Re: Re: a porn banner pops up
ComboFix result
ComboFix 09-11-07.02 - Александр 07.11.2009 22:43.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2047.1547 [GMT 3:00]
Running from: c:\documents and settings\Александр\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Александр\Рабочий стол\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Антивирус Касперского *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-06 12:08 . 2009-11-07 19:40 d-----w- c:\program files\trend micro
2009-11-06 12:08 . 2009-11-06 12:12 d-----w- C:\rsit
2009-11-06 10:50 . 2009-11-06 10:50 d-----w- c:\windows\system32\wbem\Repository
2009-11-06 09:04 . 2009-11-06 09:04 42496 ----a-w- c:\windows\system32\prppcq.exe
2009-11-06 09:04 . 2009-11-06 09:04 42496 ----a-w- c:\windows\system32\nibjr5.exe
2009-11-06 09:04 . 2009-11-06 09:04 42496 ----a-w- c:\windows\system32\tek5k.exe
2009-11-06 09:04 . 2009-11-06 09:04 462336 ----a-w- c:\windows\system32\el32.dll
2009-11-06 09:04 . 2009-11-06 09:04 44032 ----a-w- c:\windows\system32\syschk32.exe
2009-11-06 09:04 . 2009-11-06 09:04 42496 ----a-w- c:\windows\system32\n3x1jk.exe
2009-11-02 06:40 . 2009-11-07 12:11 d-----w- C:\VKLife
2009-11-02 06:37 . 2009-11-02 06:37 4282136 ----a-w- c:\program files\VKLife_1.9.exe
2009-10-30 08:17 . 2009-11-06 09:11 d-----w- c:\program files\FreeSpacer
2009-10-30 08:12 . 2009-10-30 08:12 d-----w- c:\program files\C
2009-10-30 07:01 . 2009-10-30 07:01 d-----w- c:\documents and settings\All Users\Application Data\Yandex
2009-10-30 07:01 . 2009-11-05 16:48 d-----w- c:\program files\Yandex
2009-10-30 07:01 . 2009-11-02 06:40 d-----w- c:\documents and settings\Александр\Application Data\Yandex
2009-10-30 07:00 . 2009-11-06 09:40 d-----w- c:\documents and settings\Александр\Local Settings\Application Data\Yandex
2009-10-30 07:00 . 2009-10-30 07:00 3651368 ----a-w- c:\program files\PuntoSwitcherSetup.exe
2009-10-26 12:17 . 2009-10-26 12:17 d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 18:20 . 2008-04-15 12:00 80604 ----a-w- c:\windows\system32\perfc019.dat
2009-11-07 18:20 . 2008-04-15 12:00 477906 ----a-w- c:\windows\system32\perfh019.dat
2009-11-07 18:17 . 2008-12-14 12:43 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-07 18:06 . 2008-12-14 12:43 860192 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-07 18:06 . 2008-12-14 12:43 6116 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-07 18:06 . 2008-12-14 12:43 3928096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-07 18:06 . 2008-12-14 12:43 34912 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-07 11:06 . 2008-12-14 13:39 d--h--w- c:\program files\Opera AC 3.5.1
2009-11-03 11:27 . 2009-07-20 06:19 d-----w- c:\documents and settings\Александр\Application Data\Skype
2009-11-03 04:39 . 2009-07-20 06:36 d-----w- c:\documents and settings\Александр\Application Data\skypePM
2009-11-02 09:18 . 2009-01-16 15:03 d--h--w- c:\program files\VKLife
2009-11-02 05:28 . 2009-01-11 10:24 d-----w- c:\documents and settings\Александр\Application Data\Smart-Shopper
2009-11-02 05:24 . 2008-12-15 08:09 d-----w- c:\documents and settings\Александр\Application Data\ICQ
2009-10-30 08:51 . 2009-07-17 10:25 d-----w- c:\program files\Pinnacle
2009-10-30 08:51 . 2009-03-13 06:04 d-----w- c:\program files\Windows Media Connect 2
2009-10-30 08:51 . 2008-12-16 13:23 d-----w- c:\program files\Reg Organizer
2009-10-30 08:51 . 2008-12-14 11:40 d-----w- c:\program files\Total Commander
2009-10-30 08:51 . 2008-12-15 08:09 d-----w- c:\program files\ICQ6Toolbar
2009-10-30 08:50 . 2008-12-31 22:25 d-----w- c:\documents and settings\Александр\Application Data\AIMP
