- This topic has 24 ответа, 2 участника, and was last updated 16 years, 2 months назад by
.
-
Сообщения
-
Нет доступа-к дикам,консоли,учетным записям,зу,выход в интернет.Logfile of random’s system information tool 1.06 (written by random/random)
Run by Admin at 2009-06-29 17:06:28
WIN_XP Service Pack 3
System drive C: has 6 GB (28%) free of 20 GB
Total RAM: 511 MB (55% free)Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:39, on 29.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: NormalRunning processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32netdde.exe
C:WINDOWSExplorer.EXE
C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
C:WINDOWSsystem32cisvc.exe
C:WINDOWSsystem32clipsrv.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32imapi.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32tcpsvcs.exe
C:WINDOWSSystem32snmp.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32dmadmin.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesOperaopera.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:WINDOWSsystem32NOTEPAD.EXE
C:WINDOWSsystem32NOTEPAD.EXE
C:WINDOWSsystem32notepad.exe
C:Program Filestrend microHijackThishijackthis.exe
C:Documents and SettingsAdminРабочий столRSIT.exe
C:Program Filestrend microHijackThisAdmin.exeR0 — HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.mail.ru
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 — HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,AutoConfigURL = 192.168.1.2
R0 — HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
R3 — URLSearchHook: (no name) — {83821C2B-32A8-4DD7-B6D4-44309A78E668} — E:Mradllnewmrasearch.dll
R3 — URLSearchHook: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O2 — BHO: IE to GetRight Helper — {31FF080D-12A3-439A-A2EF-4BA95A3148E8} — C:Program FilesGetRightxx2gr.dll (file missing)
O2 — BHO: Спутник@Mail.Ru — {8984B388-A5BB-4DF7-B274-77B879E179DB} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O2 — BHO: Google Toolbar Helper — {AA58ED58-01DD-4D91-8333-CF10577473F7} — C:Program FilesGooglegoogletoolbar1.dll
O3 — Toolbar: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O4 — HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 — HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 — HKLM..Run: [kav] «C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe»
O4 — HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 — HKUSS-1-5-19..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-19..Run: [VistaIcon] C:Program FilesVistaDriveIconVistaDrv.exe (User ‘?’)
O4 — HKUSS-1-5-19..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User ‘?’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_012] rundll32 advpack.dll,LaunchINFSectionEx IE7int.inf,AfterUserStart,,4,N (User ‘?’)
O4 — HKUSS-1-5-20..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-20..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User ‘?’)
O4 — HKUSS-1-5-21-57989841-2139871995-725345543-500..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User ‘?’)
O4 — HKUSS-1-5-18..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-18..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User ‘?’)
O4 — HKUS.DEFAULT..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘Default user’)
O4 — HKUS.DEFAULT..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User ‘Default user’)
O9 — Extra button: Веб-Антивирус — {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} — C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0scieplugin.dll
O9 — Extra button: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
O9 — Extra ‘Tools’ menuitem: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
O9 — Extra button: Справочные материалы — {92780B25-18CC-41C8-B9BE-3C9C571A8263} — C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 — Extra button: (no name) — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra button: Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O9 — Extra ‘Tools’ menuitem: Windows Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O10 — Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O17 — HKLMSystemCCSServicesTcpip..{186459A1-0A8D-4FA8-875F-C2D9741A2840}: NameServer = 80.95.32.19 80.95.32.20
O20 — AppInit_DLLs: mslpadap.dll
O23 — Service: Kaspersky Anti-Virus 6.0 (AVP) — Kaspersky Lab — C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
O23 — Service: Журнал событий (Eventlog) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Служба COM записи компакт-дисков IMAPI (ImapiService) — Корпорация Майкрософт — C:WINDOWSsystem32imapi.exe
O23 — Service: Служба сетевого DDE (NetDDE) — Корпорация Майкрософт — C:WINDOWSsystem32netdde.exe
O23 — Service: Диспетчер сетевого DDE (NetDDEdsdm) — Корпорация Майкрософт — C:WINDOWSsystem32netdde.exe
O23 — Service: NVIDIA Display Driver Service (NVSvc) — NVIDIA Corporation — C:WINDOWSsystem32nvsvc32.exe
O23 — Service: Plug and Play (PlugPlay) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) — Корпорация Майкрософт — C:WINDOWSsystem32sessmgr.exe
O23 — Service: Смарт-карты (SCardSvr) — Корпорация Майкрософт — C:WINDOWSSystem32SCardSvr.exe
O23 — Service: Служба SNMP (SNMP) — Корпорация Майкрософт — C:WINDOWSSystem32snmp.exe
O23 — Service: Журналы и оповещения производительности (SysmonLog) — Корпорация Майкрософт — C:WINDOWSsystem32smlogsvc.exe
O23 — Service: Теневое копирование тома (VSS) — Корпорация Майкрософт — C:WINDOWSSystem32vssvc.exe
O23 — Service: Адаптер производительности WMI (WmiApSrv) — Корпорация Майкрософт — C:WINDOWSsystem32wbemwmiapsrv.exe—
End of file — 7345 bytes======Scheduled tasks folder======
C:WINDOWStasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
C:WINDOWStasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job======Registry dump======
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
IE to GetRight Helper — C:Program FilesGetRightxx2gr.dll [][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{8984B388-A5BB-4DF7-B274-77B879E179DB}]
MailRuBHO Class — C:Program FilesMail.RuSputnikMailRuSputnik.dll [2009-06-01 676704][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AA58ED58-01DD-4D91-8333-CF10577473F7}]
&Google — C:Program FilesGooglegoogletoolbar1.dll [2008-08-17 49152][HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
{09900DE8-1DCA-443F-9243-26FF581438AF} — Спутник@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll [2009-06-01 676704][HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
«MSConfig»=C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe [2008-04-14 171008]
«NvCplDaemon»=C:WINDOWSsystem32NvCpl.dll [2006-03-09 7561216]
«kav»=C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe [2006-03-24 139367][HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
«ctfmon.exe»=C:WINDOWSsystem32ctfmon.exe [2008-04-14 15360][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
C:WINDOWSsystem32ctfmon.exe [2008-04-14 15360][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregDAEMON Tools Lite]
D:DAEMON Tools Litedaemon.exe [2008-07-24 490952][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregkav]
C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe [2006-03-24 139367][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregKernelFaultCheck]
C:WINDOWSsystem32dumprep 0 -k [][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMAgent]
E:MAgent.exe [2009-06-01 5603000][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMSMSGS]
C:Program FilesMessengermsmsgs.exe [2008-04-14 1695232][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvCplDaemon]
C:WINDOWSsystem32NvCpl.dll [2006-03-09 7561216][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNvMediaCenter]
NvMCTray.dll,NvTaskbarInit [][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregnwiz]
nwiz.exe /install [][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPOWER SERVICE]
