Re: Re: Computer has started running very slowly
ComboFix 09-10-13.01 - Администратор 14.10.2009 1:16.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.511.174 [GMT 4:00]
Running from: c:\documents and settings\Администратор\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Администратор\Рабочий стол\WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Администратор\Local Settings\Application Data\Downloaded Installations\{5B00B6A7-3352-415F-A7C2-ABCCCEC5383E}
c:\documents and settings\Администратор\Local Settings\Application Data\Downloaded Installations\{5B00B6A7-3352-415F-A7C2-ABCCCEC5383E}\1049.MST
c:\documents and settings\Администратор\Local Settings\Application Data\Downloaded Installations\{5B00B6A7-3352-415F-A7C2-ABCCCEC5383E}\rserv33ru.msi
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\15913497_F86C_4218_8817_F50940D1E1B2.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\2A665EDD_5758_480c_8366_66DFC5F23877.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\362FD6E8_8CDA_4c2a_A8AA-BDA22B321711.jpg
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\3DF04940_9866_4241_A998_0CDDFAFD147A.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\426500D7_0FF3_426c_828D_065DBAEA0581.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\478BD4AE_2691_438d_BDCA_3485DC022700.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\61EA7D69_19D4_421a_A899_0DF4D58CD119.jpg
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\8DA878D5_E80B_4721_B75A_17EFFAF1A700.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\98F6DF79_7171_452d_9C26_C0193E12DBDF.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\A2B240D6_0386_419e_91C5_3F7D90437CD0.jpg
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\C75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\E21285C1_40E6_435c_A69F_3387E7BD89CB.gif
c:\documents and settings\Администратор\Local Settings\Temporary Internet Files\E9A4D648_ED73_4ea7_88B2_18332DBA4F3E.jpg
c:\program files\Common Files\Target Marketing Agency
c:\program files\Common Files\Target Marketing Agency\TMAgent\license.txt
c:\program files\Common Files\Target Marketing Agency\TMAgent\tmagent.dll
c:\program files\Common Files\Target Marketing Agency\TMAgent\tmasrv.exe
c:\program files\Common Files\Target Marketing Agency\TMAgent\Uninstaller.exe
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
c:\program files\MyCentria
c:\program files\MyCentria\Firefox\adcentria.xml
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-3883234828-1318776618-2756503863-1005
c:\windows\Installer\10fee5.msp
c:\windows\Installer\10fee6.msp
c:\windows\Installer\10fee7.msp
c:\windows\Installer\10fee8.msp
c:\windows\Installer\10fee9.msp
c:\windows\Installer\10feea.msp
c:\windows\Installer\10feeb.msp
c:\windows\Installer\10feec.msp
c:\windows\Installer\10feed.msp
c:\windows\Installer\3d0b0.msp
c:\windows\Installer\3d0b1.msp
c:\windows\Installer\3d0b2.msp
c:\windows\Installer\3d0b3.msp
c:\windows\Installer\3d0b4.msp
c:\windows\Installer\3d0b5.msp
c:\windows\Installer\3d0b6.msp
c:\windows\Installer\3d0b7.msp
c:\windows\Installer\3d0b8.msp
c:\windows\Installer\3d2ef7.msp
c:\windows\Installer\3d2ef8.msp
c:\windows\Installer\3d2ef9.msp
c:\windows\Installer\3d2efa.msp
c:\windows\Installer\3d2efb.msp
c:\windows\Installer\3d2efc.msp
c:\windows\Installer\3d2efd.msp
c:\windows\Installer\3d2efe.msp
c:\windows\Installer\3d2eff.msp
c:\windows\Installer\3f733.msp
c:\windows\Installer\3f734.msp
c:\windows\Installer\3f735.msp
c:\windows\Installer\3f736.msp
c:\windows\Installer\3f737.msp
c:\windows\Installer\3f738.msp
c:\windows\Installer\3f739.msp
c:\windows\Installer\3f73a.msp
c:\windows\Installer\3f73b.msp
c:\windows\Installer\4ae5dd3.msi
c:\windows\Installer\4b5a744.msi
c:\windows\Installer\d1956.msp
c:\windows\Installer\d1957.msp
c:\windows\Installer\d1958.msp
c:\windows\Installer\d1959.msp
c:\windows\Installer\d195a.msp
c:\windows\Installer\d195b.msp
c:\windows\Installer\d195c.msp
c:\windows\Installer\d195d.msp
c:\windows\Installer\d195e.msp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_IPRIP
Service_Iprip
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-12 11:12 . 2009-10-12 11:12 -------- d-----w- c:\program files\Ascaron Entertainment
2009-10-10 18:35 . 2009-10-10 18:36 -------- d-----w- c:\program files\trend micro
2009-10-10 18:35 . 2009-10-10 18:36 -------- d-----w- C:\rsit
2009-10-10 18:01 . 2009-10-10 18:01 -------- d-----w- c:\documents and settings\Администратор\Application Data\Radmin
2009-10-10 18:00 . 2009-10-10 18:00 -------- d-----w- c:\program files\Radmin Viewer 3
2009-10-10 17:36 . 2009-10-10 17:37 -------- d-----w- c:\windows\system32\rserver30
2009-10-10 17:35 . 2009-10-10 18:00 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\Downloaded Installations
2009-10-10 10:11 . 2009-10-10 10:42 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-10-09 13:41 . 2009-10-09 14:15 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-08 21:11 . 2009-10-08 21:11 -------- d-----w- c:\documents and settings\Администратор\Application Data\Malwarebytes
2009-10-08 21:11 . 2009-09-10 10:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 21:11 . 2009-10-08 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 21:11 . 2009-09-10 10:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 21:11 . 2009-10-08 21:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 11:52 . 2009-10-08 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-08 11:52 . 2009-10-08 11:52 -------- d-----w- c:\documents and settings\Администратор\Application Data\Office Genuine Advantage
2009-09-15 19:47 . 2009-09-15 19:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-15 19:42 . 2009-09-23 21:19 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\Temp
2009-09-15 19:42 . 2009-09-15 19:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 21:20 . 2007-01-04 01:35 -------- d-----w- c:\documents and settings\Администратор\Application Data\Skype
2009-10-13 20:00 . 2008-04-29 23:53 -------- d-----w- c:\documents and settings\Администратор\Application Data\skypePM
