When I go online the computer starts glitching and crashes often!
September 22, 2009 at 8:29 pm #17133
Logfile of random's system information tool 1.06 (written by random/random)
Run by Пользователь at 2009-09-23 00:21:49
Microsoft Windows XP Professional Service Pack 2
System drive C: has 16 GB (42%) free of 38 GB
Total RAM: 511 MB (43% free)

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{91397D20-1446-11D4-8AF4-0040CA1127B6} - Яндекс.Бар - C:\Program Files\Yandex\YandexBarIE\yndbar.dll [2009-07-24 5586208]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-01-16 37376]
"adstopper"=C:\Program Files\AdStoper\AdStopperTrayApp.exe []
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-03-01 577536]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"WinXPService"=C:\Documents and Settings\Пользователь\Application Data\Microsoft\Document Building Blocks\1025\Buildindex\ctfmon.pif []
"sys32_nov"=C:\WINDOWS\system32\sys32_nov.exe [2009-09-16 43520]
"Antivirus Pro 2010"=C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe /hide []
"Regedit32"=C:\WINDOWS\system32\regedit.exe []
"sysgif32"=C:\WINDOWS\Temp\wpv491253178221.exe [2009-09-18 36352]
"LoviVkontakte"=C:\Program Files\LoviVkontakte\lovivkontakte.exe [2009-09-22 728576]
"braviax"=C:\WINDOWS\system32\braviax.exe [2009-09-22 10752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"YandexOnline"=C:\Program Files\Yandex\Online\online.exe -AutoStart []
"sys32_nov"=C:\Documents and Settings\Пользователь\sys32_nov.exe [2009-09-16 43520]
"braviax"= []

C:\Documents and Settings\All Users.WINDOWS\Главное меню\Программы\Автозагрузка
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\Пользователь\Главное меню\Программы\Автозагрузка
ikowin32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cru629.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2007-12-18 219664]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\Temp\wpv491253178221.exe"="C:\WINDOWS\Temp\wpv491253178221.exe:*:Enabled:services"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9206290c-9940-11de-8866-000fea045245}]
shell\AutoRun\command - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\SYS83.exe
shell\open\command - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\SYS83.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ee75788-6a5e-11de-884c-000fea045245}]
shell\AutopLay\command - fbhcdl.exe
shell\AutoRun\command - fbhcdl.exe
shell\ExPLOrE\command - fbhcdl.exe
shell\oPen\command - fbhcdl.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ee75789-6a5e-11de-884c-000fea045245}]
shell\AutoRun\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ine32.exe
shell\open\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ine32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c13ac6ce-2e79-11de-882e-000fea045245}]
shell\AutoRun\command - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\SYS83.exe
shell\open\command - F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\SYS83.exe

======File associations======

.txt - open - "C:\Program Files\STDU Viewer\STDUViewerApp.exe" %1

======List of files/folders created in the last 1 months======

2009-09-23 00:21:49 ----D---- C:\Program Files\trend micro
2009-09-23 00:21:48 ----D---- C:\rsit
2009-09-22 18:15:33 ----D---- C:\Program Files\LoviVkontakte
2009-09-22 17:11:56 ----A---- C:\Program Files\Common Files\cawyc.exe
2009-09-20 09:58:18 ----A---- C:\WINDOWS\ruxis.dll
2009-09-20 09:58:18 ----A---- C:\WINDOWS\jiwyxypy.bat
2009-09-20 09:58:18 ----A---- C:\Program Files\Common Files\ykak.dll
2009-09-20 09:58:18 ----A---- C:\Program Files\Common Files\uhadub.vbs
2009-09-20 09:58:18 ----A---- C:\Program Files\Common Files\kuhi.bat
2009-09-20 09:58:18 ----A---- C:\Program Files\Common Files\esaham.com
2009-09-20 09:51:59 ----HD---- C:\WINDOWS\msdownld.tmp
2009-09-20 09:51:34 ----D---- C:\WINDOWS\WBEM
2009-09-20 09:50:26 ----HDC---- C:\WINDOWS\ie8
2009-09-20 09:50:26 ----D---- C:\WINDOWS\system32\ru-RU
2009-09-18 16:37:14 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-09-17 09:43:34 ----A---- C:\WINDOWS\system32\logydylo.dll
2009-09-17 09:43:34 ----A---- C:\Program Files\Common Files\pibewa.exe
2009-09-17 09:43:34 ----A---- C:\Program Files\Common Files\javymosu.vbs
2009-09-17 09:43:34 ----A---- C:\Program Files\Common Files\gyketoxa.exe
2009-09-16 11:35:52 ----A---- C:\WINDOWS\system32\uxapurel.bat
2009-09-16 11:35:52 ----A---- C:\Program Files\Common Files\esatuteked.vbs
2009-09-16 11:35:52 ----A---- C:\Program Files\Common Files\ekesisyxap.exe
2009-09-16 11:35:52 ----A---- C:\Documents and Settings\Пользователь\Application Data\guqifa.bat
2009-09-16 11:35:51 ----A---- C:\Documents and Settings\All Users.WINDOWS\Application Data\ufomybon.com
2009-09-16 11:32:16 ----A---- C:\WINDOWS\braviax.exe
2009-09-16 11:17:42 ----A---- C:\WINDOWS\system32\wisdstr.exe
2009-09-16 11:17:21 ----A---- C:\WINDOWS\system32\braviax.exe
2009-09-16 11:16:28 ----A---- C:\WINDOWS\system32\sys32_nov.exe
2009-09-14 00:45:16 ----D---- C:\Documents and Settings\Пользователь\Application Data\skypePM
2009-09-14 00:43:27 ----D---- C:\Program Files\Skype
2009-09-14 00:43:01 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2009-09-10 21:57:57 ----D---- C:\Program Files\FxClub
2009-09-09 20:45:33 ----D---- C:\WINDOWS\system32\recover
2009-09-06 15:38:45 ----D---- C:\Program Files\Avira
2009-09-06 15:38:45 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2009-09-06 13:07:21 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-09-06 13:07:20 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-09-06 13:07:20 ----A---- C:\WINDOWS\system32\wups.dll
2009-09-06 13:07:20 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-09-06 13:07:19 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-09-06 13:07:18 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-09-06 13:07:17 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-09-06 13:07:17 ----A---- C:\WINDOWS\system32\cdm.dll
2009-09-04 18:13:05 ----D---- C:\Program Files\Kaspersky Lab
2009-09-04 18:13:05 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-09-04 18:08:23 ----D---- C:\Documents and Settings\Пользователь\Application Data\Mozilla
2009-09-04 18:08:07 ----D---- C:\Documents and Settings\Пользователь\Application Data\Yandex
2009-09-02 18:22:20 ----D---- C:\Documents and Settings\Пользователь\Application Data\AdobeUM
2009-08-25 11:56:32 ----D---- C:\Documents and Settings\Пользователь\Application Data\My Battle for Middle-earth(tm) II Files

======List of files/folders modified in the last 1 months======

2009-09-23 00:21:49 ----RD---- C:\Program Files
2009-09-23 00:05:06 ----D---- C:\WINDOWS\Temp
2009-09-23 00:03:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-09-23 00:02:18 ----D---- C:\WINDOWS\system32\drivers
2009-09-22 23:57:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-09-22 18:36:43 ----D---- C:\WINDOWS\system32\CatRoot2
2009-09-22 17:19:30 ----D---- C:\WINDOWS\Prefetch
2009-09-22 17:11:56 ----D---- C:\WINDOWS\system32
2009-09-22 17:11:56 ----D---- C:\WINDOWS
2009-09-22 17:11:56 ----D---- C:\Program Files\Common Files
2009-09-21 19:56:38 ----A---- C:\WINDOWS\WINCMD.INI
2009-09-21 19:55:26 ----D---- C:\MUSIC
2009-09-21 01:22:20 ----A---- C:\WINDOWS\ANS2000.INI
2009-09-20 15:13:55 ----D---- C:\Documents and Settings\Пользователь\Application Data\Real
2009-09-20 09:53:36 ----HD---- C:\WINDOWS\inf
2009-09-20 09:53:36 ----D---- C:\WINDOWS\Help
2009-09-20 09:53:36 ----D---- C:\Program Files\Internet Explorer
2009-09-20 09:52:11 ----SHD---- C:\Config.Msi
2009-09-20 09:52:10 ----SHD---- C:\WINDOWS\Installer
2009-09-20 09:52:05 ----D---- C:\Program Files\Yandex
2009-09-20 09:51:25 ----D---- C:\WINDOWS\Media
2009-09-20 09:43:34 ----D---- C:\WINDOWS\Minidump
2009-09-19 14:29:46 ----SD---- C:\Documents and Settings\Пользователь\Application Data\Microsoft
2009-09-18 18:37:45 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2009-09-15 00:20:12 ----D---- C:\Documents and Settings\Пользователь\Application Data\Skype
2009-09-09 20:45:34 ----D---- C:\Program Files\MP3 Player Utilities 4.13
2009-09-09 20:33:00 ----D---- C:\Documents and Settings
2009-09-09 20:27:54 ----D---- C:\WINDOWS\Debug
2009-09-09 20:18:47 ----D---- C:\Games
2009-09-06 15:38:02 ----D---- C:\WINDOWS\WinSxS
2009-09-06 15:13:09 ----SHD---- C:\WINDOWS\system32\lowsec
2009-09-06 13:09:15 ----D---- C:\WINDOWS\system32\CatRoot
2009-09-06 13:07:28 ----D---- C:\WINDOWS\SoftwareDistribution
2009-08-30 13:38:48 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-24 02:32:45 ----RSD---- C:\WINDOWS\Fonts

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;Драйвер AMD K7 процессора; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-17 41728]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-03-20 3960000]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet адаптер, драйвер для NT; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Драйвер минипорта Microsoft USB 2.0 расширенного хост-контроллера; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 концентратор; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Драйвер минипорта Microsoft USB открытого хост-контроллера; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 KLIF;KLIF; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 USBSTOR;Драйвер запоминающих устройств для USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LoviVkontakteService;LoviVkontake Service; C:\Program Files\LoviVkontakte\VkontakteService.exe [2009-09-22 476672]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 StarWindService;StarWind iSCSI Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [2005-04-02 217600]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

EOF
September 25, 2009 at 3:22 pm #25851
Hello, welcome to the Spyware-ru forum.
Judging by the log, the computer is infected with the dangerous braviax trojan.
Download Win32kDiag from one of the following resources: 1, 2 or 3. Double-click the Win32kDiag.exe file to run Win32kDiag.
A black window will open; when the message "Finished! Press any key to exit..." appears in it, press any key to close the window. A file named Win32kDiag.txt should appear on your desktop. Paste the contents of Win32kDiag.txt into your reply.
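The diagnosis above is made by reading the Run keys of the RSIT dump by eye. As an added example (it is not part of this thread and is not code from RSIT, Win32kDiag or any other tool named here), the Python script below applies the same kind of triage mechanically to a handful of autorun lines copied from the log above. The heuristics it uses (launch from Temp or a user profile, .pif extension, a built-in tool such as regedit registered as an autorun, no file date/size recorded, the same value name present in more than one Run key) are the editor's own assumptions about what a reviewer looks for, not rules taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of autorun lines copied from the RSIT registry
# dump above, in RSIT's format  "ValueName"=path [file-date file-size].
# An empty "[]" means RSIT recorded no file information for that path.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-01-16 37376]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"WinXPService"=C:\Documents and Settings\Пользователь\Application Data\Microsoft\Document Building Blocks\1025\Buildindex\ctfmon.pif []
"sys32_nov"=C:\WINDOWS\system32\sys32_nov.exe [2009-09-16 43520]
"Regedit32"=C:\WINDOWS\system32\regedit.exe []
"sysgif32"=C:\WINDOWS\Temp\wpv491253178221.exe [2009-09-18 36352]
"braviax"=C:\WINDOWS\system32\braviax.exe [2009-09-22 10752]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"sys32_nov"=C:\Documents and Settings\Пользователь\sys32_nov.exe [2009-09-16 43520]
"braviax"= []
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*?)\s*\[([^\]]*)\]$')

# Built-in Windows tools that have no business being launched from a Run key
# (editor's assumption; extend to taste).
NEVER_AUTORUN = {"regedit.exe", "userinit.exe"}


def parse_run_entries(text):
    """Return a dict (key, name, path, meta) for every value under a Run-style key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, path, meta = m.groups()
            entries.append({"key": key, "name": name, "path": path, "meta": meta.strip()})
    return entries


def assess(entry, keys_with_same_name):
    """Heuristic reasons why one autorun entry deserves a closer look (empty = nothing flagged)."""
    reasons = []
    p = entry["path"].lower()
    exe = p.rsplit("\\", 1)[-1]
    if not p:
        reasons.append("empty path (value left behind after the file was removed)")
    if "\\temp\\" in p or "temporary internet files" in p:
        reasons.append("launches from a Temp directory")
    if "documents and settings" in p or "application data" in p:
        reasons.append("launches from a user profile directory, not Program Files or Windows")
    if exe.endswith(".pif"):
        reasons.append("PIF extension: a DOS shortcut posing as a program")
    if exe in NEVER_AUTORUN:
        reasons.append(f"built-in tool {exe} registered as an autorun")
    if p and not entry["meta"]:
        reasons.append("no file date/size recorded: file missing, hidden or protected")
    if keys_with_same_name > 1:
        reasons.append(f"same value name in {keys_with_same_name} Run keys (HKLM and HKCU persistence)")
    return reasons


def triage(text):
    """Parse the dump and attach the reasons list to every entry."""
    entries = parse_run_entries(text)
    keys_by_name = defaultdict(set)
    for e in entries:
        keys_by_name[e["name"]].add(e["key"])
    return [{**e, "reasons": assess(e, len(keys_by_name[e["name"]]))} for e in entries]


def suspicious_names(text):
    """Sorted, de-duplicated value names that received at least one reason."""
    return sorted({f["name"] for f in triage(text) if f["reasons"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "SUSPECT" if f["reasons"] else "ok     "
        print(f"{flag} {f['name']:16} {f['path'] or '(no path)'}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run as a script it prints one line per entry with its reasons; the three entries that point at known software in Program Files or system32 with file metadata present come out clean, the rest are flagged for the reasons a helper would cite when reading the log by hand. The heuristics are deliberately conservative (a flag means "look", not "malicious"): a legitimate updater can also live under Application Data, so the output is a worklist for the analyst, not a verdict.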
September 27, 2009 at 7:46 am #25852
Running from: C:\Documents and Settings\Русский\Мои документы\ИНЕТ\vb\Win32kDiag.exe
Log file at : C:\Documents and Settings\Пользователь\Рабочий стол\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
September 29, 2009 at 5:41 pm #25853
Download the Combofix program. Close all open windows and run the program.
When it finishes, a log file will be created; please paste it into your reply. Note: before using Combofix, be sure to install the Recovery Console. How to do this is described on the page I linked to above.
October 2, 2009 at 3:49 pm #25854
ComboFix 09-10-01.01 - Пользователь 02.10.2009 19:30.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.511.184 [GMT 4:00]
Running from: c:documents and settingsРусскийМои документыИНЕТComboFix.exe
AV: Антивирусная защита Касперского для Я.Онлайн *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsПользовательApplication Dataatilac.dll
c:documents and settingsПользовательApplication Dataehirelize.lib
c:documents and settingsПользовательApplication Dataenydyvyby._dl
c:documents and settingsПользовательApplication Dataijogodisom.dl
c:documents and settingsПользовательApplication Dataivip._dl
c:documents and settingsПользовательApplication DataMicrosoftClip Organizermstore10.mgc
c:documents and settingsПользовательApplication DataMicrosoftClip OrganizerOffic10.MGC
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex14101435.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex16263294.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex48171491.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex49258879.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex592996.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex71793066.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex77446506.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex82562790.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex8272202.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindex87432872.INS
c:documents and settingsПользовательApplication DataMicrosoftDocument Building Blocks1025Buildindexreclick32.dll
c:documents and settingsПользовательApplication Datanunitaqe.dl
c:documents and settingsПользовательApplication Datapenexu.ban
c:documents and settingsПользовательApplication Dataqaronecen.ban
c:documents and settingsПользовательApplication Datatole.dll
c:documents and settingsПользовательApplication Datauruju._sy
c:documents and settingsПользовательApplication Datausody.bin
c:documents and settingsПользовательApplication Datawiaserva.log
c:documents and settingsПользовательApplication Dataycaty.dl
c:documents and settingsПользовательApplication Dataysozese.scr
c:documents and settingsПользовательCookiescyxawi.pif
c:documents and settingsПользовательCookiesepefujy.com
c:documents and settingsПользовательCookiesfekuzopan.sys
c:documents and settingsПользовательCookieskyseba.bat
c:documents and settingsПользовательCookiesluxidyse.dat
c:documents and settingsПользовательCookiesobycowu.bin
c:documents and settingsПользовательCookiespiputad.com
c:documents and settingsПользовательCookiesurel.pif
c:documents and settingsПользовательCookiesvaxate.pif
c:documents and settingsПользовательCookieszigin.scr
c:documents and settingsПользовательdelself.bat
c:documents and settingsПользовательLocal SettingsApplication Dataamyvogocy.ban
c:documents and settingsПользовательLocal SettingsApplication Dataluzebaridy.pif
c:documents and settingsПользовательLocal SettingsApplication Dataohocygid._dl
c:documents and settingsПользовательLocal SettingsApplication Dataqyzyhovuc.bin
c:documents and settingsПользовательLocal SettingsApplication Datavixajopej._sy
c:documents and settingsПользовательLocal SettingsApplication Datawonif.exe
c:documents and settingsПользовательLocal SettingsApplication Datawufobomo.scr
c:documents and settingsПользовательLocal SettingsApplication Dataxigikik.exe
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesbewixa.scr
c:documents and settingsПользовательLocal SettingsTemporary Internet Filescymo.ban
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesemequn.db
c:documents and settingsПользовательLocal SettingsTemporary Internet Fileshamopiwuru.pif
c:documents and settingsПользовательLocal SettingsTemporary Internet Fileshopex.ban
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesjadadypawu.com
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesjaluvu.dl
c:documents and settingsПользовательLocal SettingsTemporary Internet Fileskehuzywyne.com
c:documents and settingsПользовательLocal SettingsTemporary Internet Fileskixiso.pif
c:documents and settingsПользовательLocal SettingsTemporary Internet Fileskucat.pif
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesmagadyk.bin
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesolivaryko.dat
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesqedosora.inf
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesrarizojiq.sys
c:documents and settingsПользовательLocal SettingsTemporary Internet Filessepizofus._sy
c:documents and settingsПользовательLocal SettingsTemporary Internet Filestidawucam.db
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesubuhykod.sys
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesukiqysypu.bat
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesveviqi.inf
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesxevenax.vbs
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesyguse.ban
c:documents and settingsПользовательLocal SettingsTemporary Internet Filesysorikuvyn.scr
c:documents and settingsПользовательoashdihasidhasuidhiasdhiashdiuasdhasd
c:documents and settingsAll Users.WINDOWSДокументыbyzum.ban
c:documents and settingsAll Users.WINDOWSДокументыdukomug.pif
c:documents and settingsAll Users.WINDOWSДокументыepop.com
c:documents and settingsAll Users.WINDOWSДокументыeqysuja.com
c:documents and settingsAll Users.WINDOWSДокументыgata.scr
c:documents and settingsAll Users.WINDOWSДокументыkaxyregija.bin
c:documents and settingsAll Users.WINDOWSДокументыmabypetedo.sys
c:documents and settingsAll Users.WINDOWSДокументыocacyredo.sys
c:documents and settingsAll Users.WINDOWSДокументыonupyjy.pif
c:documents and settingsAll Users.WINDOWSДокументыrytexow.scr
c:documents and settingsAll Users.WINDOWSДокументыuqoruvi.scr
c:documents and settingsAll Users.WINDOWSДокументыyzugale.sys
c:documents and settingsAll Users.WINDOWSДокументыzibu.com
c:documents and settingsAll Users.WINDOWSApplication Dataatogoxesec.inf
c:documents and settingsAll Users.WINDOWSApplication Dataaxaxy.reg
c:documents and settingsAll Users.WINDOWSApplication Databyquhe.sys
c:documents and settingsAll Users.WINDOWSApplication Datadecefac.reg
c:documents and settingsAll Users.WINDOWSApplication Dataivetepele.dl
c:documents and settingsAll Users.WINDOWSApplication Datajupimeva.scr
c:documents and settingsAll Users.WINDOWSApplication Datakazasab.pif
c:documents and settingsAll Users.WINDOWSApplication Datakekubyw.scr
c:documents and settingsAll Users.WINDOWSApplication DataMicrosoftNetworkDownloaderqmgr0.dat
c:documents and settingsAll Users.WINDOWSApplication DataMicrosoftNetworkDownloaderqmgr1.dat
c:documents and settingsAll Users.WINDOWSApplication Datamydoryfe.com
c:documents and settingsAll Users.WINDOWSApplication Dataniqag.reg
c:documents and settingsAll Users.WINDOWSApplication Datapuwyty.com
c:documents and settingsAll Users.WINDOWSApplication Dataufomybon.com
c:documents and settingsAll Users.WINDOWSApplication Dataunuqoxek.pif
c:documents and settingsAll Users.WINDOWSApplication Dataycerejyha.reg
c:documents and settingsAll Users.WINDOWS„®Єг¬Ґвлapyt.vbs
c:documents and settingsAll Users.WINDOWS„®Єг¬Ґвлmuqy.vbs
c:documents and settingsAll Users.WINDOWS„®Єг¬Ґвлnucuhicis.vbs
c:documents and settingsAll Users.WINDOWS„®Єг¬Ґвлymowypy.vbs
c:documents and settingsЏ®«м§®ў ⥫мApplication Dataguqifa.bat
c:documents and settingsЏ®«м§®ў ⥫мApplication Dataorydub.vbs
c:documents and settingsЏ®«м§®ў ⥫мApplication Datauvyz.reg
c:documents and settingsЏ®«м§®ў ⥫мLocal SettingsApplication Dataivutigotyk.vbs
c:documents and settingsЏ®«м§®ў ⥫мLocal SettingsApplication Dataqotegawyd.reg
c:program filesCommon Filesadojubakuq.reg
c:program filesCommon Filesahebiwap.inf
c:program filesCommon Filesbexozero.bat
c:program filesCommon Filescawyc.exe
c:program filesCommon Filesekesisyxap.exe
c:program filesCommon Filesesaham.com
c:program filesCommon Filesesatuteked.vbs
c:program filesCommon Filesexaki.bat
c:program filesCommon Fileseziwalup.exe
c:program filesCommon Filesgisoty.scr
c:program filesCommon Filesgyketoxa.exe
c:program filesCommon Fileshefuv.inf
c:program filesCommon Fileshyji.bin
c:program filesCommon Filesjavymosu.vbs
c:program filesCommon Filesjowatalys.ban
c:program filesCommon Fileskuhi.bat
c:program filesCommon Filesmesyfum.sys
c:program filesCommon Filesometo.bin
c:program filesCommon Filespibewa.exe
c:program filesCommon Filesqenicifa.bin
c:program filesCommon Filesuhadub.vbs
c:program filesCommon Filesuhetodudo.dl
c:program filesCommon Filesuraxiv.sys
c:program filesCommon Filesvatyzo.dll
c:program filesCommon Filesvyxa.exe
c:program filesCommon Filesxojebofu.pif
c:program filesCommon Filesykak.dll
c:program filesCommon Filesytucusizu.bat
c:program filesInternet ExplorerConnection Wizardicwsetup.exe
c:recyclerS-1-5-21-1482476501-1644491937-682003330-1013
c:recyclerS-1-5-21-1993962763-926492609-839522115-1004
c:windowsa3kebook.ini
c:windowsakebook.ini
c:windowsANS2000.INI
c:windowsatozyk.dll
c:windowsaviv._dl
c:windowsdarygej.ban
c:windowsduniwisa.pif
c:windowsehejaqufa.bin
c:windowsejomi.dl
c:windowsfacipesoki.bat
c:windowsfikeg.dll
c:windowsjiwyxypy.bat
c:windowsjujejijiku.scr
c:windowskoduka.inf
c:windowsnuneh.bin
c:windowsoryqizato.dl
c:windowspebyrice.inf
c:windowspetola.bat
c:windowsruxis.dll
c:windowssystem32ajytonoby.reg
c:windowssystem32akovodyryn.dl
c:windowssystem32avoditypis._dl
c:windowssystem32epymevi.inf
c:windowssystem32gygakifa.ban
c:windowssystem32ieuinit.inf
c:windowssystem32logydylo.dll
c:windowssystem32lowsec
c:windowssystem32lowseclocal.ds
c:windowssystem32lowsecuser.ds
c:windowssystem32lowsecuser.ds.lll
c:windowssystem32omym.dll
c:windowssystem32oqepy.sys
c:windowssystem32pevab.scr
c:windowssystem32qetahiti.dll
c:windowssystem32rojekez._dl
c:windowssystem32sasukiguz.vbs
c:windowssystem32siqiv.bin
c:windowssystem32totewe.ban
c:windowssystem32uxapurel.bat
c:windowssystem32vawyz.pif
c:windowssystem32webmin
c:windowssystem32xulehus.reg
c:windowssystem32ysid.bin
c:windowsukofifuc.reg
c:windowsulad.dl
c:windowsvahigemax.dl
c:windowsxedom.bin
c:windowsygami.dl
c:windowsykyvoluki.ban
c:windowsypyqy.scr
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
Infected copy of c:windowssystem32userinit.exe was found and disinfected
Restored copy from — c:windowssystem32dllcacheuserinit.exe.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_WIN32X((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.2009-09-28 10:14 . 2009-10-02 14:03
d
w- c:windowssystem32i
2009-09-28 02:31 . 2009-10-01 00:02
d
w- c:program filesSdelaiMebe
2009-09-27 07:55 . 2009-09-27 07:55
d
w- c:program filesMetaTrader 4 at FOREX.com
2009-09-25 14:08 . 2009-09-29 11:46 105080 —-a-w- c:windowssystem32driversdwprot.sys
2009-09-25 14:07 . 2009-09-25 14:07
d
w- c:program filesCommon FilesDoctor Web
2009-09-25 14:07 . 2009-09-25 14:07
d
w- c:documents and settingsAll Users.WINDOWSApplication DataDoctor Web
2009-09-25 14:07 . 2009-10-02 15:28
d
w- c:program filesDrWeb
2009-09-25 10:19 . 2009-09-25 14:26
d
w- c:documents and settingsПользовательDoctorWeb
2009-09-24 16:15 . 2009-09-24 16:15
d
w- c:documents and settingsПользовательLocal SettingsApplication DataOpera
2009-09-24 16:15 . 2009-09-24 16:15
d
w- c:documents and settingsПользовательApplication DataOpera
2009-09-24 16:15 . 2009-09-24 16:15
d
w- c:program filesOpera
2009-09-24 13:52 . 2009-09-24 13:52
d-sh—w- c:documents and settingsПользовательIECompatCache
2009-09-23 14:32 . 2009-09-23 14:32 142592 —-a-w- c:windowssystem32driverssp_rsdrv2.sys
2009-09-23 14:32 . 2009-09-29 06:19
d
w- c:documents and settingsПользовательApplication DataSpyware Terminator
2009-09-23 14:32 . 2009-10-02 14:08
d
w- c:documents and settingsAll Users.WINDOWSApplication DataSpyware Terminator
2009-09-23 14:32 . 2009-09-29 03:32
d
w- c:program filesSpyware Terminator
2009-09-23 08:51 . 2009-09-23 08:51 15784 —-a-w- c:windowssystem32ekyfawe.com
2009-09-23 08:50 . 2009-09-23 08:50 19732 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Datacilygo.dat
2009-09-23 08:50 . 2009-09-23 08:50 19520 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Datafijoweda.dat
2009-09-23 08:49 . 2009-09-23 08:49 15124 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Dataivutigotyk.vbs
2009-09-22 20:21 . 2009-09-22 20:21
d
w- c:program filestrend micro
2009-09-22 20:21 . 2009-09-22 20:22
d
w- C:rsit
2009-09-20 05:58 . 2009-09-20 05:58 14819 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Dataqotegawyd.reg
2009-09-20 05:56 . 2009-09-20 05:56
d-sh—w- c:documents and settingsПользовательPrivacIE
2009-09-20 05:55 . 2009-09-20 05:55
d-sh—w- c:documents and settingsПользовательIETldCache
2009-09-20 05:51 . 2009-09-20 05:52
d—h—w- c:windowsmsdownld.tmp
2009-09-20 05:50 . 2009-10-02 14:54
d
w- c:windowssystem32ru-RU
2009-09-20 05:50 . 2004-08-17 10:04 81920 —-a-w- c:windowssystem32ieencode.dll
2009-09-20 05:50 . 2004-08-17 10:04 81920 —-a-w- c:windowssystem32dllcacheieencode.dll
2009-09-19 10:29 . 2009-09-19 10:29
d
w- c:documents and settingsПользовательLocal SettingsApplication DataIdentities
2009-09-16 07:35 . 2009-09-16 07:35 17541 —-a-w- c:program filesCommon Filespojotajih.dat
2009-09-16 07:35 . 2009-09-16 07:35 17412 —-a-w- c:program filesCommon Filesudahykef.dat
2009-09-13 20:45 . 2009-09-13 20:45 56 —ha-w- c:windowssystem32ezsidmv.dat
2009-09-13 20:45 . 2009-09-14 20:00
d
w- c:documents and settingsПользовательApplication DataskypePM
2009-09-13 20:43 . 2009-09-15 14:46
d
w- c:documents and settingsAll Users.WINDOWSApplication DataSkype
2009-09-10 17:57 . 2009-10-02 15:00
d
w- c:program filesFxClub
2009-09-09 16:45 . 2009-09-09 16:45
d
w- c:windowssystem32recover
2009-09-09 16:30 . 2009-10-02 11:41
d—h—r- c:documents and settingsПользовательRecent
2009-09-06 11:38 . 2009-07-28 12:33 55656 —-a-w- c:windowssystem32driversavgntflt.sys
2009-09-06 09:07 . 2004-08-17 10:04 120320 —-a-w- c:windowssystem32wuweb.dll
2009-09-06 09:07 . 2008-10-16 10:08 34328 -c—a-w- c:windowssystem32dllcachewups.dll
2009-09-06 09:07 . 2008-10-16 10:08 34328 —-a-w- c:windowssystem32wups.dll
2009-09-06 09:07 . 2004-08-17 10:04 113152 —-a-w- c:windowssystem32wucltui.dll
2009-09-06 09:07 . 2004-08-17 10:04 1134592 —-a-w- c:windowssystem32wuaueng.dll
2009-09-06 09:07 . 2004-08-17 10:05 111616 —-a-w- c:windowssystem32wuauclt.exe
2009-09-06 09:07 . 2004-08-17 10:04 431104 —-a-w- c:windowssystem32wuapi.dll
2009-09-06 09:07 . 2004-08-17 10:04 66560 —-a-w- c:windowssystem32cdm.dll
2009-09-04 15:33 . 2009-09-20 05:52 5314592 —sha-w- c:windowssystem32driversfidbox.dat
2009-09-04 15:33 . 2009-09-20 05:52 19744 —sha-w- c:windowssystem32driversfidbox2.dat
2009-09-04 14:14 . 2009-09-04 14:14 91700 —-a-w- c:windowssystem32driversklin.dat
2009-09-04 14:14 . 2009-09-04 14:14 85860 —-a-w- c:windowssystem32driversklick.dat
2009-09-04 14:13 . 2009-09-06 12:23
d
w- c:documents and settingsAll Users.WINDOWSApplication DataKaspersky Lab
2009-09-04 14:13 . 2009-09-04 14:13
d
w- c:program filesKaspersky Lab
2009-09-04 14:08 . 2009-09-04 14:08
d
w- c:documents and settingsПользовательApplication DataMozilla
2009-09-04 14:08 . 2009-10-02 15:01
d
w- c:documents and settingsПользовательApplication DataYandex
2009-09-04 14:08 . 2009-09-20 05:52
d
w- c:documents and settingsПользовательLocal SettingsApplication DataYandex.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 15:37 . 2009-04-19 13:54 3670016 —ha-w- c:documents and settingsПользовательNTUSER.DAT
2009-10-02 15:01 . 2008-12-04 18:06
d
w- c:program filesYandex
2009-10-02 15:01 . 2009-09-04 14:08
d
w- c:documents and settingsПользовательApplication DataYandex
2009-09-29 06:19 . 2009-09-23 14:32
d
w- c:documents and settingsПользовательApplication DataSpyware Terminator
2009-09-24 16:15 . 2009-09-24 16:15
d
w- c:documents and settingsПользовательApplication DataOpera
2009-09-23 08:51 . 2009-09-23 08:51 12392 —-a-w- c:documents and settingsПользовательApplication Dataorydub.vbs
2009-09-23 08:50 . 2009-09-23 08:50 19732 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Datacilygo.dat
2009-09-23 08:50 . 2009-09-23 08:50 19520 —-a-w- c:documents and settingsПользовательLocal SettingsApplication Datafijoweda.dat
2009-09-23 08:49 . 2009-09-23 08:49 19160 —-a-w- c:program filesCommon Filesmalenyrab._sy
2009-09-23 08:49 . 2009-09-23 08:49 15124 ----a-w- c:documents and settingsПользовательLocal SettingsApplication Dataivutigotyk.vbs
2009-09-22 13:11 . 2009-09-22 13:11 16890 ----a-w- c:program filesCommon Filesypogyb.db
2009-09-22 13:11 . 2009-09-22 13:11 16221 ----a-w- c:documents and settingsПользовательApplication Datauvyz.reg
2009-09-20 11:13 . 2009-04-26 16:59 d-----w- c:documents and settingsПользовательApplication DataReal
2009-09-20 05:58 . 2009-09-20 05:58 14819 ----a-w- c:documents and settingsПользовательLocal SettingsApplication Dataqotegawyd.reg
2009-09-20 05:52 . 2009-09-04 15:33 2900 --sha-w- c:windowssystem32driversfidbox2.idx
2009-09-20 05:52 . 2009-09-04 15:33 19844 --sha-w- c:windowssystem32driversfidbox.idx
2009-09-19 10:29 . 2009-04-19 13:54 d-s---w- c:documents and settingsПользовательApplication DataMicrosoft
2009-09-16 07:35 . 2009-09-16 07:35 13745 ----a-w- c:program filesCommon Filesyqobo.lib
2009-09-16 07:35 . 2009-09-16 07:35 10737 ----a-w- c:documents and settingsПользовательApplication Dataguqifa.bat
2009-09-14 20:20 . 2009-04-28 11:02 d-----w- c:documents and settingsПользовательApplication DataSkype
2009-09-14 20:00 . 2009-09-13 20:45 d-----w- c:documents and settingsПользовательApplication DataskypePM
2009-09-09 16:45 . 2009-01-14 18:52 d-----w- c:program filesMP3 Player Utilities 4.13
2009-09-04 14:08 . 2009-09-04 14:08 d-----w- c:documents and settingsПользовательApplication DataMozilla
2009-09-02 14:22 . 2009-09-02 14:22 d-----w- c:documents and settingsПользовательApplication DataAdobeUM
2009-08-30 09:38 . 2008-08-25 14:22 d--h--w- c:program filesInstallShield Installation Information
2009-08-26 19:19 . 2009-04-23 15:28 65312 ----a-w- c:documents and settingsПользовательLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-08-25 07:56 . 2009-08-25 07:56 d-----w- c:documents and settingsПользовательApplication DataMy Battle for Middle-earth(tm) II Files
2009-08-23 17:38 . 2009-08-23 17:38 d-----w- c:documents and settingsПользовательApplication DataHelp
2009-08-21 21:06 . 2009-08-21 21:06 d-----w- c:documents and settingsПользовательApplication DataMy Battle for Middle-earth Files
2009-08-21 17:11 . 2009-05-29 12:45 d-----w- c:documents and settingsAll Users.WINDOWSApplication Data2DBoy
2009-08-14 13:56 . 2009-08-14 13:56 d-----w- c:program filesAlcohol Soft
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«SpywareTerminatorUpdate»=»c:program filesSpyware TerminatorSpywareTerminatorUpdate.exe» [2009-09-23 3055616]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«WinampAgent»=»c:program filesWinampwinampa.exe» [2008-01-15 37376]
«SpywareTerminator»=»c:progra~1SPYWAR~1SpywareTerminatorShield.exe» [2009-09-23 2171904]
«SpIDerAgent»=»c:program filesDrWebSpIDerAgent.exe» [2009-06-01 447728]
«SpIDerMail»=»c:program filesDrWebspiderml.exe» [2009-06-30 644336]
«SpIDerNT»=»c:progra~1DrWebspiderui.exe» [2009-08-17 231840]
«SoundMan»=»SOUNDMAN.EXE» — c:windowssoundman.exe [2006-03-01 577536]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2004-08-17 15360]

c:documents and settingsAll Users.WINDOWSГлавное менюПрограммыАвтозагрузка
Adobe Reader Speed Launch.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«ForceClassicControlPanel»= 1 (0x1)

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolsession manager]
BootExecute REG_MULTI_SZ autocheck autochk /p ??E:autocheck autochk *

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=

R0 DwProt;DrWeb Protection;c:windowssystem32driversdwprot.sys [25.09.2009 18:08 105080]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:windowssystem32driverssp_rsdrv2.sys [23.09.2009 18:32 142592]
R2 DrWebEngine;Dr.Web ® Scanning Engine (DrWebEngine);c:program filesCommon FilesDoctor WebScanning Enginedwengine.exe [27.08.2009 19:06 869688]
R2 SPIDER;SpIDer Guard File System Monitor;c:progra~1DrWebspider.sys [17.08.2009 17:47 306464]
R2 SPIDERNT;SpIDer Guard for Windows;c:progra~1DrWebspidernt.exe [17.08.2009 17:47 231328]
S2 BitSrv;Bit Service;c:windowsSystem32BtSrv.exe —> c:windowsSystem32BtSrv.exe [?]
S2 LoviVkontakteService;LoviVkontake Service;c:program filesLoviVkontakteVkontakteService.exe —> c:program filesLoviVkontakteVkontakteService.exe [?]
.
Contents of the ‘Scheduled Tasks’ folder

2009-09-25 c:windowsTasksDr.Web Daily scan.job
— c:program filesDrWebDrWeb32w.exe [2009-08-18 16:42]

2009-10-02 c:windowsTasksDr.Web Update.job
— c:program filesDrWebDrWebUpW.exe [2009-08-18 13:19]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=40316
mStart Page = hxxp://www.google.com
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
IE: Add to AMV Converter… — c:program filesMP3 Player Utilities 4.13AMVConvertergrab.html
IE: MediaManager tool grab multimedia file — c:program filesMP3 Player Utilities 4.13MediaManagergrab.html
LSP: c:program filesDrWebdrwebsp.dll
.
— — — — ORPHANS REMOVED — — — —

WebBrowser-{91397D20-1446-11D4-8AF4-0040CA1127B6} — (no file)
AddRemove-{A7AA93B6-6909-4073-B4EC-45CCDEFD4665} — c:gamesNHL08unwise.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
**************************************************************************
.
Other Running Processes
.
c:program filesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
c:program filesSpyware Terminatorsp_rsser.exe
c:program filesAlcohol SoftAlcohol 120StarWindStarWindService.exe
c:windowssystem32wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-02 19:45 — machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 15:45

Pre-Run: 9 454 452 736 байт свободно
Post-Run: 10 476 949 504 байт свободно

Current=44 Default=44 Failed=43 LastKnownGood=45 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45

October 5, 2009 at 2:06 pm #25855

Combofix has done most of the work, but a little more effort is still needed.
Open Notepad (click Start, Run, type notepad in the input box and press Enter) and paste the following text into it:

File::
c:windowssystem32ekyfawe.com
c:documents and settingsПользовательLocal SettingsApplication Datacilygo.dat
c:documents and settingsПользовательLocal SettingsApplication Datafijoweda.dat
c:documents and settingsПользовательLocal SettingsApplication Dataivutigotyk.vbs
c:documents and settingsПользовательLocal SettingsApplication Dataqotegawyd.reg
c:program filesCommon Filespojotajih.dat
c:program filesCommon Filesudahykef.dat
c:documents and settingsПользовательApplication Dataorydub.vbs
c:program filesCommon Filesmalenyrab._sy
c:program filesCommon Filesypogyb.db
c:documents and settingsПользовательApplication Datauvyz.reg
c:program filesCommon Filesyqobo.lib
c:documents and settingsПользовательApplication Dataguqifa.bat

Save the resulting file to your desktop under the name CFScript
Then drag the resulting file onto the Combofix icon, as shown in the picture below.
Combofix will start and carry out the procedures described in the file we created.
When Combofix finishes, a new log will be created; paste it into your next reply.

October 5, 2009 at 6:45 pm #25856

PUSHD «C:32788R22FWJFW»
SET «Comspec=C:WINDOWSsystem32cmd.execf»
IF NOT EXIST C:WINDOWSsystem32cmd.exe GOTO Not_NT
VER 1>OsVer
GREP.cfxxe -F «5.1.2» OsVer 1>XP.mac
IF 0 == 0 GOTO NT
GREP.cfxxe -isq «ProductType.*WinNT» WinNT00 || GOTO Not_NT
SET «Ver_CF=09-10-01.01»
IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
Скопировано файлов: 1.
PEV UZIP Licensepv_5_2_2.zip .
MOVE /Y PV.exe PV.cfxxe
Не удается найти указанный файл.
IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe
Скопировано файлов: 1.
SED «/^PATH=/I!d; s///; s/x22//g» Oripath 1>OriPath00
PEV -rtf -s+901 .OriPath00 && (
SED -r «s/x22//g; s/(.{900}).*/1/; s/;[^;]*$//» OriPath00 1>OriPath01
FOR /F «TOKENS=*» %G IN (OriPath01) DO @SET «PATH=C:32788R22FWJFW;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSsystem32wbem;%G»
)
IF NOT EXIST OriPath01 FOR /F «TOKENS=*» %G IN (OriPath00) DO SET «SET «PATH=C:32788R22FWJFW;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSsystem32wbem;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem»
«PV» не является внутренней или внешней командой, исполняемой программой или пакетным файлом.
PEV -rtf —c:##5# .* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o —files:temp01 —c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED «/.* /!d; s///» temp03 1>temp04
SED «:a; $!N; s/n/x22 x22/; ta; s/.*/x22&x22/» temp04 1>temp05
FOR /F «TOKENS=*» %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
Текущая кодовая страница: 1251
CALL :MDCheck
Не удается найти C:32788R22FWJFWmd5sum00.pif
PEV -rtf -md5FB5C3358C448CAFFFBAE064DF79B05E2 .md5sum.pif || CALL :MDFaiL ChkSum_Fail
.md5sum.pif
PEV -tf —files:files.pif —c:##5#b#f# 1>mdCheck00.dat
GREP -vs «^!MD5:» mdCheck00.dat 1>mdCheck0a.dat
GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL
GOTO :EOF
=============================================
ALLUSERSPROFILE=C:Documents and SettingsAll Users.WINDOWS
APPDATA=C:Documents and SettingsПользовательApplication Data
cfExt=cfxxe
CFLDR=32788R22FWJFW
Chksum=FB5C3358C448CAFFFBAE064DF79B05E2
CLIENTNAME=Console
Command switches used=Command switches used
CommonProgramFiles=C:Program FilesCommon Files
Completion time=Completion time
COMPUTERNAME=FBE34716FAC349F
ComSpec=C:WINDOWSsystem32cmd.execf
Connecting to=Connecting to
Connecting to ComboFix servers=Connecting to ComboFix servers
Cryptography Services Error=Cryptography Services Error
Disclaimer=The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n
~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided ‘as is’, without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit» «DISCLAIMER OF WARRANTY ON SOFTWARE.
DLLs Loaded Under Running Processes=DLLs Loaded Under Running Processes
Drivers/Services=Drivers/Services
Fail2Delete=failed to delete
File Associations=File Associations
File Replicators=File Replicators
Files Infected — Patched=Files Infected — Patched
FIREFOX POLICIES=FIREFOX POLICIES
FP_NO_HOST_CHECK=NO
hidden files=hidden files
HOMEDRIVE=C:
HOMEPATH=Documents and SettingsПользователь
is infected=is infected
is missing=is missing
KMD=CF973.exe
Line1=Please wait.
Line10=ComboFix has detected the presence of rootkit activity and needs to reboot the machine~nKindly note down on paper, the name of each file. We may need it later~n~n%~G» «Rootkit !!
Line10A=ComboFix has detected the presence of rootkit activity and needs to reboot the machine» «Rootkit !!
Line11=Scanning for infected files . . .
Line12=This typically doesn’t take more than 10 minutes
Line13=However, scan times for badly infected machines may easily double
Line14=%G …… driver unloaded successfully.
Line15=Rootkit driver %G is still present. A rootkit scan is required
Line16=ComboFix has changed your clock settings.
Line17=Do not change it back. It shall be restored later
Line18=ComboFix encountered a terminal error!! Please upload this file — C:ComboFix_error.dat
Line19=to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
Line2=ComboFix is preparing to run.
Line20=Preparing Log Report.
Line21=Do not run any programs until ComboFix has finished
Line22=No new files created in this timespan
Line23=*Note* empty entries ^& legit default entries are not shown
Line24=Contents of the ‘Scheduled Tasks’ folder
Line25=Almost done . . This window will close in a short while
Line26=Please wait a few seconds for the report log to pop up
Line27=ComboFix’s log shall be located at C:COMBOFIX.TXT
Line28=Rebooting Windows . . . Please wait
Line29=Please allow ComboFix to reboot the machine.
Line3=You need Administrative privileges to run this tool» «Not Admin !!
Line30=Overlay aborted … Please run ComboFix once more
Line31=Date Error: ~%CurrDate.yyyy-MM-dd%~n~nCheck your settings» «DATE ERROR
Line32=C:WINDOWSsystem32HAL.DLL is missing !!~n~nIt’s IMPORTANT that you DO NOT reboot/shutdown the machine~n~nPost to the forums for immediate help. Do not click OK until further instructed» «CRITICAL WARNING !!
Line33=ComboFix needs to submit malware files for further analysis.~n~nPlease ensure that you’re connected to the internet before clicking OK» «Submit Files for further analysis
Line34=Submit malware to Bleeping Computer for analysis.
Line35=Copy/Paste the filepath below into the box above and click Send.
Line36=Infected copy of %~1 was found and disinfected
Line36A=Restored copy from — %~2
Line37=%~1 . . . is infected!!
Line38=((((((((((((((((((((((((( Files Created from %thirty% to %dateX% )))))))))))))))))))))))))))))))
Line39=(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
Line4=C:WINDOWSregedit.exe is missing~n~nCopy one from another machine» «Terminal Error — Missing file
Line40=Webserver appears to be temporarily inaccessible.~nFor your convenience, ComboFix created a submissions form located at:~n~n* C:CF-Submit.htm~n~nPlease use that to manually upload it later. » «Upload Failed!!
Line41=((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Line42=((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Line43=Deleting Files:
Line43A=Deleting Folders:
Line44=- REDUCED FUNCTIONALITY MODE —
Line45=SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
Line46=scanning hidden processes …
Line47=scanning hidden autostart entries …
Line48=scanning hidden files …
Line49=— Snapshot reset to current date —
Line5=Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick ‘Yes’ to run in REDUCED FUNCTIONALITY mode~n~nClick ‘No’ to exit» «Version_%ver_CF%
Line50=ComboFix is uninstalled» «Info
Line51=Will only install the Recovery Console for Windows XP
Line52=Boot Partition cannot be enumerated correctly
Line53=%BootDir%Boot.ini is not correctly formated
Line54=This machine already has the Recovery Console installed.~n~nAborting operations
Line55=Please click ‘YES’ in the End User License Agreement (EULA) dialog that follows …» «Installing the Recovery Console
Line56=Installation file — %~G — cannot be found
Line57=You didn’t select YES~n~nInstallation is aborted
Line58=Contents of %BootDir%cmdcons are not in order.~n~nPlease disable your security programs before trying again
Line59=Congratulations!!! The Microsoft Recovery Console was successfully installed.~n~nOn each restart of the machine, a black screen will offer you the option to boot into recovery console mode.~nFor normal use, just ignore the black screen. Windows shall boot normally in 2 seconds~n~nClick ‘Yes’ to continue scanning for malware» «Info
Line6=Were you trying to run CFScript?~n~nThe name, CFScript appears to be incorrectly spelt» «CFScript Name Error
Line60=Click ‘Yes’ to continue scanning for malware~n~nClick ‘No’ to exit» «What’s next ?
Line62=There’s a newer version of ComboFix available.~n~nWould you like to update ComboFix?» «Update
Line63=— WARNING !! —~n~nA critical update is required.~n~nComboFix shall now update itself.~n~n— WARNING !! —» «Mandatory Update
Line64=Failed to download updated copy.~n~nWill continue with existing copy» «Failed Download
Line65=ComboFix shall now restart» «Updated
Line66=Interference detected~n~nPlease perform a Rootkit Scan» «Abort!
Line67=You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters
Line68=%cd% not in expected location~n~n Inform sUBs now!!
Line69=ComboFix effected repairs on missing C:WINDOWSsystem32hal.dll
Line7=Attempting to create a new System Restore point
Line70=This machine does not have the ‘Microsoft Windows recovery console’ installed~n~nWithout it, ComboFix shall not attempt the fixing of some serious infections.~n~nClick ‘Yes’ to have ComboFix download/install it.~n~nNOTE: this requires an active internet connection.» «Microsoft Windows Recovery Console
Line71=Click ‘Yes’ if this is a WINDOWS XP *HOME EDITION* machine» «XP Home Edition
Line72=Failed to download required files. Aborting … ~n~nShall continue scanning for malware
Line73=Internal error! Failed to enumerate download path. ~n~nAborting … Shall continue scanning for malware
Line74=You do not appear to be connected to the internet. Kindly connect before clicking ‘OK’
Line75=The following files were trying to attach to ComboFix. They shall be disabled~nKindly note down on paper, the name of each file. We may need it later~n~n%~G» «Parasites found !!
Line76=ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix’s running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking ‘OK’.» «Warning !!
Line77=%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk» «Warning !!
Line78=%~1 was missing
Line79=%~1 . . . is missing!!
Line8=Rich text formats (RTF) are unacceptable !!~n~nPlease save CFScript commands as a textfile, using Notepad.exe» «ERROR — Script format is incorrect
Line80=!! ALERT !! It is NOT SAFE to continue!~n~nThe contents of the ComboFix package has been compromised.~nPlease download a fresh copy from:~n~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nNote: You may be infected with a file patching virus ‘Virut'» «Error
Line81=ComboFix’s script appears tampered. It is not safe to continue.~nComboFix shall now exit. Please inform the forum helper that’s aiding~nyou. Unless further instructed to do so, do not run ComboFix again.» «Failed Verification
Line82=Webserver appears to be temporarily inaccessible.~nFor your convenience, a zipped file has been created at:~n~nC:CFCollect.zip~n~nPlease upload the file to BleepingComputer~n~nDo not forget to fill in the ‘Comments’ section» «Upload Failed!!
Line83=NETSVCS REQUIRES REPAIRS — current entries shown
Line84=http://download.bleepingcomputer.com/sUBs/ComboFix.exe~nhttp://www.forospyware.com/sUBs/ComboFix.exe~n~nComboFix.exe may be downloaded from any of the above sites. If you~nhave downloaded from some other site, there’s a likely chance that it~nmay be tainted. For peace of mind, I suggest that you delete the current~ncopy and get a fresh one.» «Caution
Line85=Manual Fix is required for restoring CommonStartup
Line9=Rootkit driver %G is present. … attempting disinfection
Line90=ComboFix needs to perform a deeper scan
Line91=This should not take more than 10-15 minutes
Line92=Infected HTML files detected.
Line93=ComboFix will now attempt to disinfect
Line94=This is going to take some time
Line95=Disinfection complete !!! … continuing Log Report preparation
Line96=Recovery in Progress . . .
Line97=WARNING !! Do not manually reboot the machine yourself
LOCKED REGISTRY KEYS=LOCKED REGISTRY KEYS
LOGONSERVER=\FBE34716FAC349F
machine was rebooted=machine was rebooted
not completed=not completed
NUMBER_OF_PROCESSORS=1
ORPHANS REMOVED=ORPHANS REMOVED
OS=Windows_NT
Other Running Processes=Other Running Processes
Other Services/Drivers In Memory=Other Services/Drivers In Memory
Path=C:32788R22FWJFW;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSsystem32wbem;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem
PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Possible infected sites=Possible infected sites
Post-Run=Post-Run
Pre-Run=Pre-Run
Previous Run=Previous Run
PROCESS=PROCESS
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:Program Files
PROMPT=$
Qrntn=C:QooboxQuarantine
RecoveryConsole=WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Resident AV is active=Resident AV is active
RestorePoint= * Created a new restore point
RKEY_=hklmsoftwaremicrosoftwindows ntcurrentversionwindows
Running from=Running from
scan completed successfully=scan completed successfully
SESSIONNAME=Console
sfxcmd=»C:Documents and SettingsРусскийМои документыИНЕТComboFix.exe» «C:Documents and SettingsПользовательРабочий столCFScript.txt»
sfxname=C:Documents and SettingsРусскийМои документыИНЕТComboFix.exe
Stage=Completed Stage_
Supplementary Scan=Supplementary Scan
SYSTEM=C:WINDOWSsystem32
SystemDrive=C:
SystemRoot=C:WINDOWS
TEMP=C:DOCUME~186C2~1LOCALS~1Temp
The following files were disabled during the run=The following files were disabled during the run
TMP=C:DOCUME~186C2~1LOCALS~1Temp
Upload was successful=Upload was successful
Uploading files to server=Uploading files to server
USERDOMAIN=FBE34716FAC349F
USERNAME=Пользователь
USERPROFILE=C:Documents and SettingsПользователь
Ver_CF=09-10-01.01
windir=C:WINDOWS
=============================================
IF NOT DEFINED sfxname GOTO END
GREP -F temp01 && CALL :Aux
GREP -Fi «C:WINDOWSsystem32userinit.exe» Userinit00 || (SWREG ADD «hklmsoftwaremicrosoftwindows ntcurrentversionwinlogon» /v Userinit /d «C:WINDOWSsystem32userinit.exe,» )
Userinit REG_SZ C:WINDOWSsystem32userinit.exe,
SET SfxCmd 1>SET00
SED -r «/SfxCmd=/I!d; s///; s/s*$//; s/^(x22[^x22]*x22|[^x22]S*) +//; s/^x22*C:\Documents and Settings\Русский\Мои документы\ИНЕТ\ComboFix.exex22*//I; s/^([^x22]S*)/@SET SfxCmd=x221x22/; s/^(x22.*)/@SET SfxCmd=1/» SET00 1>sfx.cmd
DEL /A/F SET00
ATTRIB +R «C:Documents and SettingsРусскийМои документыИНЕТComboFix.exe»
@SET SfxCmd=»C:Documents and SettingsПользовательРабочий столCFScript.txt»
CALL sfx.cmd
CALL AV.cmd
SET /a AVCount+=1
NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
October 7, 2009 at 4:55 pm #25857

Delete your version of Combofix, download the new version and follow the instructions from my previous message once more.