Re: Re: I have a problem removing Autorun.inf
Log file:
ComboFix 09-05-02.4 - Костик 05.05.2009 23:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2047.1579 [GMT 6:00]
Running from: c:\documents and settings\Костик\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Костик\Рабочий стол\WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: Outpost Firewall Pro *disabled*
* Created a new restore point
.
/wow section - STAGE 41
pevFind by Billy Robert O'Neal III
Version 0.0.3.1
Distributed under the Boost Software License, Version 1.0.
(See accompanying file LICENSE_1_0.txt or copy at
http://www.boost.org/LICENSE_1_0.txt)
Filename regular expressions library is
"Copyright (C)1997-1998 by David R. Tribble, all rights reserved."
Системе не удается найти указанный путь.
Не удается найти файл temp4001.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
BITS: Possible infected sites
hxxp://wsus.e-tagil.net:8530
.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.
2009-05-05 13:26 . 2009-05-05 13:26 d-----w c:\documents and settings\Костик\Application Data\Davis Software
2009-05-05 13:26 . 2009-05-05 13:26 d-----w c:\program files\Flash Guard 1.0.0.10
2009-05-05 10:56 . 2009-05-05 10:56 d-----w C:\rsit
2009-05-02 13:07 . 2009-05-05 17:08 d--h--r c:\documents and settings\Костик\Recent
2009-05-02 13:07 . 2009-05-05 17:08 d--h--r c:\documents and settings\Костик\Recent
2009-05-02 00:06 . 2009-05-02 00:06 d-----w c:\program files\Screenshot Creator 2.0 — Видеозахват экрана
2009-05-01 23:58 . 2009-05-01 23:58 d-sh--r C:\SYSTEM
2009-05-01 23:44 . 2009-05-01 23:44 d-----w c:\documents and settings\Костик\Application Data\Malwarebytes
2009-05-01 23:44 . 2009-04-06 09:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 23:44 . 2009-04-06 09:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 23:44 . 2009-05-01 23:44 d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 23:44 . 2009-05-01 23:44 d-----w c:\program files\Malwarebytes Anti-Malware 1.36
2009-04-27 17:23 . 2008-07-09 07:58 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-27 17:07 . 2009-02-03 19:58 56832 -c----w c:\windows\system32\dllcache\secur32.dll
2009-04-27 17:07 . 2009-03-21 14:09 995840 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-04-27 16:57 . 2008-12-16 12:32 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-27 16:44 . 2009-04-27 16:44 d-sh--r C:\BIN
2009-04-27 16:39 . 2008-08-23 06:46 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-04-27 16:08 . 2009-04-27 15:58 d-----w c:\program files\ESET
2009-04-27 15:49 . 2008-12-24 11:24 703904 ----a-w c:\windows\system32\drivers\SandBox.sys
2009-04-27 15:49 . 2008-12-17 05:07 257176 ----a-w c:\windows\system32\drivers\afwcore.sys
2009-04-27 15:49 . 2008-06-20 03:45 30864 ----a-w c:\windows\system32\drivers\afw.sys
2009-04-27 15:49 . 2009-05-02 10:03 d-----w c:\windows\system32\Filt
2009-04-27 15:49 . 2009-05-05 17:12 d-----w c:\program files\Agnitum Outpost Firewall Pro 6.5.2509
2009-04-27 15:49 . 2009-04-27 15:49 d-----w c:\documents and settings\All Users\Application Data\Agnitum
2009-04-27 15:35 . 2009-04-27 15:35 d-----w c:\program files\Download Master 5.5.10.1163
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 17:12 . 2009-02-14 18:25 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-05 15:41 . 2009-02-15 00:55 d-----w c:\program files\FlashGet 1.9.4
2009-04-27 18:29 . 2008-04-15 08:00 64962 ----a-w c:\windows\system32\perfc019.dat
2009-04-27 18:29 . 2008-04-15 08:00 421458 ----a-w c:\windows\system32\perfh019.dat
2009-03-06 13:51 . 2008-04-15 08:00 284672 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:16 . 2008-08-23 08:38 828416 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:19 . 2008-04-15 08:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-15 17:29 . 2009-02-15 17:29 262144 ----a-w c:\windows\system32\default_user_class.dat
2009-02-15 11:17 . 2009-02-14 18:28 18632 ----a-w c:\documents and settings\Костик\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-15 09:27 . 2009-02-15 09:27 392320 ----a-w c:\windows\system32\drivers\timntr.sys
2009-02-15 09:27 . 2009-02-15 09:27 32768 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-02-15 09:27 . 2009-02-15 09:27 114048 ----a-w c:\windows\system32\drivers\snapman.sys
2009-02-14 21:17 . 2009-02-14 21:17 0 ----a-w c:\windows\ativpsrm.bin
2009-02-14 20:04 . 2009-02-14 18:22 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-14 20:01 . 2009-02-14 20:01 142096 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-02-14 18:33 . 2008-08-23 08:46 1571840 ----a-w c:\windows\system32\sfcfiles.dll
2009-02-14 18:23 . 2009-02-14 18:23 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-14 18:22 . 2008-04-15 08:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-14 18:20 . 2009-02-14 18:20 22564 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-14 17:43 . 2009-02-14 17:43 503808 ----a-w c:\windows\Ультрафиолет.scr
2009-02-14 17:43 . 2009-02-14 17:43 606848 ----a-w c:\windows\flashax.exe
2009-02-14 17:43 . 2009-02-14 17:43 12288 ----a-w c:\windows\impborl.dll
2009-02-10 13:27 . 2008-04-15 08:00 687616 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 14:07 . 2008-04-15 08:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:18 . 2008-08-23 12:46 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:18 . 2008-08-23 08:46 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:18 . 2008-04-15 08:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:57 . 2008-08-23 08:38 731136 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:57 . 2008-04-15 08:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:57 . 2008-05-05 09:17 719360 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:36 . 2008-04-15 08:00 35328 ----a-w c:\windows\system32\sc.exe
.
