Re: Re: Can't get rid of a virus that NOD32 keeps detecting
ComboFix result:
ComboFix 09-02-06.04 - Толя 2009-02-08 16:21:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.1023.605 [GMT 6:00]
Running from: c:\documents and settings\Толя\Рабочий стол\ComboFix.exe
AV: Антивирусная система Eset NOD32 2.70 *On-access scanning enabled* (Updated)
FW: Outpost Firewall Pro *disabled*
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.
2009-02-08 15:40 . 2009-02-08 15:40 c:\documents and settings\Толя\Application Data\WinRAR
2009-02-08 15:33 . 2009-02-08 15:33 592,896 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-08 15:31 . 2009-02-08 15:31 c:\windows\ERUNT
2009-02-01 16:15 . 2009-02-01 16:16 C:\FlylinkDC++
2009-01-29 22:56 . 2009-01-29 22:56 c:\documents and settings\Толя\Application Data\ASCON
2009-01-29 22:13 . 2009-01-29 22:13 c:\program files\ASCON
2009-01-27 21:29 . 2009-02-08 14:27 c:\program files\Mozilla Thunderbird
2009-01-27 21:29 . 2009-01-27 21:29 c:\documents and settings\Толя\Application Data\Thunderbird
2009-01-27 21:29 . 2009-01-27 21:29 0 --a------ c:\windows\nsreg.dat
2009-01-18 23:55 . 2009-01-18 23:55 60,735 --a------ c:\windows\FontData.fdb
2009-01-18 00:44 . 2009-01-18 00:44 c:\documents and settings\Толя\Application Data\Corel
2009-01-18 00:44 . 2009-01-19 23:06 3,192 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-01-18 00:44 . 2009-01-18 00:44 8 -r-hs---- c:\documents and settings\All Users\Application Data\984F80BE39.sys
2009-01-18 00:42 . 2009-01-18 00:42 c:\program files\Common Files\Protexis
2009-01-18 00:42 . 2009-01-18 00:42 c:\documents and settings\All Users\Application Data\Corel
2009-01-18 00:39 . 2009-01-18 00:39 c:\program files\Common Files\Corel
2009-01-18 00:38 . 2009-01-18 00:38 c:\program files\Corel
2009-01-11 20:20 . 2009-01-11 20:20 c:\program files\Samsung
2009-01-11 20:20 . 2009-01-11 20:20 c:\program files\InstallShield Installation Information
2009-01-11 20:15 . 2005-05-25 09:24 22,760 -ra------ c:\windows\system32\drivers\usb2vcom.sys
2009-01-10 12:36 . 2009-02-02 20:35 c:\program files\Matrix
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 10:16 d-----w c:\documents and settings\Толя\Application Data\Orbit
2009-02-08 08:18 d-----w c:\program files\Orbitdownloader
2009-02-08 03:39 d-----w c:\documents and settings\Сережа\Application Data\Orbit
2009-02-06 12:33 d-----w c:\program files\QIP Infium
2009-02-01 11:54 d-----w c:\program files\Opera
2009-01-18 05:15 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-11 14:20 d-----w c:\program files\Common Files\InstallShield
2009-01-08 13:29 d-----w c:\program files\ESET
2009-01-07 14:27 d-----w c:\program files\Punto Switcher
2009-01-06 16:09 d-----w c:\program files\AutoCAD 2006
2009-01-06 16:08 d-----w c:\program files\Common Files\Autodesk Shared
2009-01-06 16:08 d-----w c:\program files\AnswerWorks 4.0
2009-01-06 16:07 d-----w c:\documents and settings\All Users\Application Data\Autodesk
2009-01-06 16:05 d-----w c:\program files\Autodesk
2009-01-06 14:06 d-----w c:\program files\aTunes
2009-01-06 13:54 d-----w c:\program files\7-Zip
2009-01-04 16:31 d-----w c:\documents and settings\Толя\Application Data\GrabPro
2008-12-23 14:35 d-----w c:\documents and settings\Толя\Application Data\Magic Academy
2008-12-17 10:15 d-----w c:\documents and settings\Сережа\Application Data\Magic Academy
2008-12-14 13:53 d-----w c:\program files\Common Files\Yandex
2008-12-13 15:43 d-----w c:\documents and settings\Сережа\Application Data\HEXelon
2008-12-11 17:00 d-----w c:\program files\Trend Micro
2008-11-14 09:25 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-10 15:51 298,104 ----a-w c:\windows\system32\imon.dll
2008-10-10 18:16 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-10-10 18:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-10-10 18:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101020081011\index.dat
2008-10-10 18:16 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
Sigcheck
2008-09-15 03:35 592896 f7af57aa04ec029609f083c07e691e37 c:\windows\system32\user32.dll
2009-02-08 15:33 592896 f7af57aa04ec029609f083c07e691e37 c:\windows\system32\dllcache\user32.dll
2008-09-15 03:36 1061376 b4c6c4d50f2dab96d7f66bd11482c8a5 c:\windows\system32\wininet.dll
2008-04-15 16:00 361344 eaec6ea32bdabd7622371c10b8d68a17 c:\windows\system32\drivers\tcpip.sys
2008-09-15 03:30 2165248 9c8b91ff9f5cc6c6c17a1593255f46d3 c:\windows\system32\ntkrnlpa.exe
