Re: Re: "three-digit number".exe in Temp.
Here you are:
ComboFix 09-11-21.03 - User 22.11.2009 14:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.2046.1601 [GMT 3:00]
Running from: c:\documents and settings\User\Рабочий стол\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run
.
c:\documents and settings\User\Application Data\Microsoft\Internet Explorer\qiPSearchbar.dll
c:\program files\Agnitum\Outpost Firewall\wl_hook.dll
c:\windows\system32\2.exe
c:\windows\system32\4.exe
c:\windows\system32\ieuinit.inf
c:\windows\system32\UnlockerHook.dll
m:\faa2~1\BLACKM~1\XASTHU~1\V4_X45~1\uune-kon-une-Kon_u.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.
2009-11-21 16:31 . 2009-11-21 16:31 76288 --sh--r- c:\windows\jcdrive32.exe
2009-11-21 16:06 . 2009-08-31 16:59 52224 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\FFExternalAlert.dll
2009-11-21 16:06 . 2009-08-31 16:59 114688 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\npmozax.dll
2009-11-21 16:06 . 2009-08-31 14:46 52224 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}\components\FFExternalAlert.dll
2009-11-21 16:06 . 2009-08-31 14:46 114688 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}\components\npmozax.dll
2009-11-21 15:34 . 2009-11-21 15:34 d-----w- c:\documents and settings\User\Local Settings\Application Data\Identities
2009-11-20 18:19 . 2009-11-20 18:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 18:18 . 2009-11-20 18:18 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-20 18:16 . 2009-11-20 18:16 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-20 16:49 . 2009-11-20 16:50 d-----w- C:\rsit
2009-11-20 15:21 . 2009-11-20 15:47 63871 ----a-w- C:\quarantine.zip
2009-11-16 14:02 . 2009-11-16 14:02 d-----w- C:\MANIA
2009-11-15 12:18 . 2004-06-10 14:34 53693 ----a-r- c:\windows\UNDPX2A.sys
2009-11-15 12:18 . 2004-06-10 14:31 135168 ----a-r- c:\windows\UNDPX2A.exe
2009-11-15 12:18 . 2004-06-09 23:42 15429 ----a-r- c:\windows\system32\drivers\Sacm2A.sys
2009-11-09 16:50 . 2009-11-09 16:50 d-----w- c:\documents and settings\User\Application Data\Obsidium
2009-11-08 13:18 . 2007-06-05 21:32 2781184 ----a-w- c:\documents and settings\User\Application Data\Adobe\Dreamweaver 9\Configuration\Flash Player\authplay.dll
2009-11-01 09:46 . 2004-08-18 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-10-23 19:14 . 2009-10-23 19:14 d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-23 19:09 . 2009-10-23 19:09 d-----w- c:\program files\Bonjour
2009-10-23 18:55 . 2009-10-23 18:55 d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-23 17:56 . 2009-10-23 17:56 d-----w- c:\documents and settings\User\Local Settings\Application Data\Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 11:14 . 2008-01-01 01:07 d-----w- c:\program files\SuperCopier2
2009-11-21 15:51 . 2009-02-20 10:35 d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-11-21 12:00 . 2008-01-01 01:31 d-----w- c:\program files\PowerArchiver
2009-11-20 18:19 . 2008-01-01 01:21 d-----w- c:\program files\Java
2009-11-18 09:45 . 2009-02-27 20:56 d-----w- c:\program files\Common Files\Yandex
2009-11-15 16:28 . 2009-02-28 12:01 d-----w- c:\program files\UltraISO
2009-11-15 16:25 . 2008-01-01 01:24 d-----w- c:\program files\IrfanView
2009-11-15 16:24 . 2008-01-01 01:29 d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 11:47 . 2008-01-01 01:22 d-----w- c:\program files\Common Files\Adobe
2009-10-23 19:19 . 2009-03-01 12:17 116304 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 18:39 . 2008-01-01 01:29 d-----w- c:\program files\Opera
2009-10-08 11:58 . 2009-10-08 11:58 d-----w- c:\program files\MSECache
2009-10-04 17:05 . 2004-08-18 12:00 12464 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-10-04 17:05 . 2009-10-04 17:05 d-----w- c:\program files\Creative
2005-02-04 15:03 . 2008-01-01 01:30 36864 ----a-w- c:\program files\mozilla firefox\components\pragma.dll
.
Sigcheck
[-] 2007-06-12 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[-] 2007-08-02 . A812B7C00397507D53564DAFDBE6A2BB . 2278912 . . [5.1.2600.3093] . . c:\windows\system32\ntoskrnl.exe
[-] 2007-08-02 . 069B745B92B94A4C43306C8E2CEC01DC . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2007-08-02 . DD72CAACFE37C4110758BAEE299344A1 . 2158592 . . [5.1.2600.3093] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2007-05-08 1052672]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2007-06-11 141352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-01 2356088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-18 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-18 455168]
"CoolSwitch"="c:\windows\system32\TaskSwitch.exe" [2005-12-21 45632]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2007-04-05 94720]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2007-06-09 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-01 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-03-26 2227256]
"MAgent"="m:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-25 7975608]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-03 16876032]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2007-05-08 1052672]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"Start"=dword:00000004
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\uTorrent\utorrent.exe"=
"c:\Documents and Settings\User\Рабочий стол\uTorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"m:\QIP\qip.exe"=
R0 a348scsi;a348scsi;c:\windows\system32\drivers\a348scsi.sys [08.02.2009 8:34 5248]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [13.10.2005 16:46 35328]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [01.01.2008 4:30 15424]
R1 SandBox;Outpost Firewall Sandbox Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\SandBox.sys [01.01.2008 4:23 406344]
R1 VFILT;Outpost Firewall Kernel Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\filtnt.sys [01.01.2008 4:23 163840]
S0 a348bus;a348bus;c:\windows\system32\drivers\a348bus.sys [08.02.2009 8:34 160640]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.02.2009 23:52 717296]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\adblock.dll [01.01.2008 4:23 33568]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\arp.dll [01.01.2008 4:23 17632]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\content.dll [01.01.2008 4:23 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\dnscache.dll [01.01.2008 4:23 14656]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\ftpfilt.dll [01.01.2008 4:23 9248]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\htmlfilt.dll [01.01.2008 4:23 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\httpfilt.dll [01.01.2008 4:23 13216]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\imapfilt.dll [01.01.2008 4:23 7168]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\mailfilt.dll [01.01.2008 4:23 14880]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\nntpfilt.dll [01.01.2008 4:23 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\pop3filt.dll [01.01.2008 4:23 10048]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\protect.dll [01.01.2008 4:23 15200]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\secret.dll [01.01.2008 4:23 13056]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
.
Supplementary Scan
.
uStart Page = hxxp://www.apeha.ru
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Export to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Download ALL with Download Master - c:\program files\Download Master\dmieall.htm
IE: Download with Download Master - c:\program files\Download Master\dmie.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - m:\program files\Mail.Ru\Agent\magent.exe
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} - c:\program files\Download Master\dmaster.exe
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://start.qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\djndihia.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\FFExternalAlert.dll
.
- - - - ORPHANS REMOVED - - - -
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9d.exe
AddRemove-Warhammer - Mark of Chaos - d:\games\WARHAM~1\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 14:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\mc22.tmp"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\SHSVCS.dll
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\psbase.dll
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\msi.dll
.
Completion time: 2009-11-22 14:29
ComboFix-quarantined-files.txt 2009-11-22 11:29
Pre-Run: 6 218 756 096 bytes free
Post-Run: 6 195 953 664 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - 8B2DFF7682D3BBE748A09AC41EB74964
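Added triage example, not part of the post above and not code from ComboFix or its author. A helper reading a log like this one checks the same few things first: a recently created executable in the Windows directory carrying the hidden/system attributes (the "--sh--r-" string on c:\windows\jcdrive32.exe), a driver or service whose ImagePath points into a Temp directory (the mchInjDrv entry), and the Security Center override values and EnableFirewall=0 that silence the warnings a user would otherwise see. The script below parses those line formats and returns the findings; the regexes, category names and the Finding type are this example's own assumptions about the ComboFix output, and the embedded sample is a constructed excerpt of the log above with the stripped backslashes restored. A driver image under Temp is a lead for the helper to look at, not a verdict on its own.

```python
"""Triage helper for ComboFix logs (added example, not ComboFix's own code).

Parses the "Files Created" / "Find3M" file entries, service ImagePath
values and the Security Center / firewall policy lines and flags what an
analyst checks first.  The regexes and category names are this example's
own assumptions about the log format, derived from the log above.
"""
import re
from dataclasses import dataclass

EXEC_EXT = (".exe", ".dll", ".sys", ".tmp", ".scr", ".com")
WINDOWS_DIRS = ("c:\\windows\\",)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# File entry: "<ctime> . <mtime> [<size>] <8-char attrs> <path>".
# Directories carry no size and their attribute string starts with 'd';
# 's' and 'h' in the string are the system and hidden attributes.
ENTRY_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<attrs>[d-][-a-z]{7})\s+(?P<path>.+?)\s*$"
)
# Service binary, with the optional NT object-manager prefix "\??\" removed.
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?:\\\?\?\\)?(?P<path>[^"]+)"', re.I)
OVERRIDE_RE = re.compile(
    r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:(?P<val>[0-9a-f]{8})', re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)', re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    path: str
    reason: str


def parse_entries(text):
    """Yield the parsed fields of every file/directory line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text):
    """Return the findings for one ComboFix log: file entries first, then registry lines."""
    findings = []
    for e in parse_entries(text):
        lower = e["path"].lower()
        attrs = e["attrs"]
        if attrs[0] == "d" or not lower.endswith(EXEC_EXT):
            continue  # directories and non-executables are not interesting here
        if ("h" in attrs or "s" in attrs) and lower.startswith(WINDOWS_DIRS):
            findings.append(Finding("hidden-system-binary", e["path"],
                                    f"attrs {attrs}: hidden/system executable in the Windows directory"))
        elif any(t in lower for t in TEMP_MARKERS):
            findings.append(Finding("binary-in-temp", e["path"],
                                    "executable dropped in a Temp directory"))
    for raw in text.splitlines():
        line = raw.strip()
        if m := IMAGEPATH_RE.match(line):
            p = m.group("path")
            if any(t in p.lower() for t in TEMP_MARKERS) or p.lower().endswith(".tmp"):
                findings.append(Finding("service-from-temp", p,
                                        "driver/service image loaded from a Temp path"))
        elif (m := OVERRIDE_RE.match(line)) and int(m.group("val"), 16) != 0:
            findings.append(Finding("security-center-override", m.group("name"),
                                    "Security Center told not to alert on missing AV/firewall"))
        elif (m := FIREWALL_RE.match(line)) and m.group("val") == "0":
            findings.append(Finding("windows-firewall-off", "EnableFirewall",
                                    "Windows Firewall disabled for the standard profile"))
    return findings


# Constructed sample: an excerpt of the log above with the stripped backslashes restored.
SAMPLE = r"""
2009-11-21 16:31 . 2009-11-21 16:31 76288 --sh--r- c:\windows\jcdrive32.exe
2009-11-20 18:19 . 2009-11-20 18:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 16:49 . 2009-11-20 16:50 d-----w- C:\rsit
2009-11-15 16:24 . 2008-01-01 01:29 d--h--w- c:\program files\InstallShield Installation Information
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"ImagePath"="\??\c:\docume~1\User\LOCALS~1\Temp\mc22.tmp"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.category}] {f.path}: {f.reason}")
```

Run against the full log it would also skip every "d-----w-" directory line and every plain "----a-w-" binary, so the ordinary Java, Adobe and Firefox extension files in the "Files Created" block produce no noise; only the hidden jcdrive32.exe, the Temp-based mchInjDrv image and the three disabled-protection values come out.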