2009-10-12 08:09 . 2009-01-28 16:57 -------- d-----w- c:\documents and settings\Администратор\Application Data\uTorrent
2009-10-10 08:33 . 2009-06-21 15:44 -------- d-----w- c:\program files\SpeedFan
2009-10-08 23:47 . 2007-01-04 01:35 -------- d-----w- c:\program files\Google
2009-10-08 23:06 . 2006-04-24 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 22:57 . 2009-04-18 23:58 -------- d-----w- c:\documents and settings\Администратор\Application Data\ComfortSoftware
2009-08-15 11:43 . 2006-04-24 11:19 99640 -c--a-w- c:\documents and settings\Администратор\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 06:19 . 2001-10-20 12:00 81324 ----a-w- c:\windows\system32\perfc019.dat
2009-08-15 06:19 . 2001-10-20 12:00 479234 ----a-w- c:\windows\system32\perfh019.dat
2009-08-06 15:24 . 2006-04-24 11:10 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 15:24 . 2006-04-24 11:10 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 15:24 . 2006-04-24 15:43 44768 -c--a-w- c:\windows\system32\wups2.dll
2009-08-06 15:24 . 2006-04-24 11:10 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 15:24 . 2006-04-24 11:10 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 15:24 . 2004-08-17 11:04 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 15:23 . 2006-04-24 11:10 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 15:23 . 2009-06-25 12:42 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 15:23 . 2007-07-30 16:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 15:23 . 2006-04-24 11:10 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-17 11:04 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 11:07 . 2009-08-03 11:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 11:07 . 2009-08-03 11:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 11:07 . 2009-08-03 11:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-17 19:03 . 2004-08-17 11:04 58880 ----a-w- c:\windows\system32\atl.dll
2008-01-13 17:16 . 2008-01-13 17:16 87 -csh--w- c:\windows\system32\syswxr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 09:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2003-03-01 138240]
"FotonNetworkGuardMngr"="c:\program files\FotonNetworkGuard\bkpmgr32.exe" [2008-05-08 823296]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-07-16 7975608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-07 88363]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2003-08-25 07:25 139264 ----a-w- c:\progra~1\COMMON~1\stardock\MCPStub.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *pgdfgsvc C 1
[HKLM\~\startupfolder\C:^Documents and Settings^Администратор^Главное меню^Программы^Автозагрузка^Analog Clock.lnk]
backup=c:\windows\pss\Analog Clock.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Администратор^Главное меню^Программы^Автозагрузка^Battery Meter Widget.lnk]
backup=c:\windows\pss\Battery Meter Widget.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Администратор^Главное меню^Программы^Автозагрузка^Fishy.lnk]
backup=c:\windows\pss\Fishy.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spdetector3
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mail.Ru\\Agent\\Magent.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\Logitech\\Video\\Launcher.exe"=
"c:\\Program Files\\AutoCAD 2007\\AdRefMan.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [24.04.2006 20:01 5632]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.05.2009 15:49 94360]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [24.04.2008 7:49 45848]
R1 uzezmtyx;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzezmtyx.sys [02.02.2008 13:03 11264]
R2 BOTIKKEYPROSVC;Foton Network Guard Service;c:\program files\FotonNetworkGuard\bkpsvc32.exe [08.05.2008 15:13 90112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.2009 15:47 731840]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [08.11.2008 16:11 1238344]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01.11.2006 5:01 3328]
S2 ameisvc;GPRS Explorer mobile equipment installation service; [x]
S2 spd3ssl;Spyware Process Detector v3.16; [x]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [08.12.2007 19:31 18864]
S3 genmcmnUSB;Genius USB Mouse Driver;c:\windows\system32\DRIVERS\gflmouhid.sys --> c:\windows\system32\DRIVERS\gflmouhid.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-13 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 11:07]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru?clid=38910&yasoft=online
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Найти в интернете - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/282
IE: Найти в словарях - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
TCP: {55866909-482A-45E4-BC33-DFA6F7029603} = 172.16.0.5
TCP: {653AB7F5-FF2C-42B5-8F52-EAA49B6181A6} = 172.16.0.9,172.16.0.5
FF - ProfilePath - c:\documents and settings\Администратор\Application Data\Mozilla\Firefox\Profiles\odgslbh0.default
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxd&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 01:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\documents and settings\Администратор\Application Data\Skype\mmihalich\dc.db-journal 12824 bytes
c:\documents and settings\Администратор\Application Data\Skype\mmihalich\dc.lock 0 bytes
c:\documents and settings\Администратор\Application Data\skypePM\2009-10-12-0.ezlog
scan completed successfully
hidden files: 3
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(888)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
- - - - - - - > 'explorer.exe'(1708)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\stardock\SDMCP.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\program files\Skype\Phone\Skype.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-10-13 1:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 21:33
Pre-Run: 22 908 145 664 байт свободно
Post-Run: 23 153 807 360 байт свободно
WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect
294 — E O F — 2009-10-12 23:48

