Лог ComboFix
ComboFix 09-03-10.03 — Administrator 2009-03-12 22:48:53.1 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.2047.1379 [GMT 6:00]
Running from: E:ComboFix.exe
FW: Outpost Firewall Pro *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS — svchost.exe: deleted 88 bytes in 2 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat
c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.
2009-03-11 20:27 . 2009-03-11 20:28 d
C:rsit
2009-03-11 20:27 . 2009-03-12 22:03 d
c:program filestrend micro
2009-03-11 18:28 . 2009-03-11 18:28 d
c:program filesMalwarebytes’ Anti-Malware
2009-03-11 18:28 . 2009-03-11 18:28 d
c:documents and settingsAll UsersApplication DataMalwarebytes
2009-03-11 18:28 . 2009-03-11 18:28 d
c:documents and settingsAdministratorApplication DataMalwarebytes
2009-03-11 18:28 . 2009-02-11 10:19 38,496 —a
c:windowssystem32driversmbamswissarmy.sys
2009-03-11 18:28 . 2009-02-11 10:19 15,504 —a
c:windowssystem32driversmbam.sys
2009-03-09 19:42 . 2009-03-09 19:42 d
c:program filesDjvuReader
2009-03-09 18:21 . 2009-03-09 18:21 d
c:documents and settingsAdministratorApplication DataTurbogames.ru
2009-03-09 16:42 . 2009-03-09 16:50 d
c:documents and settingsAdministratorApplication DataDAEMON Tools Pro
2009-03-09 16:42 . 2009-03-09 16:42 d
c:documents and settingsAdministratorApplication DataDAEMON Tools
2009-03-09 16:41 . 2009-03-09 16:41 d
c:documents and settingsAll UsersApplication DataDAEMON Tools Lite
2009-03-09 16:40 . 2009-03-09 16:42 d
c:documents and settingsAdministratorApplication DataYandex
2009-03-09 16:39 . 2009-03-09 16:40 d
c:program filesDAEMON Tools Lite
2009-03-09 16:39 . 2009-03-09 16:57 d
c:documents and settingsAdministratorApplication DataDAEMON Tools Lite
2009-03-08 18:40 . 2009-03-08 18:40 d
c:program files3D Fish School 4
2009-03-08 18:40 . 2009-01-28 14:46 5,775,872 —a
c:windowsss3dfish.scr
2009-03-08 18:40 . 2008-08-08 10:19 125,440 —a
c:windowsdx7ogl32.dll
2009-03-07 20:08 . 2009-03-11 17:18 d
c:windowssystem32Filt
2009-03-07 20:08 . 2009-03-07 20:08 d
c:program filesAgnitum
2009-03-07 20:08 . 2009-03-07 20:08 d
c:documents and settingsAll UsersApplication DataAgnitum
2009-03-07 20:08 . 2009-02-26 10:27 704,384 —a
c:windowssystem32driversSandBox.sys
2009-03-07 20:08 . 2009-02-10 16:15 257,432 —a
c:windowssystem32driversafwcore.sys
2009-03-07 20:08 . 2008-06-20 09:45 30,864 —a
c:windowssystem32driversafw.sys
2009-03-07 16:15 . 2009-03-07 19:54 d
c:documents and settingsAll UsersApplication DataDoctor Web
2009-03-01 22:46 . 2009-03-01 22:46 d
c:windowssystem32LogFiles
2009-03-01 22:46 . 2009-03-01 22:46 d
c:windowssystem32driversUMDF
2009-03-01 22:46 . 2009-03-01 22:46 d
c:program filesWindows Media Connect 2
2009-03-01 13:01 . 2008-10-30 19:24 d
c:program filesPlugins
2009-03-01 13:01 . 2008-10-30 19:52 d
c:program filesLangs
2009-03-01 13:01 . 2008-10-30 19:24 d
c:program filesHelp
2009-02-28 19:12 . 2000-07-10 11:04 155,648 —a
c:windowsRusUinst.exe
2009-02-28 19:12 . 1998-06-25 15:13 28,160 —a
c:windowsUnSetup.exe
2009-02-28 18:46 . 2009-02-28 18:46 d