C:DATADELETEDPOWER.exe [][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPunto Switcher]
C:Program FilesPunto Switcherps.exe [2007-01-25 201728][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregrundll]
C:Documents and SettingsAdminApplication Dataqrhqk.exe [2009-06-20 23040][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSoundMAX]
C:Program FilesAnalog DevicesSoundMAXSmax4.exe [2005-09-07 716800][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSoundMAXPnP]
C:Program FilesAnalog DevicesCoresmax4pnp.exe [2005-05-21 925696][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregUlead Photo Express Calendar Checker]
C:Program FilesUlead SystemsUlead Photo Express 5 SEcalcheck.exe [2004-01-12 69632][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVistaIcon]
C:Program FilesVistaDriveIconVistaDrv.exe [2007-07-02 132608][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregЯрлык для страницы свойств High Definition Audio]
C:WINDOWSsystem32HDAShCut.exe [2005-12-26 61952][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^GetRight.lnk]
C:PROGRA~1GetRightGetRight.exe [2008-06-23 4628752][HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Ускоренный запуск Adobe Reader.lnk]
C:PROGRA~1AdobeACROBA~2.0ReaderREADER~1.EXE [2005-09-23 29696][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows]
«AppInit_DLLS»=»mslpadap.dll»[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyklogon]
C:WINDOWSsystem32klogon.dll [2006-03-24 28778][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
WPDShServiceObj — {AAA288BA-9A4C-45B0-95D7-94D524869DB5} — C:WINDOWSsystem32wpdshserviceobj.dll [2007-06-18 133632]
UPnPMonitor — {e57ce738-33e8-4c51-8354-bb4de9d215d1} — C:WINDOWSsystem32upnpui.dll [2008-04-14 239616][HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa]
«authentication packages»=msv1_0
nwprovau[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetworknm]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetworknm.sys]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetwork{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
«dontdisplaylastusername»=0
«legalnoticecaption»=
«legalnoticetext»=
«shutdownwithoutlogon»=1
«undockwithoutlogon»=1[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«NoDriveTypeAutoRun»=145
«NoSharedDocuments»=1
«NoThumbnailCache»=1
«NoSMConfigurePrograms»=1
«EditLevel»=0
«NoRun»=0
«NoClose»=0
«NoCommonGroups»=0[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«HonorAutoRunSetting»=[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslist]
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«C:WINDOWSsystem32dpvsetup.exe»=»C:WINDOWSsystem32dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test»
«C:WINDOWSsystem32rundll32.exe»=»C:WINDOWSsystem32rundll32.exe:*:Disabled:Запуск библиотеки DLL как приложения»
«C:Program FilesMetin2_RUmetin2.bin»=»C:Program FilesMetin2_RUmetin2.bin:*:Disabled:metin2»
«C:WINDOWSsystem32mmc.exe»=»C:WINDOWSsystem32mmc.exe:*:Disabled:Консоль управления (MMC)»
«C:Program FilesOperaopera.exe»=»C:Program FilesOperaopera.exe:*:Disabled:Opera Internet Browser»
«C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe»=»C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe:*:Disabled:Kaspersky Anti-Virus»[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicydomainprofileauthorizedapplicationslist]
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{71a87cb4-3714-11dd-99a3-00173127cd81}]
shellopencommand — I:SETUPDATAJune.exe[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{e702ce58-4f4c-11dd-895f-00173127cd81}]
shellopencommand — I:SYSTEMS-1-5-21-1482476501-1644491937-682003330-1013USB.exe======List of files/folders created in the last 1 months======
2009-06-28 20:41:48 —-D—- C:Program Filestrend micro
2009-06-28 20:41:47 —-D—- C:rsit
2009-06-25 20:37:25 —-D—- C:WINDOWSsystem32CatRoot
2009-06-21 15:26:32 —-D—- C:WINDOWSsystem32NtmsData
2009-06-21 12:33:00 —-A—- C:WINDOWSIE4 Error Log.txt
2009-06-20 20:40:06 —-ASH—- C:ver.txt
2009-06-20 15:40:29 —-A—- C:Documents and SettingsAdminApplication Dataqrhqk.exe
2009-06-14 09:32:18 —-D—- C:graphics
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Report%
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Quarantine%
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Backup%
2009-06-11 18:30:54 —-RSHD—- C:NEXT
2009-06-11 16:22:24 —-HDC—- C:WINDOWS$NtUninstallKB961501$
2009-06-11 16:21:34 —-HDC—- C:WINDOWS$NtUninstallKB969898$
2009-06-11 16:10:47 —-HDC—- C:WINDOWS$NtUninstallKB970238$
2009-06-11 16:03:24 —-HDC—- C:WINDOWS$NtUninstallKB968537$
2009-06-03 17:12:37 —-RSHD—- C:SETUP
2009-06-02 09:48:55 —-D—- C:Documents and SettingsAll UsersApplication DatanView_Profiles
2009-06-01 19:23:14 —-D—- C:Program FilesOpera======List of files/folders modified in the last 1 months======
2009-06-29 17:06:05 —-D—- C:WINDOWSTemp
2009-06-29 16:55:00 —-A—- C:WINDOWSSchedLgU.Txt
2009-06-28 21:13:36 —-D—- C:Program FilesMetin2_RU
2009-06-28 20:41:48 —-RD—- C:Program Files
2009-06-28 17:12:07 —-D—- C:WINDOWS
2009-06-28 16:46:50 —-D—- C:WINDOWSsystem32CatRoot2
2009-06-28 16:26:22 —-RSH—- C:boot.ini
2009-06-28 16:26:22 —-A—- C:WINDOWSwin.ini
2009-06-28 16:26:22 —-A—- C:WINDOWSsystem.ini
2009-06-28 16:25:19 —-D—- C:WINDOWSpss
2009-06-28 13:30:04 —-D—- C:WINDOWSsecurity
2009-06-27 15:21:36 —-D—- C:WINDOWSsystem32
2009-06-27 15:16:54 —-HD—- C:WINDOWSsystem32GroupPolicy
2009-06-26 21:36:09 —-D—- C:Documents and SettingsAdminApplication DataGetRight
2009-06-26 21:33:28 —-D—- C:WINDOWSMinidump
2009-06-26 15:39:55 —-A—- C:WINDOWSimsins.BAK
2009-06-26 15:33:04 —-SD—- C:WINDOWSDownloaded Program Files
2009-06-26 15:14:24 —-D—- C:Program FilesCommon FilesAhead
2009-06-26 15:13:36 —-D—- C:Program FilesCommon Files
2009-06-26 12:38:49 —-D—- C:Downloads
2009-06-26 12:21:06 —-RSHDC—- C:WINDOWSsystem32dllcache
2009-06-25 21:25:18 —-HD—- C:WINDOWSinf
2009-06-25 20:07:59 —-SHD—- C:System Volume Information
2009-06-25 20:07:59 —-D—- C:WINDOWSsystem32Restore
2009-06-25 19:16:05 —-D—- C:WINDOWSsystem32Macromed
2009-06-25 19:15:49 —-D—- C:Documents and SettingsAdminApplication DataAdobe
2009-06-25 19:15:46 —-D—- C:Program FilesAdobe
2009-06-25 19:15:45 —-D—- C:Program FilesCommon FilesAdobe
2009-06-25 18:58:03 —-D—- C:WINDOWSHelp
2009-06-22 15:09:17 —-A—- C:WINDOWSsystem32secpol.msc
2009-06-21 15:42:57 —-D—- C:Program FilesGoogle
2009-06-21 13:07:39 —-RSHD—- C:SYSTEM
2009-06-20 16:06:14 —-D—- C:WINDOWSsystem32wbem
2009-06-20 16:06:14 —-A—- C:WINDOWSsystem32PerfStringBackup.INI
2009-06-20 14:08:11 —-D—- C:Documents and SettingsAdminApplication DataMra
2009-06-11 16:54:53 —-D—- C:Program FilesInternet Explorer
2009-06-11 16:54:30 —-D—- C:WINDOWSie8updates
2009-06-11 16:52:45 —-HD—- C:WINDOWS$hf_mig$
2009-06-11 16:50:58 —-SHD—- C:WINDOWSInstaller
2009-06-11 16:50:12 —-SHD—- C:Config.Msi
2009-06-11 16:35:16 —-SD—- C:Documents and SettingsAll UsersApplication DataMicrosoft
2009-06-06 15:58:15 —-SD—- C:WINDOWSTasks
2009-06-03 18:15:13 —-D—- C:WINDOWSRegistration
2009-06-02 09:30:30 —-D—- C:Program FilesKaspersky Lab
2009-06-01 09:51:14 —-A—- C:WINDOWSsystem32MRT.exe======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 klif;Klif; ??C:WINDOWSsystem32driversklif.sys []
R1 Tcpip6;Драйвер протокола IPv6 (Microsoft); C:WINDOWSsystem32DRIVERStcpip6.sys [2008-06-20 225856]
R2 cglptnt;cglptnt; ??C:WINDOWSsystem32DRIVERScglptnt.sys []
R2 DgiVecp;Team MFP Comm Driver; C:WINDOWSSystem32DriversDgiVecp.sys [2004-05-17 41984]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS-совместимый транспортный протокол; C:WINDOWSsystem32DRIVERSnwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:WINDOWSsystem32DRIVERSnwlnknb.sys [2004-08-18 63232]
R2 NwlnkSpx;Протокол NWLink SPX/SPXII; C:WINDOWSsystem32DRIVERSnwlnkspx.sys [2004-08-18 55936]
