Re: Re: Removing the informer
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D64F819-9380-8473-DAB2-702FCB3D7A3E}\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17830fee-7856-11dd-bc5a-0019b9527b1a}\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d80c5898-b64e-11dd-bcfd-0019b9527b1a}\ not found.
========== FILES ==========
File/Folder C:\Documents and Settings\user\Application Data\bpfeed.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_vTOd9O65J8yStt7piuac scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_f78.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF6852.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF934A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DFA4F0.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_664.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01132009_012615

Files moved on Reboot...
File C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_vTOd9O65J8yStt7piuac not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\hpodvd09.log not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_f78.dat not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF6852.tmp not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF934A.tmp not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DFA4F0.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_664.dat not found!
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\urlclassifier3.sqlite moved successfully.
ComboFix 09-01-11.04 - user 2009-01-13 1:20:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.894.402 [GMT 5:00]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-RUS.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\java2.sys
c:\windows\system32\snjava.dll
.
---- Previous Run
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-11 04:32 . 2009-01-11 04:32 C:\rsit
2009-01-11 04:32 . 2009-01-11 21:50 c:\program files\trend micro
2009-01-11 04:19 . 2009-01-11 04:19 C:\_OTMoveIt
2009-01-11 03:40 . 2009-01-11 03:40 c:\program files\Malwarebytes' Anti-Malware
2009-01-11 03:40 . 2009-01-11 03:40 c:\documents and settings\user\Application Data\Malwarebytes
2009-01-11 03:40 . 2009-01-11 03:40 c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 03:40 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 03:40 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 03:31 . 2009-01-11 03:31 c:\windows\system32\xircom
2009-01-11 03:31 . 2009-01-11 03:31 c:\windows\system32\restore
2009-01-11 03:31 . 2009-01-11 03:31 c:\windows\msagent
2009-01-11 03:31 . 2009-01-11 03:31 c:\program files\microsoft frontpage
2009-01-08 18:12 . 2009-01-08 18:14 c:\documents and settings\user\Application Data\FreeCall
2009-01-08 18:09 . 2009-01-08 18:09 c:\program files\FreeCall.com
2009-01-03 17:08 . 2009-01-03 17:08 c:\program files\MSECache
2008-12-28 22:38 . 2008-12-28 22:38 c:\program files\Microsoft Silverlight
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 20:13 d-----w c:\documents and settings\user\Application Data\QIP.Online
2009-01-12 20:05 d-----w c:\documents and settings\user\Application Data\skypePM
2009-01-08 14:24 d-----w c:\documents and settings\user\Application Data\Skype
2009-01-06 19:08 d-----w c:\program files\citysvyaz
2008-12-28 17:40 d-----w c:\program files\Rambler Assistant
2008-12-26 19:34 d-----w c:\documents and settings\user\Application Data\Mra
2008-12-10 16:48 d-----w c:\program files\Skype
2008-12-10 16:48 d-----w c:\program files\Common Files\Skype
2008-12-10 16:48 d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-09 19:43 d-----w c:\program files\QIP.Online
2008-12-09 19:38 d-----w c:\documents and settings\user\Application Data\QIP
2008-12-09 19:37 d-----w c:\program files\QIP Infium
2008-11-23 21:26 d-----w c:\documents and settings\user\Application Data\ICQ
2008-11-16 14:45 d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-06-04 17:14 86 ----a-w c:\windows\system32\config\systemprofile\Del712.bat
2008-06-04 17:14 86 ----a-w c:\documents and settings\user\Del712.bat
2008-06-04 17:14 86 ----a-w c:\documents and settings\Default User\Del712.bat
2008-06-04 17:14 86 ----a-w c:\documents and settings\Administrator\Del712.bat
2008-06-04 17:13 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-06-04 17:13 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-06-04 17:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
Sigcheck
2007-12-30 19:42 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\system32\user32.dll
2007-12-30 19:45 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\system32\wininet.dll
2007-12-30 19:46 360704 f0fe2fcd1632ad924d4c268e0dab5959 c:\windows\system32\drivers\tcpip.sys
2007-12-30 19:53 2062336 5cf9911d32a07860dab935adf265b8a9 c:\windows\system32\ntkrnlpa.exe
2007-12-30 19:42 2185472 9a8f4f15f3a85f2b67525425f24df7f6 c:\windows\system32\ntoskrnl.exe
2007-12-30 19:38 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\explorer.exe
2007-12-30 19:42 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\system32\spoolsv.exe
2007-12-30 19:42 295424 c33e6f5fd9209f4543b5c0d37ceb742c c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{83821C2B-32A8-4DD7-B6D4-44309A78E668}"= "c:\program files\Mail.Ru\Agent\Mradll\newmrasearch.dll" [2009-01-07 46584]
[HKEY_CLASSES_ROOT\clsid\{83821c2b-32a8-4dd7-b6d4-44309a78e668}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
"QIP.Online"="c:\program files\QIP.Online\qiponline.exe" [2008-11-26 3454976]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"FreeCall"="c:\program files\FreeCall.com\FreeCall\FreeCall.exe" [2008-09-01 9109296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-01-07 5598392]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-06-23 479232]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"citysvyaz"="c:\program files\citysvyaz\citysvyaz.exe" [2008-10-28 2076672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2004-08-04 136704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-12-30 c:\windows\system32\advpack.dll]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=prio.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\FlashGet\flashget.exe"=
"c:\Program Files\ICQ6\ICQ.exe"=
"c:\Program Files\FreeCall.com\FreeCall\FreeCall.exe"=
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-06-04 3456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-08 111184]
R1 prio;prio driver;c:\windows\system32\drivers\prio.sys [2005-11-28 29184]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-08 20560]
S4 Plu2160;Plu2160; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dabc8bbf-9b76-11dd-bca8-0019b9527b1a}]
\shell\explore\Command - boot.exe
\shell\open\Command - boot.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: &Highlight - c:\windows\WEB\highlight.htm
IE: &Links List - c:\windows\WEB\urllist.htm
IE: &Web Search - c:\windows\WEB\selsearch.htm
IE: &Закачать все при помощи FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Закачать при помощи FlashGet - c:\program files\FlashGet\jc_link.htm
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Open Frame in &New Window - c:\windows\WEB\frm2new.htm
IE: Zoom &In - c:\windows\WEB\zoomin.htm
IE: Zoom O&ut - c:\windows\WEB\zoomout.htm
IE: Добавить в Rambler-Закладки - c:\program files\Rambler Assistant\ramblertoolbarU1.dll/zakladki.htm
IE: Найти с помощью Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU1.dll/search.htm
IE: Перевести с помощью словарей Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU1.dll/dic.htm
IE: Поиск@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/282
IE: Словари@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
TCP: {9A9A03F4-D68A-4659-9150-200B579A10DC} = 212.33.225.211 212.33.224.131
TCP: {C7D304A0-AA78-4B7D-A1C9-4CBB7D8A9906} = 212.120.160.139,212.120.160.130
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\4xrq24xz.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?clid=40795
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 01:29:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\NOTEPAD.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\citysvyaz\CitySvyazClient.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-01-13 1:34:07 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2009-01-12 20:34:04
Pre-Run: 8,760,397,824 bytes free
Post-Run: 8,751,067,136 байт свободно
:) and this has been done)

