Здравствуйте, Valeri! Высылаю Вам лог, созданный программой Combofix.
ComboFix 09-11-26.01 — Ivan 27.11.2009 1:30.1.2 — x86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.2039.1608 [GMT 3:00]
Running from: c:documents and settingsIvanРабочий столComboFix.exe
Command switches used :: c:documents and settingsIvanРабочий столWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:documents and settingsIvanApplication DataAdSubscribe
c:documents and settingsIvanApplication DataAdSubscribeAdSubscribe.dat
c:documents and settingsIvanApplication DataAdSubscribeFeed.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed1.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed10.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed11.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed12.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed13.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed14.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed15.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed2.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed3.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed4.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed5.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed6.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed7.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed8.jpg
c:documents and settingsIvanApplication DataAdSubscribeFeed9.jpg
c:program filesMail.RuAgentMradllnewmrasearch.dll
C:test.txt
c:windowsa3kebook.ini
c:windowsakebook.ini
c:windowsANS2000.INI
c:windowssystem32Penx.dat
c:windowssystem32Xpen.dat
c:windowsufdata2000.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Service_AVPsys
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.
2009-11-16 12:56 . 2009-11-20 16:48
d
w- c:program filestrend micro
2009-11-16 12:56 . 2009-11-16 12:56
d
w- C:rsit
2009-11-16 09:05 . 2009-11-16 09:05 932368 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataKasFltPluginsprofiles-1-6.dll
2009-11-16 09:05 . 2009-11-16 09:05 678416 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataKasFltPluginscontent_interpreter-1-1.dll
2009-11-16 09:05 . 2009-11-16 09:05 604688 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataKasFltPluginsgsg-3-9.dll
2009-11-16 09:05 . 2009-11-16 09:05 522768 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataKasFltPluginsdatabase-1-5.dll
2009-11-16 09:05 . 2009-11-16 09:05 1096208 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataKasFltPluginsfiltration-4-6.dll
2009-11-16 00:26 . 2009-11-16 00:26 604140 —sha-w- c:windowssystem32driversISwift3.dat
2009-11-15 19:46 . 2009-11-16 09:04 108059 —-a-w- c:windowssystem32driversklin.dat
2009-11-15 19:46 . 2009-11-16 09:04 95259 —-a-w- c:windowssystem32driversklick.dat
2009-11-11 18:54 . 2009-11-14 00:25
d
w- c:documents and settingsAll UsersApplication Datamsuwarn
2009-11-03 23:31 . 2009-11-03 23:31 63749 —-a-w- c:documents and settingsIvanApplication Data3po.ruUninstall.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 22:41 . 2008-11-13 21:25
d
w- c:documents and settingsAll UsersApplication DataKaspersky Lab
2009-11-26 21:54 . 2009-08-31 14:31
d
w- c:documents and settingsIvanApplication DataSkype
2009-11-22 22:40 . 2009-09-17 18:12
d
w- c:program filesStrongDC
2009-11-22 20:18 . 2009-06-06 19:46
d
w- c:program filesuTorrent
2009-11-22 09:26 . 2008-11-14 09:54
d
w- c:documents and settingsIvanApplication DatauTorrent
2009-11-19 18:43 . 2008-11-13 20:35 66 —-a-w- c:documents and settingsIvanApplication Dataisfree3_0.tmp
2009-11-19 18:43 . 2008-11-13 20:35 66 —-a-w- c:documents and settingsIvanApplication Dataisfree3_1.tmp