R2 rspndr;Ответчик обнаружения топологии уровня связи; C:WINDOWSsystem32DRIVERSrspndr.sys [2006-12-04 62336]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:WINDOWSsystem32driversADIHdAud.sys [2005-10-06 141312]
R3 AEAudioService;AEAudio Service; C:WINDOWSsystem32driversAEAudio.sys [2005-03-05 127872]
R3 HDAudBus;Драйвер шины Microsoft UAA для High Definition Audio; C:WINDOWSsystem32DRIVERSHDAudBus.sys [2008-04-13 144384]
R3 MTsensor;ATK0110 ACPI UTILITY; C:WINDOWSsystem32DRIVERSASACPI.sys [2006-02-26 5810]
R3 nv;nv; C:WINDOWSsystem32DRIVERSnv4_mini.sys [2006-03-09 3650368]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:WINDOWSsystem32DRIVERSNVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:WINDOWSsystem32DRIVERSnvnetbus.sys [2005-07-29 12928]
R3 SenFiltService;SenFilt Service; C:WINDOWSsystem32driversSenfilt.sys [2005-08-12 393088]
R3 tunmp;Драйвер адаптера минипорта Microsoft Tun; C:WINDOWSsystem32DRIVERStunmp.sys [2008-04-13 12288]
R3 usbehci;Драйвер минипорта Microsoft USB 2.0 расширенного хост-контроллера; C:WINDOWSsystem32DRIVERSusbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 концентратор; C:WINDOWSsystem32DRIVERSusbhub.sys [2008-04-13 59520]
R3 usbohci;Драйвер минипорта Microsoft USB открытого хост-контроллера; C:WINDOWSsystem32DRIVERSusbohci.sys [2008-04-13 17152]
R3 usbstor;Драйвер запоминающих устройств для USB; C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-13 26368]
S2 nvcap;nVidia WDM Video Capture (universal); C:WINDOWSsystem32DRIVERSnvcap.sys []
S3 a347geks;a347geks; C:WINDOWSsystem32driversa347geks.sys []
S3 CCDECODE;Closed Caption декодер; C:WINDOWSsystem32DRIVERSCCDECODE.sys [2008-04-13 17024]
S3 GT680x;BearPaw 2448TA Plus Usb Scanner; C:WINDOWSSystem32DriversGt680x.sys [2006-06-17 12416]
S3 HdAudAddService;Драйвер функции Microsoft UAA для службы High Definition Audio; C:WINDOWSsystem32driversHdAudio.sys [2005-12-26 145920]
S3 MSTEE;Преобразователь потоков Tee/Sink-to-Sink Microsoft; C:WINDOWSsystem32driversMSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI кодек; C:WINDOWSsystem32DRIVERSNABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft видео или ТВ подключение; C:WINDOWSsystem32DRIVERSNdisIP.sys [2008-04-13 10880]
S3 nm;Драйвер сетевого монитора; C:WINDOWSsystem32DRIVERSNMnt.sys [2008-04-13 40320]
S3 NWRDR;NetWare Rdr; C:WINDOWSsystem32DRIVERSnwrdr.sys [2008-04-13 163584]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:WINDOWSSystem32DriversRootMdm.sys [2004-08-18 5888]
S3 SLIP;BDA Slip De-Framer; C:WINDOWSsystem32DRIVERSSLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:WINDOWSsystem32DRIVERSStreamIP.sys [2008-04-13 15232]
S3 usbprint;Класс принтеров Microsoft USB; C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-13 25856]
S3 WSTCODEC;World Standard Teletext кодек; C:WINDOWSsystem32DRIVERSWSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation — User-mode Driver Framework Platform Driver; C:WINDOWSsystem32DRIVERSWudfPf.sys [2007-06-18 77568]
S3 WudfRd;Windows Driver Foundation — User-mode Driver Framework Reflector; C:WINDOWSsystem32DRIVERSwudfrd.sys [2007-06-18 82944]
S4 IntelIde;IntelIde; C:WINDOWSsystem32driversIntelIde.sys []======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 6to4;Служба поддержки IPv6; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
R2 AVP;Kaspersky Anti-Virus 6.0; C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe [2006-03-24 139367]
R2 NVSvc;NVIDIA Display Driver Service; C:WINDOWSsystem32nvsvc32.exe [2006-03-09 143436]
R2 NwSapAgent;Агент SAP; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
R2 SimpTcp;Простые службы TCP/IP; C:WINDOWSsystem32tcpsvcs.exe [2004-08-18 19456]
R2 SNMP;Служба SNMP; C:WINDOWSSystem32snmp.exe [2008-04-14 32768]
S2 Fax;Fax; C:WINDOWSsystem32fxssvc.exe [2008-04-14 268288]
S2 MDM;Machine Debug Manager; C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE [2003-06-19 322120]
S2 NWCWorkstation;Клиент для сетей NetWare; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:WINDOWSMicrosoft.NETFrameworkv2.0.50727aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorsvw.exe [2007-10-24 70144]
S3 ose;Office Source Engine; C:Program FilesCommon FilesMicrosoft SharedSource EngineOSE.EXE [2003-07-28 89136]
S3 SNMPTRAP;Служба ловушек SNMP; C:WINDOWSSystem32snmptrap.exe [2008-04-14 8704]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:Program FilesWindows Media Playerwmpnetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation — User-mode Driver Framework; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
EOF
Здравствуйте, добро пожаловать на Spyware-ru форум.
Суда по логам, диск I (флешка ?) заражён autorun.inf трояном.
Прочитайте эту инструкцию Flash_Disinfector ещё одно оружие против autorun.inf троянов.* Отключите ваш антивирус.
* Скачайте и запустите Flash_Disinfector.
* По требованию программы вставьте ваш флэш диск или подключите другие внешние устройства хранения информации.Примечание: запускайте программу столько раз, сколько нужно чтобы очистить все ваши подключаемые диски.
Скачайте OTM by OldTimer кликнув по этой ссылке.
Запустите OTM и в большое поле ввода (заголовок этого поля выделен желтым цветом) скопируйте следующий текст.:Processes
explorer.exe
:reg
[-HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregrundll]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows]
"AppInit_DLLS"=""
[-HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{71a87cb4-3714-11dd-99a3-00173127cd81}]
[-HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{e702ce58-4f4c-11dd-895f-00173127cd81}]
:files
C:Documents and SettingsAdminApplication Dataqrhqk.exe
:Commands
[emptytemp]
[start explorer]
[Reboot]Проверьте вставленный скрипт, если слева перед директивами появились пробелы, то удалите их, скрипт должен выглядеть так же как в сообщении. Кликните по кнопке MoveIt!. В процессе работы возможна перезагрузка компьютера.
По-завершении работы программы должен будет показан лог. Если лог не будет показан, то его можно найти в папке C:_OTMMovedFiles.Вставьте в ваше ответное сообщение содержимое этого лога. И приложите свежий RSIT лог (только log.txt).
Доброе утро!Сделал все,как выговорили.Слева в программке отм не чего не было.Вот новые logiAll processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregrundll deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows\»AppInit_DLLS»|»» /E : value set successfully!
Registry key HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{71a87cb4-3714-11dd-99a3-00173127cd81} deleted successfully.
Registry key HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{71a87cb4-3714-11dd-99a3-00173127cd81} not found.
Registry key HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{e702ce58-4f4c-11dd-895f-00173127cd81} deleted successfully.
Registry key HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{e702ce58-4f4c-11dd-895f-00173127cd81} not found.
========== FILES ==========
C:Documents and SettingsAdminApplication Dataqrhqk.exe moved successfully.
========== COMMANDS ==========[EMPTYTEMP]
User: Admin
->Temp folder emptied: 309943851 bytes
->Temporary Internet Files folder emptied: 58134016 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 77438122 bytesUser: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytesUser: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:Documents and SettingsLocalServiceLocal SettingsTemporary Internet FilesContent.IE5index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytesUser: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes%systemdrive% .tmp files removed: 0 bytes
C:WINDOWSNV21281904.TMP folder deleted successfully.
C:WINDOWSNV28642848.TMP folder deleted successfully.
C:WINDOWSNV5322844.TMP folder deleted successfully.
C:WINDOWSNV8401408.TMP folder deleted successfully.