Sigcheck
[-] 2008-04-14 17:40 581632 884DE990C498D77C28F8608E09D4DFE1 c:\windows\system32\user32.dll
[-] 2008-04-14 17:40 581632 884DE990C498D77C28F8608E09D4DFE1 c:\windows\system32\dllcache\user32.dll
[-] 2008-08-23 08:46 361600 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 c:\windows\system32\drivers\tcpip.sys
[-] 2008-08-23 08:38 1520640 DA765FAEFC21A92269F301C147BE8B8C c:\windows\explorer.exe
[-] 2008-08-23 08:38 1520640 DA765FAEFC21A92269F301C147BE8B8C c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-15 08:00 37376 0DE18690E4223998E471048889F09B8B c:\windows\system32\ctfmon.exe
[-] 2008-04-15 08:00 37376 0DE18690E4223998E471048889F09B8B c:\windows\system32\dllcache\ctfmon.exe
[-] 2008-08-19 20:00 295936 CDB13F1E48540E19F4B961E77904F168 c:\windows\system32\termsrv.dll
[-] 2009-02-14 18:33 1571840 A80FDD604C80D496F2959F07F3494AA8 c:\windows\system32\sfcfiles.dll
[-] 2009-02-14 18:33 1571840 A80FDD604C80D496F2959F07F3494AA8 c:\windows\system32\dllcache\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 37376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2007-07-04 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"OutpostMonitor"="c:\progra~1\AGNITU~1.250\op_mon.exe" [2008-12-25 1227080]
"OutpostFeedBack"="c:\program files\Agnitum Outpost Firewall Pro 6.5.2509\feedback.exe" [2008-12-25 432968]
"OutpostFeedBack(1)"="c:\program files\Agnitum Outpost Firewall Pro 6.5.2509\feedback.exe" [2008-12-25 432968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitu~1.250\wl_hook.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet 1.9.4\\flashget.exe"=
R2 acssrv;Agnitum Client Security Service;c:\progra~1\AGNITU~1.250\acs.exe [2008-12-25 1267016]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-14 30728]
S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-12-24 703904]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-14 455936]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware 1.36\mbamservice.exe [2009-04-06 179856]
S3 afw;Agnitum firewall driver;c:\windows\system32\DRIVERS\afw.sys [2008-06-20 30864]
S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2008-12-17 257176]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-12-24 34080]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-14KC2A323342}]
c:systemFILESARMY.exe
.
.
Supplementary Scan
.
uStart Page = hxxp://samlab.ws/
IE: &Закачать все при помощи FlashGet - c:\program files\FlashGet 1.9.4\jc_all.htm
IE: &Закачать при помощи FlashGet - c:\program files\FlashGet 1.9.4\jc_link.htm
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master - c:\program files\Download Master 5.5.10.1163\dmieall.htm
IE: Закачать при помощи Download Master - c:\program files\Download Master 5.5.10.1163\dmie.htm
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} - c:\program files\Download Master 5.5.10.1163\dmaster.exe
TCP: {0BC48D16-C5DC-4A00-9515-C6DD09D7924A} = 10.0.0.200
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 23:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll
- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\relog_ap.dll
c:\windows\system32\setupapi.dll
- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Alcohol 120% retail 1.9.7.6022\StarWind\StarWindServiceAE.exe
c:\windows\system32\uphclean.exe
c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-05-05 23:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 17:14
Pre-Run: 43 789 975 552 байт свободно
Post-Run: 43 737 808 896 байт свободно
WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /execute /fastdetect /usepmtimer
210 --- E O F --- 2009-05-02 10:20

