Re: Re: Scanned with HijackThis
ComboFix 08-11-27.07 — Admin 2008-11-28 20:42:22.7 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1218 [GMT 2:00]
Running from: c:\documents and settings\Admin\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Рабочий стол\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_WEBALTACONTROLLER
Service_WebaltaController
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-26 19:38 . 2008-11-26 21:14  250  --a------  c:\windows\gmer.ini
2008-11-26 15:16 . 2008-11-26 15:16  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Artogon
2008-11-26 13:54 . 2008-11-26 13:54  <DIR>  d--------  c:\documents and settings\All Users\Application Data\Harley-Davidson_ Race to the Rally Saves
2008-11-23 20:45 . 2008-11-23 20:45  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Gaijin Ent
2008-11-23 19:13 . 2008-11-23 19:13  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Meridian93
2008-11-22 16:07 . 2008-11-22 16:07  <DIR>  d--------  c:\documents and settings\All Users\Application Data\Playrix Entertainment
2008-11-21 22:36 . 2008-11-21 22:36  <DIR>  d--------  c:\documents and settings\All Users\Application Data\EscapeTheMuseum
2008-11-13 20:52 . 2008-11-13 20:52  <DIR>  d--------  c:\documents and settings\LocalService\Application Data\Webalta
2008-11-13 13:56 . 2008-11-13 13:56  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Games
2008-11-13 12:57 . 2008-11-13 12:57  <DIR>  d--------  c:\documents and settings\All Users\Application Data\Friday's games
2008-11-09 21:15 . 2008-11-09 21:15  <DIR>  d--------  c:\program files\Trend Micro
2008-11-09 20:53 . 2008-11-09 20:47  102,664  --a------  c:\windows\system32\drivers\tmcomm.sys
2008-11-09 20:46 . 2008-11-09 20:55  <DIR>  d--------  c:\documents and settings\Admin\.housecall6.6
2008-11-09 10:31 . 2008-11-13 23:30  632  --a------  C:\settings.dat
2008-11-08 21:26 . 2008-11-08 21:26  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Beezzle
2008-11-08 20:56 . 2008-11-08 20:56  <DIR>  d--------  c:\documents and settings\Admin\Application Data\BeachPartyCraze
2008-11-08 16:04 . 2008-11-08 16:04  <DIR>  d--------  c:\program files\Yandex
2008-11-08 16:04 . 2008-11-08 16:04  <DIR>  d--------  c:\program files\Common Files\Yandex
2008-11-08 16:04 . 2008-11-08 16:04  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Yandex
2008-11-08 04:38 . 2008-11-08 04:50  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Legends of pirates
2008-11-02 17:49 . 2008-11-02 17:49  <DIR>  d--------  c:\program files\NevoSoft
2008-11-02 17:39 . 2008-11-28 20:30  <DIR>  d--------  c:\program files\Webalta
2008-11-02 17:39 . 2008-11-02 17:39  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Webalta
2008-11-02 16:33 . 2008-11-02 16:33  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Temp App Data
2008-11-02 16:33 . 2008-11-02 16:33  <DIR>  d--------  c:\documents and settings\Admin\Application Data\Magic Academy
2008-11-01 23:32 . 2008-11-01 23:32  <DIR>  d--------  c:\documents and settings\All Users\Application Data\Christmasville
2008-11-01 20:49 . 2008-11-08 22:13  <DIR>  d--------  c:\program files\Игры от NevoSoft
2008-11-01 17:44 . 2008-11-01 17:44  <DIR>  d--------  c:\documents and settings\All Users\Application Data\Astar Games
2008-11-01 12:44 . 2008-11-01 12:44  <DIR>  d--------  c:\program files\MyCentria
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 13:06  ---------  d-----w  c:\program files\Игры
2008-11-26 13:03  ---------  d-----w  c:\program files\The KMPlayer
2008-11-26 10:26  ---------  d-----w  c:\program files\AIMP2
2008-11-21 19:02  ---------  d-----w  c:\program files\Alawar.ru
2008-11-11 21:18  ---------  d-----w  c:\documents and settings\Admin\Application Data\Skype
2008-11-10 18:18  ---------  d-----w  c:\program files\Google
2008-11-08 19:26  ---------  d-----w  c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-11-06 23:01  ---------  d-----w  c:\program files\ESET
2008-10-29 17:40  ---------  d-----w  c:\program files\FreeGamePick.com
2008-10-26 19:27  ---------  d-----w  c:\documents and settings\Admin\Application Data\QIP
2008-10-23 13:41  ---------  d-----w  c:\documents and settings\Admin\Application Data\Ahead
2008-10-20 16:15  ---------  d-----w  c:\program files\Common Files\Ahead
2008-10-20 16:13  ---------  d-----w  c:\program files\Nero
2008-10-20 16:06  ---------  d-----w  c:\program files\Ahead
2008-10-18 09:29  ---------  d-----w  c:\documents and settings\All Users\Application Data\Sandlot Games
2008-10-18 07:15  ---------  d-----w  c:\documents and settings\All Users\Application Data\PlayFirst
2008-10-18 07:15  ---------  d-----w  c:\documents and settings\Admin\Application Data\PlayFirst
2008-10-14 16:53  ---------  d-----w  c:\documents and settings\Admin\Application Data\Windows Search
2008-10-14 16:51  ---------  d-----w  c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-14 16:48  ---------  d-----w  c:\program files\Windows Desktop Search
2008-10-11 20:07  ---------  d-----w  c:\documents and settings\Admin\Application Data\My Games
2008-10-11 19:07  ---------  d-----w  c:\documents and settings\All Users\Application Data\NevoSoft Games
2008-10-09 15:44  ---------  d-----w  c:\program files\MyRealGames.com
2008-10-08 09:07  ---------  d-----w  c:\documents and settings\All Users\Application Data\Alawar Stargaze
2008-10-06 19:34  ---------  d-----w  c:\program files\AskTBar
2008-10-05 05:59  ---------  d-----w  c:\documents and settings\All Users\Application Data\ВеселаяФерма2
2008-09-28 11:33  ---------  d-----w  c:\documents and settings\Admin\Application Data\cerasus.media
2008-09-23 09:29  270,336  ----a-w  c:\windows\system32\imon.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-28_20.36.44.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28  163,328  ----a-w  c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBar\IE\yndbar.dll" [2008-06-02 1553672]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBar\IE\yndbar.dll" [2008-06-02 1553672]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-05-20 30208]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"Download Master"="c:\program files\Download Master\dmaster.exe" [2008-01-26 3266560]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-20 133104]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"Yupdate!"="c:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-05-30 460040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmlMaple"="c:\program files\AmlMaple\AmlMaple.exe" [2008-04-24 91648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-09-23 917504]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2006-02-13 91648]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2006-02-14 352324]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-07 30192]
"NevoDRM"="c:\program files\Игры\NevoDRM\NevoDRM.exe" [2008-07-29 201728]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-05-20 30208]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2008-05-20 c:\windows\system32\advpack.dll]
"IE7_012"="advpack.dll" [2008-05-20 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [11.03.2007 19:26:24 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [23.09.2008 12:02:41 33600]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\ARP.DLL [23.09.2008 12:02:41 17440]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [23.09.2008 12:02:41 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [23.09.2008 12:02:41 14304]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [23.09.2008 12:02:41 9024]
S3 GoogleDesktopManager-092308-165331;Диспетчер Google Desktop 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [22.10.2008 20:46:09 30192]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [23.09.2008 12:02:41 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [23.09.2008 12:02:41 13248]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [23.09.2008 12:02:41 7200]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [23.09.2008 12:02:41 14912]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [23.09.2008 12:02:41 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [23.09.2008 12:02:41 9984]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [23.09.2008 12:02:41 16960]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [23.09.2008 12:02:41 9696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12  REG_MULTI_SZ  Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt  REG_MULTI_SZ  hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
c:\windows\system32\hidec /W c:\program files\Windows Sidebar\VAIOTools\REGTLIB.EXE "c:\program files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:\program files\Windows Sidebar\.regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:\program files\Windows Sidebar\.regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:\program files\Windows Sidebar\VAIO.vshellext.dll
.
Contents of the ‘Scheduled Tasks’ folder
2008-11-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-20 17:38]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 20:45:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ESET\nod32krn.exe
c:program filesc:windowssystem32wbemwmiprvse.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-11-28 20:47:06 — machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 18:47:00
ComboFix2.txt 2008-11-28 18:37:17
Pre-Run: 17,027,321,856 bytes free
Post-Run: 16,986,857,472 bytes free
204
This time it worked. But one ad window, at least the one I saw, still pops up.
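Added example (not part of the poster's log, ComboFix, or any tool named above): a small Python parser for the "Reg Loading Points" block of a ComboFix log that pulls out the three things a helper reading the log above would check first: the Security Center override/notification keys (all five are set to 1 here), the disabled Windows Firewall standard profile (EnableFirewall=0), and autorun values ComboFix marks with [X] because it could not find the target file. It also lists paths that still mention a component ComboFix just removed (Webalta in this log). The excerpt it runs on is constructed in the style of the log above and abbreviated; the function names and the section-boundary rules are my own assumptions, not ComboFix's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the style of the ComboFix log above (sample data only;
# a real log carries many more keys and sections).
SAMPLE_LOG = r"""
(((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 ))))))))))))))))))))))))))))))
.
2008-11-02 17:39 . 2008-11-28 20:30  <DIR>  d--------  c:\program files\Webalta
2008-11-09 21:15 . 2008-11-09 21:15  <DIR>  d--------  c:\program files\Trend Micro
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-09-23 917504]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2006-02-13 91648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder
2008-11-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
"""

KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Registry paths exactly as ComboFix prints them, lower-cased for lookup.
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_PROFILE_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-case): {value name: raw value text}} for the
    'Reg Loading Points' section. Assumption: the section runs from its
    '((((' banner to the next banner or the scheduled-tasks listing."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    in_section = False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not in_section:
            in_section = line.startswith("(((") and "Reg Loading Points" in line
            continue
        if line.startswith("(((") or line.startswith("Contents of the"):
            break
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = m.group(2).strip()
    return reg


def reg_int(raw: str) -> Optional[int]:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def security_center_findings(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Security Center values that silence firewall/AV/update monitoring
    and a disabled Windows Firewall standard profile."""
    findings: List[str] = []
    for name, raw in reg.get(SECURITY_CENTER_KEY, {}).items():
        if (name.endswith("Override") or name.endswith("DisableNotify")) and reg_int(raw) == 1:
            findings.append(f"Security Center: {name}=1")
    fw = reg.get(FIREWALL_PROFILE_KEY, {})
    if reg_int(fw.get("EnableFirewall", "")) == 0:
        findings.append("Windows Firewall: EnableFirewall=0 (standard profile)")
    return findings


def missing_target_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Autorun values whose target file ComboFix could not find (it appends '[X]')."""
    return [(key, name)
            for key, values in reg.items()
            for name, raw in values.items()
            if raw.endswith("[X]")]


def paths_mentioning(text: str, token: str) -> List[str]:
    """Every path in the log (from the first 'c:\\' on a line to its end) that
    still mentions a component, e.g. a service ComboFix just deleted."""
    token = token.lower()
    hits: List[str] = []
    for line in text.splitlines():
        low = line.lower()
        idx = low.find("c:\\")
        if idx != -1 and token in low[idx:]:
            hits.append(line[idx:].strip())
    return hits


if __name__ == "__main__":
    reg = parse_reg_loading_points(SAMPLE_LOG)
    for finding in security_center_findings(reg):
        print("CHECK", finding)
    for key, name in missing_target_entries(reg):
        print("MISSING TARGET", key, name)
    for path in paths_mentioning(SAMPLE_LOG, "webalta"):
        print("LEFTOVER", path)
```

Two caveats when reading the output. The Override/DisableNotify values are set legitimately when a third-party firewall or antivirus registers with Security Center (this machine runs NOD32 and Outpost, both present in the Run key), but they are also exactly what adware and malware set to keep the system from complaining; confirm the registered product is the one the owner installed before treating them as benign. A [X] entry only means ComboFix could not resolve the target; on its own it is not evidence of infection.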