2009-11-18 00:39 . 2009-01-25 15:06
d
w- c:program filesCommon FilesAdobe
2009-11-15 19:45 . 2008-11-13 21:53
d
w- c:program filesKaspersky Lab
2009-11-15 19:41 . 2008-11-13 21:22
d
w- c:documents and settingsAll UsersApplication DataKaspersky Lab Setup Files
2009-11-15 16:31 . 2009-09-07 21:38
d
w- c:program filesQIP
2009-11-14 06:01 . 2009-08-31 14:33
d
w- c:documents and settingsIvanApplication DataskypePM
2009-11-12 15:09 . 2009-03-14 14:40
d
w- c:documents and settingsIvanApplication DataDiskAid
2009-11-03 23:32 . 2009-09-06 19:14
d
w- c:documents and settingsIvanApplication Data3po.ru
2009-10-27 10:50 . 2006-03-02 12:00 84482 —-a-w- c:windowssystem32perfc019.dat
2009-10-27 10:50 . 2006-03-02 12:00 484908 —-a-w- c:windowssystem32perfh019.dat
2009-10-27 09:02 . 2009-10-27 09:02 1580544 —-a-w- c:documents and settingsIvanApplication Data3po.ruKonusic.exe
2009-10-27 08:57 . 2009-10-27 08:57 894976 —-a-w- c:documents and settingsIvanApplication Data3po.ruVkonpic.exe
2009-10-27 08:48 . 2009-10-27 08:48 720896 —-a-w- c:documents and settingsIvanApplication Data3po.ruAuth.exe
2009-10-16 11:39 . 2009-10-16 11:39
d
w- c:program filesWinDjView
2009-10-08 21:27 . 2008-09-18 16:40
d
w- c:program filesRed Kawa
2009-10-07 17:50 . 2008-08-26 05:15 664 —-a-w- c:windowssystem32d3d9caps.dat
2009-10-02 21:34 . 2008-05-31 13:06 60424 —-a-w- c:documents and settingsIvanLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-09-21 19:23 . 2009-02-12 09:30 4045528 —-a-w- c:documents and settingsAll UsersApplication DataMalwarebytesMalwarebytes’ Anti-Malwarembam-setup.exe
2009-09-10 10:54 . 2009-02-03 20:36 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2009-09-10 10:53 . 2009-02-03 20:36 19160 —-a-w- c:windowssystem32driversmbam.sys
2009-08-31 14:53 . 2009-08-31 14:54 410984 —-a-w- c:windowssystem32deploytk.dll
2009-08-31 14:48 . 2009-08-31 14:48 152576 —-a-w- c:documents and settingsIvanApplication DataSunJavajre1.6.0_11lzma.dll
2009-08-31 14:33 . 2009-08-31 14:33 56 —ha-w- c:windowssystem32ezsidmv.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«Malwarebytes Anti-Malware (reboot)»=»c:program filesMalwarebytes’ Anti-Malwarembam.exe» [2009-09-10 1312080]
«AVP»=»c:program filesKaspersky LabKaspersky Internet Security 2010avp.exe» [2009-08-12 328096]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 9.0ReaderReader_sl.exe» [2009-10-03 35696]
«Adobe ARM»=»c:program filesCommon FilesAdobeARM1.0AdobeARM.exe» [2009-09-04 935288]
«SynTPEnh»=»c:program filesSynapticsSynTPSynTPEnh.exe» [2008-03-27 1040384]
«WatchDog»=»c:program filesInterVideoDVD CheckDVDCheck.exe» [2007-05-23 192512]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyOneCard]
2007-02-07 01:30 74240 —-a-r- c:program filesHewlett-PackardIAMBinASWLNPkg.dll
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\HPQ\HP Connection Manager\SwiApiMux.exe»=
«c:\Program Files\Samsung Electronics\mWiMAX U200\YotaAccess.exe»=
«c:\Program Files\Bonjour\mDNSResponder.exe»=
«c:\Program Files\iTunes\iTunes.exe»=
«c:\Program Files\uTorrent\uTorrent.exe»=
«c:\Program Files\ICQ6.5\ICQ.exe»=
«c:\Program Files\ARIS6.2\JavaClient\jre\bin\java.exe»=
«c:\Program Files\ARIS6.2\LocalServer\jre\bin\java.exe»=
«c:\Program Files\ARIS6.2\LocalServer\ASA8\win32\dbsrv8.exe»=
«c:\Program Files\ARIS6.2\ScriptCv.exe»=
«c:\Program Files\ARIS6.2\Aris62.exe»=
«c:\Program Files\ARIS6.2\Regsvr32.exe»=
«c:\Program Files\ARIS6.2\regall.exe»=
«c:\Program Files\ARIS6.2\ArisAdm62.exe»=
«c:\Program Files\ARIS6.2\html\binaries\setup\WPSetup.exe»=
«c:\Program Files\ARIS6.2\simple\eM-Plant.exe»=