%systemroot% .tmp files removed: 2801650 bytes
%systemroot%System32 .tmp files removed: 7566925 bytes
Windows Temp folder emptied: 125889063 bytesRecycleBin emptied: 14179008 bytes
Total Files Cleaned = 568,46 mb
OTM by OldTimer — Version 3.0.0.2 log created on 07012009_073558
OTM by OldTimer — Version 3.0.0.2 log created on 07012009_073551
Files moved on Reboot…
Registry entries deleted on Reboot…
Logfile of random’s system information tool 1.06 (written by random/random)
Run by Admin at 2009-07-01 08:54:38
WIN_XP Service Pack 3
System drive C: has 6 GB (30%) free of 20 GB
Total RAM: 511 MB (62% free)Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:42, on 01.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: NormalRunning processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32netdde.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesAnalog DevicesSoundMAXSmax4.exe
C:Program FilesUlead SystemsUlead Photo Express 5 SEcalcheck.exe
E:MAgent.exe
C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
C:WINDOWSsystem32cisvc.exe
C:WINDOWSsystem32clipsrv.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32imapi.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32tcpsvcs.exe
C:WINDOWSSystem32snmp.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesPunto Switcherps.exe
C:Program FilesGetRightGetRight.exe
C:WINDOWSSystem32dmadmin.exe
C:WINDOWSexplorer.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsAdminРабочий столRSIT.exe
C:Program Filestrend microHijackThisAdmin.exeR0 — HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.mail.ru
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 — HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,AutoConfigURL = 192.168.1.2
R0 — HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
R3 — URLSearchHook: (no name) — {83821C2B-32A8-4DD7-B6D4-44309A78E668} — E:Mradllnewmrasearch.dll
R3 — URLSearchHook: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O2 — BHO: IE to GetRight Helper — {31FF080D-12A3-439A-A2EF-4BA95A3148E8} — C:Program FilesGetRightxx2gr.dll (file missing)
O2 — BHO: Спутник@Mail.Ru — {8984B388-A5BB-4DF7-B274-77B879E179DB} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O2 — BHO: Google Toolbar Helper — {AA58ED58-01DD-4D91-8333-CF10577473F7} — C:Program FilesGooglegoogletoolbar1.dll
O3 — Toolbar: Спутник@Mail.Ru — {09900DE8-1DCA-443F-9243-26FF581438AF} — C:Program FilesMail.RuSputnikMailRuSputnik.dll
O4 — HKLM..Run: [kav] «C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe»
O4 — HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 — HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 — HKLM..Run: [nwiz] nwiz.exe /install
O4 — HKLM..Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 — HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 — HKLM..Run: [SoundMAX] «C:Program FilesAnalog DevicesSoundMAXSmax4.exe» /tray
O4 — HKLM..Run: [Ярлык для страницы свойств High Definition Audio] HDAShCut.exe
O4 — HKLM..Run: [Ulead Photo Express Calendar Checker] C:Program FilesUlead SystemsUlead Photo Express 5 SEcalcheck.exe
O4 — HKLM..Run: [MAgent] E:MAgent.exe -LM
O4 — HKCU..Run: [DAEMON Tools Lite] «D:DAEMON Tools Litedaemon.exe» -autorun
O4 — HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 — HKCU..Run: [MSMSGS] «C:Program FilesMessengermsmsgs.exe» /background
O4 — HKCU..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe
O4 — HKCU..Run: [POWER SERVICE] C:DATADELETEDPOWER.exe
O4 — HKCU..Run: [VistaIcon] C:Program FilesVistaDriveIconVistaDrv.exe
O4 — HKUSS-1-5-19..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-19..Run: [VistaIcon] C:Program FilesVistaDriveIconVistaDrv.exe (User ‘?’)
O4 — HKUSS-1-5-19..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User ‘?’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_012] rundll32 advpack.dll,LaunchINFSectionEx IE7int.inf,AfterUserStart,,4,N (User ‘?’)
O4 — HKUSS-1-5-20..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-20..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User ‘?’)
O4 — HKUSS-1-5-21-57989841-2139871995-725345543-500..Run: [DAEMON Tools Lite] «D:DAEMON Tools Litedaemon.exe» -autorun (User ‘?’)
O4 — HKUSS-1-5-18..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘?’)
O4 — HKUSS-1-5-18..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User ‘?’)
O4 — HKUS.DEFAULT..Run: [Punto Switcher] C:Program FilesPunto Switcherps.exe (User ‘Default user’)
O4 — HKUS.DEFAULT..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User ‘Default user’)
O4 — Global Startup: GetRight.lnk = C:Program FilesGetRightGetRight.exe
O4 — Global Startup: Ускоренный запуск Adobe Reader.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O9 — Extra button: Веб-Антивирус — {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} — C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0scieplugin.dll
O9 — Extra button: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
O9 — Extra ‘Tools’ menuitem: Mail.Ru Агент — {7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
O9 — Extra button: Справочные материалы — {92780B25-18CC-41C8-B9BE-3C9C571A8263} — C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 — Extra button: (no name) — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra button: Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O9 — Extra ‘Tools’ menuitem: Windows Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O10 — Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O17 — HKLMSystemCCSServicesTcpip..{186459A1-0A8D-4FA8-875F-C2D9741A2840}: NameServer = 80.95.32.19 80.95.32.20
O20 — AppInit_DLLs: mslpadap.dll
O23 — Service: Kaspersky Anti-Virus 6.0 (AVP) — Kaspersky Lab — C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe
O23 — Service: Журнал событий (Eventlog) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Служба COM записи компакт-дисков IMAPI (ImapiService) — Корпорация Майкрософт — C:WINDOWSsystem32imapi.exe
O23 — Service: Служба сетевого DDE (NetDDE) — Корпорация Майкрософт — C:WINDOWSsystem32netdde.exe
O23 — Service: Диспетчер сетевого DDE (NetDDEdsdm) — Корпорация Майкрософт — C:WINDOWSsystem32netdde.exe
O23 — Service: NVIDIA Display Driver Service (NVSvc) — NVIDIA Corporation — C:WINDOWSsystem32nvsvc32.exe
O23 — Service: Plug and Play (PlugPlay) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) — Корпорация Майкрософт — C:WINDOWSsystem32sessmgr.exe
O23 — Service: Смарт-карты (SCardSvr) — Корпорация Майкрософт — C:WINDOWSSystem32SCardSvr.exe
O23 — Service: Служба SNMP (SNMP) — Корпорация Майкрософт — C:WINDOWSSystem32snmp.exe
O23 — Service: Журналы и оповещения производительности (SysmonLog) — Корпорация Майкрософт — C:WINDOWSsystem32smlogsvc.exe
O23 — Service: Теневое копирование тома (VSS) — Корпорация Майкрософт — C:WINDOWSSystem32vssvc.exe
O23 — Service: Адаптер производительности WMI (WmiApSrv) — Корпорация Майкрософт — C:WINDOWSsystem32wbemwmiapsrv.exe—
End of file — 8542 bytes======Scheduled tasks folder======
C:WINDOWStasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
C:WINDOWStasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job======Registry dump======
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
IE to GetRight Helper — C:Program FilesGetRightxx2gr.dll [][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{8984B388-A5BB-4DF7-B274-77B879E179DB}]
MailRuBHO Class — C:Program FilesMail.RuSputnikMailRuSputnik.dll [2009-06-01 676704][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AA58ED58-01DD-4D91-8333-CF10577473F7}]
&Google — C:Program FilesGooglegoogletoolbar1.dll [2008-08-17 49152][HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
{09900DE8-1DCA-443F-9243-26FF581438AF} — Спутник@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll [2009-06-01 676704][HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
«kav»=C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe [2006-03-24 139367]
«NvCplDaemon»=C:WINDOWSsystem32NvCpl.dll [2006-03-09 7561216]