c:program filesSchool-Plus
2009-02-28 18:40 . 1998-09-02 14:02 194,320 —a
c:windowssystem32qcut.dll
2009-02-28 18:40 . 1998-08-27 10:51 182,032 —a
c:windowssystem32dxtmsft3.dll
2009-02-28 18:40 . 1998-08-20 17:02 140,800 —a
c:windowssystem32tm20dec.ax
2009-02-28 18:40 . 1998-09-02 14:28 63,488 —a
c:windowssystem32unam4ie.exe
2009-02-28 18:40 . 1998-09-02 14:28 38,160 —a
c:windowssystem32LMRTREND.dll
2009-02-28 18:40 . 1998-08-17 15:21 11,776 —a
c:windowssystem32mciqtz.drv
2009-02-28 18:40 . 1998-08-17 15:21 10,240 —a
c:windowssystem32vidx16.dll
2009-02-28 18:40 . 1998-08-17 15:21 5,672 —a
c:windowssystem32quartz.vxd
2009-02-28 18:40 . 2009-02-28 18:40 4,608 —a
c:windowssystem32w95inf32.dll
2009-02-28 18:40 . 2009-02-28 18:40 2,272 —a
c:windowssystem32w95inf16.dll
2009-02-28 18:38 . 1998-01-19 17:39 27,600 -ra
c:windowsisk3ro.exe
2009-02-28 18:38 . 2009-02-28 18:38 306 —a
c:windowsQTW.INI
2009-02-28 18:37 . 2009-02-28 18:38 30 —a
c:windowsRESULT.QTW
2009-02-28 18:34 . 2009-02-28 18:37 63 —a
c:windowsMaris.ini
2009-02-28 18:33 . 2009-02-28 18:33 d
c:documents and settingsAdministratorWINDOWS
2009-02-28 18:33 . 1996-11-06 11:58 302,592 —a
c:windowsunin0419.exe
2009-02-28 18:19 . 2009-02-28 18:20 d
c:program filesCommon FilesAdobe
2009-02-28 18:00 . 1998-10-02 19:00 327,168 —a
c:windowsIsUninst.exe
2009-02-26 22:57 . 2008-04-14 00:17 25,856 —a
c:windowssystem32driversusbprint.sys
2009-02-26 22:57 . 2008-04-14 00:17 25,856 —a—c— c:windowssystem32dllcacheusbprint.sys
2009-02-26 18:48 . 2009-02-26 18:48 d
c:documents and settingsAdministratorApplication DatamIRC
2009-02-23 21:20 . 2009-01-16 11:14 49 —a
c:windowstransp.gif
2009-02-23 21:17 . 2009-02-23 21:17 d
c:program filesCommon FilesAgnitum Shared
2009-02-21 18:01 . 2009-02-21 18:01 d-a
c:program filesCoolReader 3.0.8
2009-02-21 17:56 . 2009-02-21 17:57 d
c:documents and settingsAdministratorApplication Datacr3
2009-02-20 20:07 . 2001-10-19 20:33 12,160 —a
c:windowssystem32driversmouhid.sys
2009-02-20 20:07 . 2001-10-19 20:33 12,160 —a—c— c:windowssystem32dllcachemouhid.sys
2009-02-20 20:06 . 2008-04-14 00:15 10,368 —a
c:windowssystem32drivershidusb.sys
2009-02-20 20:06 . 2008-04-14 00:15 10,368 —a—c— c:windowssystem32dllcachehidusb.sys
2009-02-17 22:54 . 2009-02-17 22:54 d
c:program filesNative Instruments
2009-02-17 22:54 . 2009-02-17 22:56 d
c:program filesFinale GPO 2.0
2009-02-17 22:54 . 2006-05-19 16:54 393,216 —a
c:windowssystem32NI_IRC_1_1.dll
2009-02-17 22:54 . 2005-04-04 18:00 393,216 —a
c:windowssystem32NI_IRC_1_0_3.dll
2009-02-17 22:54 . 2006-07-11 16:16 61,440 —a
c:windowssystem32NI_DFD_1_4.dll
2009-02-17 22:52 . 2009-02-17 23:02 d
c:program filesFinale 2007
2009-02-17 22:36 . 2004-03-29 16:23 90,112 —a
c:windowsunvise32.exe
2009-02-17 22:35 . 2009-02-17 22:53 d
C:Psfonts
2009-02-17 22:34 . 2009-02-17 22:39 d
c:program filesFinale 2006
2009-02-17 22:34 . 2009-02-17 22:34 573 —a
c:windowswiniini.fin
2009-02-16 23:34 . 2009-02-16 23:34 d
c:program filesStamina
2009-02-16 22:57 . 2009-02-16 22:57 d
c:program filesSolo9
