68fc4c-5713-11dd-9a03-001d60c920d3}]
Shellcmd1Command — J:copy.cmd
.
Contents of the ‘Scheduled Tasks’ folder
2008-11-06 c:windowsTasksMLCardsAgent ACTIVATEPOINT.job
— c:projects [2008-10-08 10:11]
2008-10-31 c:windowsTasksMLCardsAgent BACKUP.job
— c:projects [2008-10-08 10:11]
2008-11-06 c:windowsTasksMLCardsAgent CALCOPT.job
— c:projects [2008-10-08 10:11]
.
— — — — ORPHANS REMOVED — — — —
HKCU-Run-NVIDIA nTune — c:program filesNVIDIA CorporationnTunenTuneCmd.exe
HKLM-Run-Scktsrvr for RgSr2 — (no file)
HKLM-Run-Scktsrvr for RgSr — (no file)
HKLM-Run-Scktsrvr for RgSr3 — (no file)
SafeBoot-Winua63.sys
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office10EXCEL.EXE/3000
O17 -: HKLMCCSInterface{7F134F2C-57D2-4BD5-9782-42A60BB0D76D}: NameServer = 192.168.1.1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 16:39:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
c:program filesIVT CorporationBlueSoleilBTNtService.exe
c:program filesESETESET NOD32 Antivirusekrn.exe
c:program filesIntelIntel Matrix Storage ManagerIAANTmon.exe
c:program filesCommon FilesMicrosoft SharedVS7DebugMDM.EXE
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:program filesNeroNero8Nero BackItUpNBService.exe
c:windowssystem32nvsvc32.exe
c:windowssystem32wdfmgr.exe
c:windowssystem32rundll32.exe
c:windowssystem32rundll32.exe
c:program filesCommon FilesNeroLibNMIndexingService.exe
c:progra~1MI3AA1~1rapimgr.exe
c:program filesCommon FilesNeroLibNMIndexStoreSvr.exe
c:program filesPC Connectivity SolutionServiceLayer.exe
c:program filesCommon FilesNokiaMPAPIMPAPI3s.exe
c:program filesPC Connectivity SolutionTransportsNclUSBSrv.exe
c:program filesPC Connectivity SolutionTransportsNclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-11-07 16:43:42 — machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 11:43:39
Pre-Run: 291 424 940 032 байт свободно
Post-Run: 293,075,283,968 байт свободно