2008-09-15 03:26 2286592 047953a8b30891f5f8f0bf68abfea339 c:\windows\system32\ntoskrnl.exe
2008-09-15 03:34 1619456 a6add9aaa27cfc44b8af42732ebea899 c:\windows\explorer.exe
2008-09-15 03:34 37376 01e0bc2b993ebcca9dbc6d878f14a878 c:\windows\system32\ctfmon.exe
2008-09-15 03:36 76488 8c0c6aeb8e39913d95c66b1040f0d7bb c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-03-23 132096]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2004-11-14 205824]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1211176]
"HEXelon MAX"="c:\program files\HEXelon MAX 6\hexelon.exe" [2007-06-28 2816512]
"CPU_Control"="c:\program files\CPU-Control\CPU_Control.exe" [2008-11-03 1034240]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-09-15 37376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2007-04-05 94720]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2007-06-28 335872]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-10 949376]
"2gis update client UI"="c:\program files\2gis\UpdateClient\Win32\UpdateClientUI.exe" [2008-09-17 4055040]
"SoundMan"="SOUNDMAN.EXE" [2007-04-17 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-09-15 37376]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-03-23 132096]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"IE7_012"="advpack.dll" [2008-09-15 c:\windows\system32\advpack.dll]
c:\documents and settings\Администратор\Главное меню\Программы\Автозагрузка
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2005-07-22 118784]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-01-04 1711304]
Быстрый запуск AutoCAD.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2007-03-23 10872]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2gis update client UI]
--a------ 2008-09-17 11:03 4055040 c:\program files\2gis\UpdateClient\Win32\UpdateClientUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\Orbitdownloader\orbitdm.exe"=
"c:\Program Files\Orbitdownloader\orbitnet.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-11-03 15424]
R1 SandBox;Outpost Firewall Sandbox Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\SandBox.sys [2008-10-11 408352]
R1 VFILT;Outpost Firewall Kernel Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\filtnt.sys [2008-10-11 163840]
R2 2GIS UpdateClientService;2GIS UpdateClientService;c:\program files\2gis\UpdateClient\Win32\UpdateClientService.exe [2008-09-17 1134592]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\adblock.dll [2008-10-11 33568]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\arp.dll [2008-10-11 17632]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\content.dll [2008-10-11 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\dnscache.dll [2008-10-11 14656]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\ftpfilt.dll [2008-10-11 9248]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\htmlfilt.dll [2008-10-11 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\httpfilt.dll [2008-10-11 13216]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\imapfilt.dll [2008-10-11 7168]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\mailfilt.dll [2008-10-11 14880]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\nntpfilt.dll [2008-10-11 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\pop3filt.dll [2008-10-11 10048]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\protect.dll [2008-10-11 15200]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\secret.dll [2008-10-11 13056]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2009-01-11 22760]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SRSERVICE
.
.
Supplementary Scan
.
uStart Page = hxxp://search.orbitdownloader.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Закачать ВСЕ при помощи Download Master
IE: Закачать при помощи Download Master
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74}
LSP: c:\windows\system32\imon.dll
TCP: {610C49BF-872B-4686-B793-F0664080844C} = 217.70.106.5,217.70.96.34
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 16:24:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\SETUPAPI.dll
c:\program files\Agnitum\Outpost Firewall\wl_hook.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll
- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\setupapi.dll
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2009-02-08 16:25:41
ComboFix-quarantined-files.txt 2009-02-08 10:25:38
Pre-Run: 16 523 378 688 байт свободно
Post-Run: 16,739,094,528 байт свободно