2009-02-16 22:57 . 2009-02-16 22:57 d
c:documents and settingsAll UsersApplication DataSolo9
2009-02-15 17:37 . 2009-02-15 17:37 d
c:program filesuTorrent
2009-02-14 22:16 . 2009-03-02 21:19 208 —a
c:windowsUpdateClientUI.INI
2009-02-13 15:01 . 2009-03-09 23:24 d
c:documents and settingsAdministratorApplication DatauTorrent
2009-02-12 19:34 . 2009-02-12 19:34 1,172 —a
c:windowsmozver.dat
2009-02-12 17:40 . 2009-02-12 17:40 0 —a
c:windowsnsreg.dat
2009-02-12 17:24 . 2009-02-12 17:24 d
c:program files2gis
2009-02-12 17:05 . 2009-02-12 17:05 d
c:documents and settingsAdministratorApplication DataGrym
2009-02-12 16:53 . 2009-02-12 17:09 d
c:documents and settingsAll UsersApplication Data2GIS
2009-02-12 16:30 . 2009-02-12 16:30 d
c:program filesK-Soft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 15:48
d
w c:documents and settingsAdministratorApplication DataAIMP
2009-03-12 15:13
d
w c:documents and settingsAll UsersApplication DataAlawarWrapper
2009-03-09 12:28
d
w c:documents and settingsAll UsersApplication DataPlayFirst
2009-03-09 12:28
d
w c:documents and settingsAdministratorApplication DataPlayFirst
2009-03-02 09:45
d—h—w c:program filesInstallShield Installation Information
2009-02-10 11:50
d
w c:program filesCommon FilesReGet Shared
2009-02-09 14:07 1,846,912 —-a-w c:windowssystem32win32k.sys
2009-02-08 12:26
d
w c:documents and settingsAdministratorApplication DataReGet Software
2009-02-07 18:52
d
w c:program filesMSXML 4.0
2009-01-31 11:43 14,336 —-a-w c:windowssystem32svchost.exe
2009-01-30 15:08
d
w c:program filesNero
2009-01-29 17:08
d
w c:program filesCommon FilesNero
2009-01-29 17:08
d
w c:documents and settingsAll UsersApplication DataNero
2009-01-29 17:08
d
w c:documents and settingsAdministratorApplication DataNero
2009-01-24 16:54
d
w c:program filesMicrosoft.NET
2009-01-24 16:46 717,296 —-a-w c:windowssystem32driverssptd.sys
2009-01-19 10:28
d
w c:documents and settingsAll UsersApplication DataEgoset
2009-01-18 12:04 632 —-a-w C:settings.dat
2009-01-18 10:13
d
w c:program filesAIMP2
2009-01-17 09:01
d
w c:documents and settingsAdministratorApplication DataAvant Profiles
2009-01-16 15:21
d
w c:program filesThe KMPlayer
2008-12-23 15:58 453,152 —-a-w c:windowssystem32NVUNINST.EXE
2008-12-20 23:03 826,368 —-a-w c:windowssystem32wininet.dll
2006-06-23 06:48 32,768 —-a-r c:windowsinfUpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-04-15 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«DAEMON Tools Lite»=»c:program filesDAEMON Tools Litedaemon.exe» [2008-12-29 687560]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2006-12-18 868352]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-12-26 13680640]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-12-26 86016]
«2gis update client UI»=»c:program files2gisUpdateClientWin32UpdateClientUI.exe» [2008-09-17 4055040]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-12 34672]
«OutpostFeedBack»=»c:program filesAgnitumOutpost Firewall Profeedback.exe» [2009-03-02 433480]
«OutpostMonitor»=»c:progra~1AgnitumOUTPOS~1op_mon.exe» [2009-03-02 1225032]