«KernelFaultCheck»=C:WINDOWSsystem32dumprep 0 -k []
«nwiz»=nwiz.exe /install []
«NvMediaCenter»=NvMCTray.dll,NvTaskbarInit []
«SoundMAXPnP»=C:Program FilesAnalog DevicesCoresmax4pnp.exe [2005-05-21 925696]
«SoundMAX»=C:Program FilesAnalog DevicesSoundMAXSmax4.exe [2005-09-07 716800]
«Ярлык для страницы свойств High Definition Audio»=C:WINDOWSsystem32HDAShCut.exe [2005-12-26 61952]
«Ulead Photo Express Calendar Checker»=C:Program FilesUlead SystemsUlead Photo Express 5 SEcalcheck.exe [2004-01-12 69632]
«MAgent»=E:MAgent.exe [2009-06-01 5603000][HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=D:DAEMON Tools Litedaemon.exe [2008-07-24 490952]
«ctfmon.exe»=C:WINDOWSsystem32ctfmon.exe [2008-04-14 15360]
«MSMSGS»=C:Program FilesMessengermsmsgs.exe [2008-04-14 1695232]
«Punto Switcher»=C:Program FilesPunto Switcherps.exe [2007-01-25 201728]
«POWER SERVICE»=C:DATADELETEDPOWER.exe []
«VistaIcon»=C:Program FilesVistaDriveIconVistaDrv.exe [2007-07-02 132608]C:Documents and SettingsAll UsersГлавное менюПрограммыАвтозагрузка
GetRight.lnk — C:Program FilesGetRightGetRight.exe
Ускоренный запуск Adobe Reader.lnk — C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows]
«AppInit_DLLS»=»mslpadap.dll «[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyklogon]
C:WINDOWSsystem32klogon.dll [2006-03-24 28778][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
WPDShServiceObj — {AAA288BA-9A4C-45B0-95D7-94D524869DB5} — C:WINDOWSsystem32wpdshserviceobj.dll [2007-06-18 133632]
UPnPMonitor — {e57ce738-33e8-4c51-8354-bb4de9d215d1} — C:WINDOWSsystem32upnpui.dll [2008-04-14 239616][HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa]
«authentication packages»=msv1_0
nwprovau[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetworknm]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetworknm.sys]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootnetwork{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
«dontdisplaylastusername»=0
«legalnoticecaption»=
«legalnoticetext»=
«shutdownwithoutlogon»=1
«undockwithoutlogon»=1[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«NoDriveTypeAutoRun»=36
«NoSharedDocuments»=1
«NoThumbnailCache»=1
«NoSMConfigurePrograms»=1
«EditLevel»=0
«NoClose»=0
«NoCommonGroups»=0
«NoDriveAutoRun»=FFFFFFFF[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«HonorAutoRunSetting»=[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslist]
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«C:WINDOWSsystem32dpvsetup.exe»=»C:WINDOWSsystem32dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test»
«C:WINDOWSsystem32rundll32.exe»=»C:WINDOWSsystem32rundll32.exe:*:Disabled:Запуск библиотеки DLL как приложения»
«C:Program FilesMetin2_RUmetin2.bin»=»C:Program FilesMetin2_RUmetin2.bin:*:Disabled:metin2»
«C:WINDOWSsystem32mmc.exe»=»C:WINDOWSsystem32mmc.exe:*:Disabled:Консоль управления (MMC)»
«C:Program FilesOperaopera.exe»=»C:Program FilesOperaopera.exe:*:Disabled:Opera Internet Browser»
«C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe»=»C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe:*:Disabled:Kaspersky Anti-Virus»[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicydomainprofileauthorizedapplicationslist]
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»======List of files/folders created in the last 1 months======
2009-07-01 07:35:51 —-D—- C:_OTM
2009-06-29 19:40:37 —-D—- C:WINDOWSsystem32%DataRoot%
2009-06-28 20:41:48 —-D—- C:Program Filestrend micro
2009-06-28 20:41:47 —-D—- C:rsit
2009-06-25 20:37:25 —-D—- C:WINDOWSsystem32CatRoot
2009-06-21 15:26:32 —-D—- C:WINDOWSsystem32NtmsData
2009-06-21 12:33:00 —-A—- C:WINDOWSIE4 Error Log.txt
2009-06-20 20:40:06 —-ASH—- C:ver.txt
2009-06-14 09:32:18 —-D—- C:graphics
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Report%
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Quarantine%
2009-06-12 10:22:40 —-D—- C:WINDOWSsystem32%Backup%
2009-06-11 18:30:54 —-RSHD—- C:NEXT
2009-06-11 16:22:24 —-HDC—- C:WINDOWS$NtUninstallKB961501$
2009-06-11 16:21:34 —-HDC—- C:WINDOWS$NtUninstallKB969898$
2009-06-11 16:10:47 —-HDC—- C:WINDOWS$NtUninstallKB970238$
2009-06-11 16:03:24 —-HDC—- C:WINDOWS$NtUninstallKB968537$
2009-06-03 17:12:37 —-RSHD—- C:SETUP
2009-06-02 09:48:55 —-D—- C:Documents and SettingsAll UsersApplication DatanView_Profiles======List of files/folders modified in the last 1 months======
2009-07-01 08:41:00 —-D—- C:WINDOWSTemp
2009-07-01 08:34:19 —-D—- C:Documents and SettingsAdminApplication DataGetRight
2009-07-01 08:12:22 —-D—- C:WINDOWSsystem32
2009-07-01 08:12:22 —-D—- C:WINDOWS
2009-07-01 07:30:00 —-A—- C:WINDOWSSchedLgU.Txt
2009-07-01 06:35:01 —-D—- C:WINDOWSsystem32Macromed
2009-06-30 22:08:10 —-D—- C:Documents and SettingsAdminApplication DataMra
2009-06-30 18:17:13 —-D—- C:Program FilesMetin2_RU
2009-06-30 13:26:01 —-RSH—- C:boot.ini
2009-06-30 13:26:01 —-A—- C:WINDOWSwin.ini
2009-06-30 13:26:01 —-A—- C:WINDOWSsystem.ini
2009-06-30 10:35:25 —-D—- C:WINDOWSpss
2009-06-28 20:41:48 —-RD—- C:Program Files
2009-06-28 16:46:50 —-D—- C:WINDOWSsystem32CatRoot2
2009-06-28 13:30:04 —-D—- C:WINDOWSsecurity
2009-06-27 15:16:54 —-HD—- C:WINDOWSsystem32GroupPolicy
2009-06-26 21:33:28 —-D—- C:WINDOWSMinidump
2009-06-26 15:39:55 —-A—- C:WINDOWSimsins.BAK
2009-06-26 15:33:04 —-SD—- C:WINDOWSDownloaded Program Files
2009-06-26 15:14:24 —-D—- C:Program FilesCommon FilesAhead
2009-06-26 15:13:36 —-D—- C:Program FilesCommon Files
2009-06-26 12:38:49 —-D—- C:Downloads
2009-06-26 12:21:06 —-RSHDC—- C:WINDOWSsystem32dllcache
2009-06-25 21:25:18 —-HD—- C:WINDOWSinf
2009-06-25 20:07:59 —-SHD—- C:System Volume Information
2009-06-25 20:07:59 —-D—- C:WINDOWSsystem32Restore
2009-06-25 19:15:49 —-D—- C:Documents and SettingsAdminApplication DataAdobe
2009-06-25 19:15:46 —-D—- C:Program FilesAdobe
2009-06-25 19:15:45 —-D—- C:Program FilesCommon FilesAdobe
2009-06-25 18:58:03 —-D—- C:WINDOWSHelp
2009-06-22 15:09:17 —-A—- C:WINDOWSsystem32secpol.msc
2009-06-21 15:42:57 —-D—- C:Program FilesGoogle
2009-06-21 13:07:39 —-RSHD—- C:SYSTEM
2009-06-20 16:06:14 —-D—- C:WINDOWSsystem32wbem
2009-06-20 16:06:14 —-A—- C:WINDOWSsystem32PerfStringBackup.INI
2009-06-11 16:54:53 —-D—- C:Program FilesInternet Explorer
2009-06-11 16:54:30 —-D—- C:WINDOWSie8updates
2009-06-11 16:52:45 —-HD—- C:WINDOWS$hf_mig$
2009-06-11 16:50:58 —-SHD—- C:WINDOWSInstaller
2009-06-11 16:50:12 —-SHD—- C:Config.Msi
2009-06-11 16:35:16 —-SD—- C:Documents and SettingsAll UsersApplication DataMicrosoft
2009-06-06 15:58:15 —-SD—- C:WINDOWSTasks
2009-06-03 18:15:13 —-D—- C:WINDOWSRegistration
2009-06-02 09:30:30 —-D—- C:Program FilesKaspersky Lab======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 klif;Klif; ??C:WINDOWSsystem32driversklif.sys []
R1 Tcpip6;Драйвер протокола IPv6 (Microsoft); C:WINDOWSsystem32DRIVERStcpip6.sys [2008-06-20 225856]
R2 cglptnt;cglptnt; ??C:WINDOWSsystem32DRIVERScglptnt.sys []
R2 DgiVecp;Team MFP Comm Driver; C:WINDOWSSystem32DriversDgiVecp.sys [2004-05-17 41984]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS-совместимый транспортный протокол; C:WINDOWSsystem32DRIVERSnwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:WINDOWSsystem32DRIVERSnwlnknb.sys [2004-08-18 63232]
R2 NwlnkSpx;Протокол NWLink SPX/SPXII; C:WINDOWSsystem32DRIVERSnwlnkspx.sys [2004-08-18 55936]
R2 rspndr;Ответчик обнаружения топологии уровня связи; C:WINDOWSsystem32DRIVERSrspndr.sys [2006-12-04 62336]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:WINDOWSsystem32driversADIHdAud.sys [2005-10-06 141312]
R3 AEAudioService;AEAudio Service; C:WINDOWSsystem32driversAEAudio.sys [2005-03-05 127872]
R3 HDAudBus;Драйвер шины Microsoft UAA для High Definition Audio; C:WINDOWSsystem32DRIVERSHDAudBus.sys [2008-04-13 144384]
R3 MTsensor;ATK0110 ACPI UTILITY; C:WINDOWSsystem32DRIVERSASACPI.sys [2006-02-26 5810]
R3 nv;nv; C:WINDOWSsystem32DRIVERSnv4_mini.sys [2006-03-09 3650368]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:WINDOWSsystem32DRIVERSNVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:WINDOWSsystem32DRIVERSnvnetbus.sys [2005-07-29 12928]
