Re: Re: screen is locked, asks for an SMS
Hello! I created the CFScrit file on the desktop. I don't know whether it worked or not. The shortcuts on the desktop cannot be moved; they only work with a double click, to open. I tried several times; here is the log.
ComboFix 09-07-05.01 - Admin 06.07.2009 8:24.6 - NTFSx86
Running from: c:\documents and settings\Admin\Рабочий стол\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\data
C:\restore
C:\System
.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.
2009-07-04 07:28 . 2009-07-04 07:28 d-----w- C:\_OTM
2009-07-02 09:36 . 2009-06-20 11:35 23040 ----a-w- c:\documents and settings\Admin\Application Data\zifhh.exe
2009-07-02 09:36 . 2009-06-20 11:35 23040 ----a-w- c:\documents and settings\Admin\Application Data\bhomf.exe
2009-07-02 09:31 . 2009-06-20 11:35 23040 ----a-w- c:\documents and settings\Admin\Application Data\femfb.exe
2009-06-29 15:40 . 2009-06-29 15:40 d-----w- c:\windows\system32\%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51 d-----w- c:\program files\trend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 ----a-w- C:\ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 ----a-w- C:\ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 ----a-w- C:\PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 ----a-w- C:\ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18 d-----w- c:\windows\system32\CatRoot
2009-06-21 11:26 . 2009-07-06 03:55 d-----w- c:\windows\system32\NtmsData
2009-06-19 07:06 . 2009-06-19 07:06 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-14 05:32 . 2009-06-14 05:32 d-----w- C:\graphics
2009-06-12 06:22 . 2009-06-12 06:22 d-----w- c:\windows\system32\%Report%
2009-06-12 06:22 . 2009-06-12 06:22 d-----w- c:\windows\system32\%Quarantine%
2009-06-12 06:22 . 2009-06-12 06:22 d-----w- c:\windows\system32\%Backup%
2009-06-11 14:30 . 2009-06-11 14:30 d-sh--r- C:\NEXT
2009-06-11 04:23 . 2009-04-30 21:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 04:23 . 2009-04-30 21:16 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 03:57 . 2008-09-08 17:50 d-----w- c:\documents and settings\Admin\Application Data\GetRight
2009-07-05 20:50 . 2008-06-10 16:53 1025056 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-05 20:50 . 2008-06-10 16:53 100148 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-05 20:50 . 2008-06-10 16:53 651884 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-05 20:50 . 2008-06-10 16:53 48559648 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-05 20:48 . 2008-08-02 11:22 d-----w- c:\documents and settings\Admin\Application Data\Mra
2009-07-05 17:04 . 2009-05-10 20:24 d-----w- c:\program files\Metin2_RU
2009-07-04 09:04 . 2008-06-11 15:54 77168 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 08:06 . 2008-08-17 19:59 d-----w- c:\program files\Google
2009-06-26 11:14 . 2008-06-10 16:05 d-----w- c:\program files\Common Files\Ahead
2009-06-25 15:15 . 2008-07-04 06:20 d-----w- c:\program files\Common Files\Adobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 ----a-w- c:\windows\system32\perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 ----a-w- c:\windows\system32\perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48 d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53 d-----w- c:\program files\Kaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23 d-----w- c:\program files\Opera
2009-05-29 12:59 . 2009-05-29 12:43 103680 ----a-w- c:\windows\memtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 ----a-w- c:\windows\WindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57 d-----w- c:\program files\The KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07 d--h--w- c:\program files\InstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46 d-----w- c:\program files\Microsoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 ----a-w- c:\documents and settings\Admin\Application Data\Opera\Opera 9.5 alpha\profile\cache4\temporary_download\install_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29 d-----w- c:\documents and settings\Admin\Application Data\AdobeUM
2009-05-26 10:04 . 2009-05-26 10:04 d-----w- c:\program files\Analog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-25 11:55 . 2008-07-04 06:23 d-----w- c:\program files\e-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01 d-----w- c:\program files\LClock
2009-05-25 08:50 . 2008-09-08 17:49 d-----w- c:\program files\GetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 ----a-w- c:\windows\system32\mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 08:32 . 2009-05-10 08:23 d-----w- c:\program files\FarlandsLite
2009-05-07 15:33 . 2004-08-18 12:00 346624 ----a-w- c:\windows\system32\localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2007-12-21 19:17 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 19:18 . 2009-04-14 19:18 5301432 ----a-w- c:\documents and settings\Admin\Application Data\Mra\Update\magentsetup.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-07-04_09.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 03:55 . 2009-07-06 03:55 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\daemon tools lite\daemon.exe" [2008-07-24 490952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2007-01-25 201728]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2007-07-02 132608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 139367]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]
"MAgent"="E:\MAgent.exe" [2009-06-01 5603000]
"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-21 925696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-07-13 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-07-13 81920]
"Ярлык для страницы свойств High Definition Audio"="HDAShCut.exe" - c:\windows\system32\hdashcut.exe [2005-12-26 61952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2007-01-25 201728]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2007-07-02 132608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]
"IE7_012"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Metin2_RU\\metin2.bin"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6225:TCP"= 6225:TCP:oadcica
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundParameterProblem"= 0 (0x0)
R2 ilvdxc;Driver Manager;c:\windows\system32\svchost.exe [2008-04-14 14336]
S2 cglptnt;cglptnt;c:\windows\system32\DRIVERS\cglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:\windows\system32\svchost.exe [2008-04-14 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ilvdxc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:setupDATAJune.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
- c:\windows\system32\msfeedssync.exe [2008-06-10 00:31]
2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
- c:\windows\system32\msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - E:\magent.exe
TCP: {186459A1-0A8D-4FA8-875F-C2D9741A2840} = 80.95.32.19 80.95.32.20
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 08:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
[HKEY_USERS\S-1-5-21-57989841-2139871995-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
[HKEY_USERS\S-1-5-21-57989841-2139871995-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\klogon.dll
- - - - - - - > 'explorer.exe'(404)
c:\windows\system32\WININET.dll
c:\program files\Punto Switcher\correct.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-07-06 8:44
ComboFix-quarantined-files.txt 2009-07-06 04:44
ComboFix2.txt 2009-07-05 16:06
ComboFix3.txt 2009-07-05 15:29
ComboFix4.txt 2009-07-04 10:00
ComboFix5.txt 2009-07-06 04:06
Pre-Run: 5 399 535 616 байт свободно
Post-Run: 5 390 487 552 байт свободно
205 --- E O F --- 2009-06-11 12:55