2009-10-30 08:11 . 2009-10-30 08:11 844547 ----a-w- c:\program files\FreeSpacer_setup.rar
2009-10-30 06:41 . 2009-04-15 20:55 d-----w- c:\program files\ICQLite
2009-10-26 12:54 . 2009-01-12 23:35 1 ----a-w- c:\documents and settings\Александр\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-16 16:31 . 2008-12-14 12:43 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-16 16:31 . 2008-12-14 12:43 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-06 08:26 . 2009-08-29 04:49 d-----w- c:\program files\Microsoft ActiveSync
2009-10-05 13:05 . 2008-12-14 11:42 d-----w- c:\program files\Winamp
2009-10-04 05:27 . 2009-09-16 06:48 d-----w- c:\program files\MuzRu
2009-10-01 16:38 . 2009-09-29 16:57 d-----w- c:\program files\Radio_W
2009-10-01 16:38 . 2009-09-30 16:53 d-----w- c:\program files\Opera
2009-09-29 20:36 . 2009-09-29 20:36 d-----w- c:\program files\TouchStoneSoftware
2009-09-22 14:57 . 2009-09-22 14:57 d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-09-20 07:48 . 2008-12-14 10:30 104120 ----a-w- c:\documents and settings\Александр\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 12:12 . 2009-09-15 12:12 d-----w- c:\program files\Beeline
2009-09-11 14:19 . 2008-04-15 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:16 . 2009-09-10 15:38 97792 ----a-w- c:\windows\expmon.exe
2009-09-10 16:16 . 2009-09-10 15:38 706 ----a-w- c:\windows\sxlib32.dat
2009-09-10 16:16 . 2009-09-10 15:38 1486336 ----a-w- c:\windows\sxgui32.dll
2009-09-10 16:16 . 2009-09-10 15:38 1213440 ----a-w- c:\windows\sfxlib32.dll
2009-09-10 16:16 . 2009-09-10 15:38 16896 ----a-w- c:\windows\sxexp32.dll
2009-09-10 15:04 . 2009-09-10 14:16 d-----w- c:\program files\Retriever
2009-09-10 14:16 . 2009-09-10 14:16 d-----w- c:\documents and settings\Александр\Application Data\Retriever
2009-09-10 14:14 . 2009-03-08 15:37 d-----w- c:\program files\SAMSUNG
2009-09-07 11:23 . 2009-09-07 11:23 6931008 ------w- c:\program files\DJVUCTRL-6.1.4-en-r2013.exe
2009-09-07 11:22 . 2009-09-07 11:20 26739584 ------w- c:\program files\AdbeRdr910_en_US.exe
2009-09-04 21:04 . 2008-04-15 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:58 . 2008-04-15 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2008-04-15 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 16:15 . 2009-08-25 16:15 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\mzvkbd3.dll
2009-08-25 16:15 . 2009-08-25 16:15 59920 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\mzvkbd.dll
2009-08-23 05:10 . 2009-08-23 05:10 807693 ------w- c:\program files\YandexBarb.xpi
2009-08-18 19:49 . 2009-08-18 19:49 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\pcswpcsi.exe
2009-08-18 19:49 . 2009-08-18 19:49 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstCCD.exe
2009-08-18 19:49 . 2009-08-18 19:49 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstPCSFEMsi.exe
2009-08-18 19:49 . 2009-08-18 19:49 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstPCS.exe
2009-08-18 19:47 . 2009-08-18 19:49 34045136 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_rus_web.exe
2009-07-20 06:03 . 2009-07-20 06:03 2033448 ------w- c:\program files\SkypeSetup.exe
2009-03-17 11:53 . 2009-03-17 11:53 21736 -c----w- c:\program files\vkontakte.css
2009-03-17 11:52 . 2009-03-17 11:52 2440 ------w- c:\program files\Текстовый документ OpenDocument.odt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-03 07:19 325000 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBar\IE\yndbar.dll" [2009-07-24 5586208]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBar\IE\yndbar.dll" [2009-07-24 5586208]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-02-04 5600952]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]