R3 SenFiltService;SenFilt Service; C:WINDOWSsystem32driversSenfilt.sys [2005-08-12 393088]
R3 tunmp;Драйвер адаптера минипорта Microsoft Tun; C:WINDOWSsystem32DRIVERStunmp.sys [2008-04-13 12288]
R3 usbehci;Драйвер минипорта Microsoft USB 2.0 расширенного хост-контроллера; C:WINDOWSsystem32DRIVERSusbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 концентратор; C:WINDOWSsystem32DRIVERSusbhub.sys [2008-04-13 59520]
R3 usbohci;Драйвер минипорта Microsoft USB открытого хост-контроллера; C:WINDOWSsystem32DRIVERSusbohci.sys [2008-04-13 17152]
R3 usbstor;Драйвер запоминающих устройств для USB; C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-13 26368]
S2 nvcap;nVidia WDM Video Capture (universal); C:WINDOWSsystem32DRIVERSnvcap.sys []
S3 aw4i55yq;aw4i55yq; C:WINDOWSsystem32driversaw4i55yq.sys []
S3 CCDECODE;Closed Caption декодер; C:WINDOWSsystem32DRIVERSCCDECODE.sys [2008-04-13 17024]
S3 GT680x;BearPaw 2448TA Plus Usb Scanner; C:WINDOWSSystem32DriversGt680x.sys [2006-06-17 12416]
S3 HdAudAddService;Драйвер функции Microsoft UAA для службы High Definition Audio; C:WINDOWSsystem32driversHdAudio.sys [2005-12-26 145920]
S3 MSTEE;Преобразователь потоков Tee/Sink-to-Sink Microsoft; C:WINDOWSsystem32driversMSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI кодек; C:WINDOWSsystem32DRIVERSNABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft видео или ТВ подключение; C:WINDOWSsystem32DRIVERSNdisIP.sys [2008-04-13 10880]
S3 nm;Драйвер сетевого монитора; C:WINDOWSsystem32DRIVERSNMnt.sys [2008-04-13 40320]
S3 NWRDR;NetWare Rdr; C:WINDOWSsystem32DRIVERSnwrdr.sys [2008-04-13 163584]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:WINDOWSSystem32DriversRootMdm.sys [2004-08-18 5888]
S3 SLIP;BDA Slip De-Framer; C:WINDOWSsystem32DRIVERSSLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:WINDOWSsystem32DRIVERSStreamIP.sys [2008-04-13 15232]
S3 usbprint;Класс принтеров Microsoft USB; C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-13 25856]
S3 WSTCODEC;World Standard Teletext кодек; C:WINDOWSsystem32DRIVERSWSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation — User-mode Driver Framework Platform Driver; C:WINDOWSsystem32DRIVERSWudfPf.sys [2007-06-18 77568]
S3 WudfRd;Windows Driver Foundation — User-mode Driver Framework Reflector; C:WINDOWSsystem32DRIVERSwudfrd.sys [2007-06-18 82944]
S4 IntelIde;IntelIde; C:WINDOWSsystem32driversIntelIde.sys []======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 6to4;Служба поддержки IPv6; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
R2 AVP;Kaspersky Anti-Virus 6.0; C:Program FilesKaspersky LabKaspersky Anti-Virus 6.0avp.exe [2006-03-24 139367]
R2 NVSvc;NVIDIA Display Driver Service; C:WINDOWSsystem32nvsvc32.exe [2006-03-09 143436]
R2 NwSapAgent;Агент SAP; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
R2 SimpTcp;Простые службы TCP/IP; C:WINDOWSsystem32tcpsvcs.exe [2004-08-18 19456]
R2 SNMP;Служба SNMP; C:WINDOWSSystem32snmp.exe [2008-04-14 32768]
S2 Fax;Fax; C:WINDOWSsystem32fxssvc.exe [2008-04-14 268288]
S2 MDM;Machine Debug Manager; C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE [2003-06-19 322120]
S2 NWCWorkstation;Клиент для сетей NetWare; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:WINDOWSMicrosoft.NETFrameworkv2.0.50727aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorsvw.exe [2007-10-24 70144]
S3 ose;Office Source Engine; C:Program FilesCommon FilesMicrosoft SharedSource EngineOSE.EXE [2003-07-28 89136]
S3 SNMPTRAP;Служба ловушек SNMP; C:WINDOWSSystem32snmptrap.exe [2008-04-14 8704]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:Program FilesWindows Media Playerwmpnetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation — User-mode Driver Framework; C:WINDOWSsystem32svchost.exe [2008-04-14 14336]
EOF
Скачайте программу Combofix. Закройте все открытые окна и запустите эту программу.
После выполнения будет создан лог файл, пожалуйста вставьте его в ваш ответ.Примечание: перед использованием Combofix обязательно установите Recovery console. Как это сделать будет описано на странице, ссылку на которую я привёл выше.
Добрый день!После выполнения работы ComboFix.exe была удалена заставка из загрузки qrhqk.exe.Но я по прежнему не могу управлять дисками,учетными записями,консолью.Вот loq.omboFix 09-07-03.03 — Admin 04.07.2009 13:40.3 — NTFSx86
Running from: c:documents and settingsAdminРабочий столComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.2009-07-04 07:28 . 2009-07-04 07:28
d
w- C:_OTM
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datazifhh.exe
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Databhomf.exe
2009-07-02 09:31 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datafemfb.exe
2009-06-29 15:40 . 2009-06-29 15:40
d
w- c:windowssystem32%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51
d
w- c:program filestrend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 —-a-w- C:ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 —-a-w- C:ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 —-a-w- C:PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 —-a-w- C:ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18
d
w- c:windowssystem32CatRoot
2009-06-21 11:26 . 2009-07-04 09:30
d
w- c:windowssystem32NtmsData
2009-06-19 07:06 . 2009-06-19 07:06
d-sh—w- c:documents and settingsNetworkServiceIETldCache
2009-06-14 05:32 . 2009-06-14 05:32
d
w- C:graphics
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Report%
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Quarantine%
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Backup%
2009-06-11 14:30 . 2009-06-11 14:30
d-sh—r- C:NEXT
2009-06-11 04:23 . 2009-04-30 21:16 12800 -c—-w- c:windowssystem32dllcachexpshims.dll
2009-06-11 04:23 . 2009-04-30 21:16 246272 -c—-w- c:windowssystem32dllcacheieproxy.dll.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 09:54 . 2008-06-10 16:53 1003040 —sha-w- c:windowssystem32driversfidbox2.dat
2009-07-04 09:32 . 2008-09-08 17:50
d
w- c:documents and settingsAdminApplication DataGetRight
2009-07-04 09:04 . 2008-06-11 15:54 77168 —-a-w- c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-07-04 09:00 . 2008-06-10 16:53 98996 —sha-w- c:windowssystem32driversfidbox2.idx
2009-07-04 08:59 . 2008-06-10 16:53 651884 —sha-w- c:windowssystem32driversfidbox.idx
2009-07-04 08:59 . 2008-06-10 16:53 48559648 —sha-w- c:windowssystem32driversfidbox.dat
2009-07-04 08:06 . 2008-08-17 19:59
d
w- c:program filesGoogle
2009-07-03 19:53 . 2008-08-02 11:22
d
w- c:documents and settingsAdminApplication DataMra
2009-07-03 12:07 . 2009-05-10 20:24
d
w- c:program filesMetin2_RU
2009-06-26 11:14 . 2008-06-10 16:05
d
w- c:program filesCommon FilesAhead
2009-06-25 15:15 . 2008-07-04 06:20
d
w- c:program filesCommon FilesAdobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 —-a-w- c:windowssystem32perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 —-a-w- c:windowssystem32perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48
d
w- c:documents and settingsAll UsersApplication DatanView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53
d
w- c:program filesKaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23
d
w- c:program filesOpera
2009-05-29 12:59 . 2009-05-29 12:43 103680 —-a-w- c:windowsmemtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 —-a-w- c:windowsWindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57
d
w- c:program filesThe KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07
d—h—w- c:program filesInstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46
d
w- c:program filesMicrosoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 —-a-w- c:documents and settingsAdminApplication DataOperaOpera 9.5 alphaprofilecache4temporary_downloadinstall_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29
d
w- c:documents and settingsAdminApplication DataAdobeUM