«c:\Program Files\ARIS6.2\JavaClient\SiteAdmin.exe»=
«c:\Program Files\ARIS6.2\JavaClient\ConverterGUI.exe»=
«c:\Program Files\ARIS6.2\JavaClient\aris502\ArisAdm.exe»=
«c:\Program Files\ARIS6.2\JavaClient\aris502\csf_srvp.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe»=
«c:\Documents and Settings\Ivan\Рабочий стол\magent.exe»=
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\StrongDC\StrongDC.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«8003:TCP»= 8003:TCP:aris50
«8004:TCP»= 8004:TCP:_aris50
«8005:TCP»= 8005:TCP:aris50_adm
«16040:TCP»= 16040:TCP:aris62_name_public
«16041:TCP»= 16041:TCP:aris62_name_private
«16042:TCP»= 16042:TCP:aris62_admin
«16043:TCP»= 16043:TCP:aris62_admin_agent
«16044:TCP»= 16044:TCP:aris62_Sybase
«16045:TCP»= 16045:TCP:aris62_local_public
«16046:TCP»= 16046:TCP:aris62_local_Sybase
«16047:TCP»= 16047:TCP:aris62_local_private
«16048:TCP»= 16048:TCP:aris62_local_admin
«443:TCP»= 443:TCP:aris62_SSL
R0 klbg;Kaspersky Lab Boot Guard Driver;c:windowssystem32driversklbg.sys [15.12.2008 20:41 33808]
R2 ASBroker;Logon Session Broker;c:windowsSystem32svchost.exe -k Cognizance [02.03.2006 15:00 14336]
R2 ASChannel;Local Communication Channel;c:windowsSystem32svchost.exe -k Cognizance [02.03.2006 15:00 14336]
R2 SWIHPWMI;SWIHPWMI;c:program filesHPQSharedSierra WirelessWin32UnicodeSWIHPWMI.exe [04.12.2006 15:13 292384]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:windowssystem32driversklim5.sys [13.05.2009 17:46 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:windowssystem32driversklmouflt.sys [16.05.2009 20:59 19472]
S2 LogWatch;Event Log Watch;c:windowsLogWatNT.exe —> c:windowsLogWatNT.exe [?]
S2 Netmgmt;Shell Helper;c:windowssystem32svchost.exe -k netsvcs [02.03.2006 15:00 14336]
S2 rma;Radia Management Agent;c:novadigmManagementAgentnvdkit.exe [19.09.2005 8:02 1968446]
S3 C7xxUSB;Samsung CMC7xx USB Network Driver;c:windowssystem32driversC7xUSBX3.sys [26.06.2008 17:17 39296]
S3 HP24X;HP PC Card Smart Card Reader;c:windowssystem32driversHP24X.sys [26.08.2008 7:44 33024]
S3 inmqqx;inmqqx;??c:windowssystem322.tmp —> c:windowssystem322.tmp [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;»c:program filesMicrosoft Visual Studio 8Common7IDERemote Debuggerx86msvsmon.exe» /service msvsmon80 —> c:program filesMicrosoft Visual Studio 8Common7IDERemote Debuggerx86msvsmon.exe [?]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
Netmgmt
[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
«c:program filesCommon FilesLightScribeLSRunOnce.exe»
.
Contents of the ‘Scheduled Tasks’ folder
2009-11-25 c:windowsTasksGoogleUpdateTaskUserS-1-5-21-861567501-2000478354-839522115-1003Core.job
— c:documents and settingsIvanLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-12-25 14:46]
2009-11-26 c:windowsTasksGoogleUpdateTaskUserS-1-5-21-861567501-2000478354-839522115-1003UA.job
— c:documents and settingsIvanLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-12-25 14:46]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.hp.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 192.168.0.1:8080
uInternet Settings,ProxyOverride = *.local
IE: &Отправить на устройство Bluetooth… — c:program filesWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
IE: check in my books
IE: Translate with ABBYY &Lingvo… — c:program filesABBYY Lingvo 12Lingvo.exe/3000
IE: Закачать ВСЕ при помощи Download Master — c:program filesDownload Masterdmieall.htm
IE: Закачать при помощи Download Master — c:program filesDownload Masterdmie.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} — c:program filesDownload Masterdmaster.exe
LSP: c:windowssystem32imon.dll
.