«nwiz»=»nwiz.exe» [2008-12-26 c:windowssystem32nwiz.exe]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-15 15360]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«c:\WINDOWS\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\sessmgr.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
R1 SandBox;SandBox;c:windowssystem32driversSandBox.sys [2009-03-07 704384]
R2 2GIS UpdateClientService;2GIS UpdateClientService;c:program files2gisUpdateClientWin32UpdateClientService.exe [2008-09-17 1134592]
R3 afw;Agnitum firewall driver;c:windowssystem32driversafw.sys [2009-03-07 30864]
R3 afwcore;afwcore;c:windowssystem32driversafwcore.sys [2009-03-07 257432]
R3 ASWFilt;ASWFilt;c:windowssystem32FiltASWFilt.dll [2009-03-07 33888]
S2 acssrv;Agnitum Client Security Service;c:progra~1AgnitumOUTPOS~1acs.exe [2009-03-07 1267016]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:windowssystem32driversatl01_xp.sys [2009-01-05 35840]
.
Contents of the ‘Scheduled Tasks’ folder
2009-03-11 c:windowsTasks{DB41A4E8-349D-406A-AAA5-9B1F0B64152B}_HOME_Administrator.job
— c:windowssystem32mobsync.exe [2008-04-15 18:00]
.
— — — — ORPHANS REMOVED — — — —
ShellExecuteHooks-{16664848-0E00-11D2-8059-000000000000} — (no file)
.
Supplementary Scan
.
uStart Page = hxxp://www.tomtel.ru/
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
Handler: solores — {8FA1F4E9-444B-48BF-98CD-B8ECA88E6BA5} — c:progra~1Solo9SoloRes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 22:51:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
c:windowssystem32nvsvc32.exe
c:windowssystem32rundll32.exe
c:windowssystem32wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-12 22:52:19 — machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 16:52:17
Pre-Run: 30 680 367 104 байт свободно
Post-Run: 30,891,356,160 байт свободно
203 — E O F — 2009-03-11 15:04:06
Лог MBAM
Лог MBAM
Malwarebytes’ Anti-Malware 1.34
Версия базы данных: 1840
Windows 5.1.2600 Service Pack 3
12.03.2009 22:44:36
mbam-log-2009-03-12 (22-44-36).txt
Тип проверки: Полная (A:|C:|D:|E:|F:|G:|H:|I:|)
Проверено объектов: 128268
Прошло времени: 17 minute(s), 12 second(s)
Заражено процессов в памяти: 0
Заражено модулей в памяти: 0
Заражено ключей реестра: 0
Заражено значений реестра: 0
Заражено параметров реестра: 0
Заражено папок: 0
Заражено файлов: 0
Заражено процессов в памяти:
(Вредоносные программы не обнаружены)
Заражено модулей в памяти:
(Вредоносные программы не обнаружены)
Заражено ключей реестра:
(Вредоносные программы не обнаружены)
Заражено значений реестра:
(Вредоносные программы не обнаружены)
Заражено параметров реестра:
(Вредоносные программы не обнаружены)
Заражено папок:
(Вредоносные программы не обнаружены)
Заражено файлов:
(Вредоносные программы не обнаружены)
//Кстати, мой Agnitum Outpost Firewall Pro 2009 после сканирования Combofix и получения лога (мой файрволл автоматически загружается после перезагрузки компьютера) нашел следующие трояны и удалил их:
«Autoruner» (Worm)
«BZub» (Trojan)
«BiFrost» (Backdoor)