2009-05-26 10:04 . 2009-05-26 10:04
d
w- c:program filesAnalog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 —-a-w- c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-25 11:55 . 2008-07-04 06:23
d
w- c:program filese-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01
d
w- c:program filesLClock
2009-05-25 08:50 . 2008-09-08 17:49
d
w- c:program filesGetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 —-a-w- c:windowssystem32mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 —-a-w- c:windowssystem32wininet.dll
2009-05-10 08:32 . 2009-05-10 08:23
d
w- c:program filesFarlandsLite
2009-05-07 15:33 . 2004-08-18 12:00 346624 —-a-w- c:windowssystem32localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 —-a-w- c:windowssystem32win32k.sys
2009-04-15 14:53 . 2007-12-21 19:17 585216 —-a-w- c:windowssystem32rpcrt4.dll
2009-04-14 19:18 . 2009-04-14 19:18 5301432 —-a-w- c:documents and settingsAdminApplication DataMraUpdatemagentsetup.exe
.((((((((((((((((((((((((((((( SnapShot@2009-07-04_08.08.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 09:30 . 2009-07-04 09:30 16384 c:windowsTempPerflib_Perfdata_480.dat
+ 2008-06-10 19:30 . 2008-04-14 16:10 75264 c:windowssystem32storprop.dll
— 2008-06-10 19:30 . 2008-04-14 16:10 75264 c:windowssystem32storprop.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 81920 c:windowssystem32ReinstallBackups021DriverFilesnvwddi.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 86016 c:windowssystem32ReinstallBackups021DriverFilesnvmctray.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 35840 c:windowssystem32ReinstallBackups021DriverFilesnvcod.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 98304 c:windowssystem32ReinstallBackups021DriverFilesnvapi.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 81920 c:windowssystem32nvwddi.dll
— 2006-03-09 07:29 . 2006-03-09 07:29 81920 c:windowssystem32nvwddi.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 81920 c:windowssystem32nvmctray.dll
— 2008-06-10 19:33 . 2006-03-09 07:29 45056 c:windowssystem32nvmccsrs.dll
+ 2008-06-10 19:33 . 2007-07-13 07:34 45056 c:windowssystem32nvmccsrs.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 37376 c:windowssystem32nvcodins.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 37376 c:windowssystem32nvcod.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 143436 c:windowssystem32ReinstallBackups021DriverFilesnvsvc32.exe
+ 2009-07-04 09:26 . 2006-03-09 07:29 286720 c:windowssystem32ReinstallBackups021DriverFilesnvnt4cpl.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 229376 c:windowssystem32ReinstallBackups021DriverFilesnvmccs.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 573440 c:windowssystem32ReinstallBackups021DriverFilesnvhwvid.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 315392 c:windowssystem32nvwrsru.dll
— 2006-03-09 07:29 . 2006-03-09 07:29 315392 c:windowssystem32nvwrsru.dll
+ 2009-05-26 07:21 . 2007-07-13 07:34 356352 c:windowssystem32nvusmb.exe
+ 2009-05-26 07:21 . 2007-07-13 07:34 356352 c:windowssystem32nvunrm.exe
+ 2008-07-02 09:55 . 2007-07-13 07:34 356352 c:windowssystem32NVUNINST.EXE
+ 2008-07-02 09:56 . 2007-07-13 07:34 356352 c:windowssystem32nvuide.exe
+ 2008-06-10 19:29 . 2007-07-13 07:34 155716 c:windowssystem32nvsvc32.exe
+ 2006-03-09 07:29 . 2007-07-13 07:34 466944 c:windowssystem32nvshell.dll
— 2006-03-09 07:29 . 2006-03-09 07:29 466944 c:windowssystem32nvshell.dll
+ 2008-06-10 19:33 . 2007-07-13 07:34 270336 c:windowssystem32nvrsru.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 286720 c:windowssystem32nvnt4cpl.dll
— 2006-03-09 07:29 . 2006-03-09 07:29 286720 c:windowssystem32nvnt4cpl.dll
+ 2008-06-10 15:50 . 2007-07-13 07:34 188416 c:windowssystem32nvmccss.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 229376 c:windowssystem32nvmccs.dll
— 2008-06-10 19:29 . 2006-03-09 07:29 229376 c:windowssystem32nvmccs.dll
+ 2008-06-10 19:33 . 2007-07-13 07:34 147456 c:windowssystem32nvcolor.exe
— 2008-06-10 19:33 . 2006-03-09 07:29 147456 c:windowssystem32nvcolor.exe
— 2006-03-09 07:29 . 2006-03-09 07:29 442368 c:windowssystem32nvappbar.exe
+ 2006-03-09 07:29 . 2007-07-13 07:34 442368 c:windowssystem32nvappbar.exe
+ 2008-06-10 19:29 . 2007-07-13 07:34 360448 c:windowssystem32nvapi.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 425984 c:windowssystem32keystone.exe
— 2006-03-09 07:29 . 2006-03-09 07:29 425984 c:windowssystem32keystone.exe
+ 2009-07-04 09:26 . 2006-03-09 07:29 5419008 c:windowssystem32ReinstallBackups021DriverFilesnvoglnt.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 7561216 c:windowssystem32ReinstallBackups021DriverFilesnvcpl.dll
+ 2009-07-04 09:26 . 2006-03-09 07:29 3650368 c:windowssystem32ReinstallBackups021DriverFilesnv4_mini.sys
+ 2009-07-04 09:26 . 2006-03-09 07:29 3968512 c:windowssystem32ReinstallBackups021DriverFilesnv4_disp.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 1626112 c:windowssystem32nwiz.exe
+ 2008-06-10 15:50 . 2007-07-13 07:34 2334720 c:windowssystem32nvwss.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 1019904 c:windowssystem32nvwimg.dll
— 2006-03-09 07:29 . 2006-03-09 07:29 1019904 c:windowssystem32nvwimg.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 1703936 c:windowssystem32nvwdmcpl.dll
+ 2008-06-10 15:50 . 2007-07-13 07:34 3522560 c:windowssystem32nvvitvs.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 6729728 c:windowssystem32nvoglnt.dll
+ 2008-06-10 15:50 . 2007-07-13 07:34 1146880 c:windowssystem32nvmobls.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 1474560 c:windowssystem32nview.dll
+ 2008-06-10 15:50 . 2007-07-13 07:34 3330048 c:windowssystem32nvgames.dll
+ 2006-03-09 07:29 . 2007-07-13 07:34 1339392 c:windowssystem32nvdspsch.exe
— 2006-03-09 07:29 . 2006-03-09 07:29 1339392 c:windowssystem32nvdspsch.exe
+ 2008-06-10 15:50 . 2007-07-13 07:34 6238208 c:windowssystem32nvdisps.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 8466432 c:windowssystem32nvcpl.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 5694848 c:windowssystem32nv4_disp.dll
+ 2008-06-10 19:29 . 2007-07-13 07:34 6807744 c:windowssystem32driversnv4_mini.sys
.
— Snapshot reset to current date —
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»d:daemon tools litedaemon.exe» [2008-07-24 490952]
«ctfmon.exe»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«kav»=»c:program filesKaspersky LabKaspersky Anti-Virus 6.0avp.exe» [2006-03-24 139367]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-07-13 8466432]
«MAgent»=»E:MAgent.exe» [2009-06-01 5603000]
«Ulead Photo Express Calendar Checker»=»c:program filesUlead SystemsUlead Photo Express 5 SEcalcheck.exe» [2004-01-12 69632]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2005-05-21 925696]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2007-07-13 1626112]
«NvMediaCenter»=»NvMCTray.dll» — c:windowssystem32nvmctray.dll [2007-07-13 81920]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» — c:windowssystem32hdashcut.exe [2005-12-26 61952][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)
«EditLevel»= 0 (0x0)
«NoCommonGroups»= 0 (0x0)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\dpvsetup.exe»=
«c:\Program Files\Metin2_RU\metin2.bin»=
«c:\WINDOWS\system32\mmc.exe»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«6225:TCP»= 6225:TCP:oadcica[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
«AllowInboundEchoRequest»= 1 (0x1)
«AllowInboundTimestampRequest»= 1 (0x1)
«AllowInboundMaskRequest»= 1 (0x1)
«AllowInboundRouterRequest»= 1 (0x1)
«AllowOutboundParameterProblem»= 0 (0x0)R2 ilvdxc;Driver Manager;c:windowssystem32svchost.exe [2008-04-14 14336]
S2 cglptnt;cglptnt;c:windowssystem32DRIVERScglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:windowssystem32svchost.exe [2008-04-14 14336]HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
ilvdxc[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:setupDATAJune.exe
.