— — — — ORPHANS REMOVED — — — —
HKLM-Run-MAgent — c:program filesMail.RuAgentMAgent.exe
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} — c:program filesInstallShield Installation Information{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}setup.exe REMOVEALL
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 01:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINESystemControlSet001Servicesrma]
«ImagePath»=»C:/Novadigm/ManagementAgent/nvdkit.exe»
[HKEY_LOCAL_MACHINESystemControlSet001Servicesinmqqx]
«ImagePath»=»??c:windowssystem322.tmp»
[HKEY_LOCAL_MACHINESystemControlSet001Servicesrma]
«ImagePath»=»C:/Novadigm/ManagementAgent/nvdkit.exe»
[HKEY_LOCAL_MACHINESystemControlSet001ServicesNetmgmt]
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(1504)
c:program filesHewlett-PackardIAMBinASWLNPkg.dll
c:program filesHewlett-PackardIAMbinItMsg.dll
c:program filesHewlett-PackardIAMBinTrayIcon.dll
c:program filesHewlett-PackardIAMbinHPBrand.dll
c:program filesHewlett-PackardIAMBinASChnl.dll
c:program filesHewlett-PackardIAMBinItDAC.dll
c:program filesHewlett-PackardIAMBinItReports.DLL
c:program filesHewlett-PackardIAMBinBioAuth.dll
c:program filesHewlett-PackardIAMBinASBIoAT.dll
c:program filesHewlett-PackardIAMBinittal.dll
c:program filesHewlett-PackardIAMBinSTEngine.dll
c:program filesHewlett-PackardIAMBinItVCClient.dll
c:program filesHewlett-PackardIAMBinAuthWiz.dll
c:program filesHewlett-PackardIAMBinItVCard.dll
c:windowssystem32xenroll.dll
c:windowssystem32WININET.dll
c:program filesHewlett-PackardIAMBinTokenAuth.dll
c:program filesHewlett-PackardIAMBinittalsnap.DLL
c:program filesHewlett-PackardIAMBinTpmAuth.dll
c:program filesHewlett-PackardIAMBinNetAdmin.dll
— — — — — — — > ‘lsass.exe'(1560)
c:windowssystem32imon.dll
— — — — — — — > ‘explorer.exe'(1056)
c:windowssystem32WININET.dll
c:windowssystem32APSHook.dll
c:program filesHewlett-PackardIAMbinItClient.dll
c:windowssystem32btmmhook.dll
c:progra~1WINDOW~2wmpband.dll
c:windowssystem32msi.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32btncopy.dll
c:program filesRoxioDrag-to-DiscShellex.dll
c:windowssystem32DLAAPI_W.DLL
c:program filesRoxioDrag-to-DiscShellRes.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
Other Running Processes
.
c:program filesWIDCOMMBluetooth Softwarebinbtwdins.exe
c:windowsSystem32SCardSvr.exe
c:program filesHewlett-PackardIAMbinasghost.exe
c:program filesWIDCOMMBluetooth SoftwareBTTray.exe
c:program filesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
c:program filesBonjourmDNSResponder.exe
c:program filesCommon FilesInterVideoRegMgriviRegMgr.exe
c:program filesJavajre6binjqs.exe
c:program filesCommon FilesLightScribeLSSrvc.exe
c:program filesSprint-HPSierra WirelessSprint PCS Connection ManagerSPCSUtilityService.exe
c:program filesHewlett-PackardSharedhpqWmiEx.exe
c:windowssystem32wbemwmiapsrv.exe
c:windowssystem32wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-27 01:45 — machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 22:45
Pre-Run: 75,381,075,968 байт свободно
Post-Run: 75,531,501,568 байт свободно
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect
— — End Of File — — D8F5B80DF0E2B3A2E93023B59D8962E6