"expmon"="c:\windows\expmon.exe" [2009-09-10 97792]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
c:\documents and settings\Александр\Главное меню\Программы\Автозагрузка
FlylinkDC++.lnk - c:\flylinkdc++\FlylinkDC.exe [2009-3-18 3060224]
password.url [2009-6-2 64]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
ImageMixer HDD Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer3\HDDCameraMonitor.exe [2009-7-17 2117632]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Total Commander\Totalcmd.exe"=
"c:\Program Files\QIP\qip.exe"=
"c:\Program Files\Mail.Ru\Agent\magent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\FlylinkDC++\FlylinkDC.exe"=
"c:\Program Files\ICQLite\ICQ.exe"=
"c:\Program Files\Pinnacle\Studio 12\Programs\RM.exe"=
"c:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe"=
"c:\Program Files\Pinnacle\Studio 12\Programs\umi.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\Program Files\Opera AC 3.5.1\Opera.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.01.2008 17:29 33808]
R0 sojubus;sojubus;c:\windows\system32\drivers\sojubus.sys [05.10.2003 10:41 123520]
R0 sojuscsi;sojuscsi;c:\windows\system32\drivers\sojuscsi.sys [28.09.2003 10:57 5504]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [15.12.2008 11:09 222456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30.04.2008 17:06 24592]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-11-07 c:\windows\Tasks\SystemCheck.job
- c:\windows\system32\syschk32.exe [2009-11-06 09:04]
2009-11-07 c:\windows\Tasks\User_Feed_Synchronization-{05194BE9-0D53-44A0-9F25-873B3ECF0FBD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 00:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru?clid=41279
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Поиск@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/282
IE: Словари@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
TCP: {2CE21B57-E379-4C74-BFA3-AA3BF9BE54B9} = 91.144.150.3 91.144.148.3
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 22:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2132D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
Driver\atapi -> 0x8a2132d0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1275210071-1844823847-1177238915-1003\Software\%s (%s)«Щ0x >:xz|8xn9xz|8xCStringList*рі/xЯ0x!A:xoЮ0xn9xz|8xCMapPtrToPtrRUS_SettingsBCGCommandManager]
"CommandsWithoutImages"=hex:00,00
"MenuUserImages"=hex:00,00
[HKEY_USERS\S-1-5-21-1275210071-1844823847-1177238915-1003\Software\%s (%s)«Щ0x >:xz|8xn9xz|8xCStringList*рі/xЯ0x!A:xoЮ0xn9xz|8xCMapPtrToPtrRUS_SettingsBCGControlBarVersion]
"Major"=dword:00000008
"Minor"=dword:0000003c
[HKEY_USERS\S-1-5-21-1275210071-1844823847-1177238915-1003\Software\%s (%s)«Щ0x >:xz|8xn9xz|8xCStringList*рі/xЯ0x!A:xoЮ0xn9xz|8xCMapPtrToPtrRUS_SettingsBCGToolbarParameters]
"Tooltips"=dword:00000001
"ShortcutKeys"=dword:00000001
"LargeIcons"=dword:00000001
"MenuAnimation"=dword:00000000
"RecentlyUsedMenus"=dword:00000001
"MenuShadows"=dword:00000001
"ShowAllMenusAfterDelay"=dword:00000001
"Look2000"=dword:00000001
«CommandsUsage»=hex:00,00,00,00,00,00
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-07 22:51
ComboFix-quarantined-files.txt 2009-11-07 19:51
ComboFix2.txt 2009-11-07 19:02
ComboFix3.txt 2009-11-07 09:29
Pre-Run: 9 558 020 096 байт свободно
Post-Run: 9 540 943 872 байт свободно
- - End Of File - - 9179D603BA621DA7E47A141EE3E9401A