Contents of the ‘Scheduled Tasks’ folder2009-07-04 c:windowsTasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]2009-07-04 c:windowsTasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 13:54
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (LocalSystem)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(808)
c:windowssystem32klogon.dll— — — — — — — > ‘explorer.exe'(2328)
c:windowssystem32WININET.dll
c:program filesPunto Switchercorrect.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Completion time: 2009-07-04 13:59
ComboFix-quarantined-files.txt 2009-07-04 09:59
ComboFix2.txt 2009-07-04 08:46
ComboFix3.txt 2009-07-04 08:13Pre-Run: 5 511 241 728 байт свободно
Post-Run: 5 500 358 656 байт свободно258 — E O F — 2009-06-11 12:55
Откройте блокнот (Кликните Пуск, Выполнить, в строке ввода введите notepad и нажмите Enter) и вставьте в него следующий текст:
Driver::
ilvdxc
NetSvc::
ilvdxc
Registry::
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"6225:TCP"=-
[-HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
RegLock::
[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
File::
c:documents and settingsAdminApplication Datazifhh.exe
c:documents and settingsAdminApplication Databhomf.exe
c:documents and settingsAdminApplication Datafemfb.exeЗапишите получившийся файл на ваш рабочий стол под именем CFScript
Далее перетащите получившийся файл на иконку Combofix, как показано на картинке ниже.
Сombofix запуститься и выполнит процедуры описанные в созданном нами файле.
По результатам работы Combofix будет создан новый лог, его и вставьте в свой следующий ответ.Здравствуйте!Создал файл CFScrit на рабочем столе.Не знаю получилось или нет .Ярлыки на рабочем столе не перемещаются,тлоько работают на два клика- открытие.попробывал несколько раз вот лог.ComboFix 09-07-05.01 — Admin 06.07.2009 8:24.6 — NTFSx86
Running from: c:documents and settingsAdminРабочий столComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:data
C:restore
C:System.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.2009-07-04 07:28 . 2009-07-04 07:28
d
w- C:_OTM
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datazifhh.exe
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Databhomf.exe
2009-07-02 09:31 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datafemfb.exe
2009-06-29 15:40 . 2009-06-29 15:40
d
w- c:windowssystem32%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51
d
w- c:program filestrend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 —-a-w- C:ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 —-a-w- C:ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 —-a-w- C:PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 —-a-w- C:ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18
d
w- c:windowssystem32CatRoot
2009-06-21 11:26 . 2009-07-06 03:55
d
w- c:windowssystem32NtmsData
2009-06-19 07:06 . 2009-06-19 07:06
d-sh—w- c:documents and settingsNetworkServiceIETldCache
2009-06-14 05:32 . 2009-06-14 05:32
d
w- C:graphics
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Report%
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Quarantine%
2009-06-12 06:22 . 2009-06-12 06:22
d
w- c:windowssystem32%Backup%
2009-06-11 14:30 . 2009-06-11 14:30
d-sh—r- C:NEXT
2009-06-11 04:23 . 2009-04-30 21:16 12800 -c—-w- c:windowssystem32dllcachexpshims.dll
2009-06-11 04:23 . 2009-04-30 21:16 246272 -c—-w- c:windowssystem32dllcacheieproxy.dll.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 03:57 . 2008-09-08 17:50
d
w- c:documents and settingsAdminApplication DataGetRight
2009-07-05 20:50 . 2008-06-10 16:53 1025056 —sha-w- c:windowssystem32driversfidbox2.dat
2009-07-05 20:50 . 2008-06-10 16:53 100148 —sha-w- c:windowssystem32driversfidbox2.idx
2009-07-05 20:50 . 2008-06-10 16:53 651884 —sha-w- c:windowssystem32driversfidbox.idx
2009-07-05 20:50 . 2008-06-10 16:53 48559648 —sha-w- c:windowssystem32driversfidbox.dat
2009-07-05 20:48 . 2008-08-02 11:22
d
w- c:documents and settingsAdminApplication DataMra
2009-07-05 17:04 . 2009-05-10 20:24
d
w- c:program filesMetin2_RU
2009-07-04 09:04 . 2008-06-11 15:54 77168 —-a-w- c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-07-04 08:06 . 2008-08-17 19:59
d
w- c:program filesGoogle
2009-06-26 11:14 . 2008-06-10 16:05
d
w- c:program filesCommon FilesAhead
2009-06-25 15:15 . 2008-07-04 06:20
d
w- c:program filesCommon FilesAdobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 —-a-w- c:windowssystem32perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 —-a-w- c:windowssystem32perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48
d
w- c:documents and settingsAll UsersApplication DatanView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53
d
w- c:program filesKaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23
d
w- c:program filesOpera
2009-05-29 12:59 . 2009-05-29 12:43 103680 —-a-w- c:windowsmemtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 —-a-w- c:windowsWindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57
d
w- c:program filesThe KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07
d—h—w- c:program filesInstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46
d
w- c:program filesMicrosoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 —-a-w- c:documents and settingsAdminApplication DataOperaOpera 9.5 alphaprofilecache4temporary_downloadinstall_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29
d
w- c:documents and settingsAdminApplication DataAdobeUM
2009-05-26 10:04 . 2009-05-26 10:04
d
w- c:program filesAnalog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 —-a-w- c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-25 11:55 . 2008-07-04 06:23
d
w- c:program filese-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01
d
w- c:program filesLClock
2009-05-25 08:50 . 2008-09-08 17:49
d
w- c:program filesGetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 —-a-w- c:windowssystem32mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 —-a-w- c:windowssystem32wininet.dll
2009-05-10 08:32 . 2009-05-10 08:23
d
w- c:program filesFarlandsLite
2009-05-07 15:33 . 2004-08-18 12:00 346624 —-a-w- c:windowssystem32localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 —-a-w- c:windowssystem32win32k.sys
2009-04-15 14:53 . 2007-12-21 19:17 585216 —-a-w- c:windowssystem32rpcrt4.dll
2009-04-14 19:18 . 2009-04-14 19:18 5301432 —-a-w- c:documents and settingsAdminApplication DataMraUpdatemagentsetup.exe
.((((((((((((((((((((((((((((( SnapShot_2009-07-04_09.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 03:55 . 2009-07-06 03:55 16384 c:windowsTempPerflib_Perfdata_7d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»d:daemon tools litedaemon.exe» [2008-07-24 490952]
«ctfmon.exe»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«kav»=»c:program filesKaspersky LabKaspersky Anti-Virus 6.0avp.exe» [2006-03-24 139367]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-07-13 8466432]
«MAgent»=»E:MAgent.exe» [2009-06-01 5603000]
«Ulead Photo Express Calendar Checker»=»c:program filesUlead SystemsUlead Photo Express 5 SEcalcheck.exe» [2004-01-12 69632]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2005-05-21 925696]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2007-07-13 1626112]
«NvMediaCenter»=»NvMCTray.dll» — c:windowssystem32nvmctray.dll [2007-07-13 81920]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» — c:windowssystem32hdashcut.exe [2005-12-26 61952][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)
«EditLevel»= 0 (0x0)
«NoCommonGroups»= 0 (0x0)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\dpvsetup.exe»=
«c:\Program Files\Metin2_RU\metin2.bin»=
«c:\WINDOWS\system32\mmc.exe»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«6225:TCP»= 6225:TCP:oadcica[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
«AllowInboundEchoRequest»= 1 (0x1)
«AllowInboundTimestampRequest»= 1 (0x1)
«AllowInboundMaskRequest»= 1 (0x1)
«AllowInboundRouterRequest»= 1 (0x1)
«AllowOutboundParameterProblem»= 0 (0x0)R2 ilvdxc;Driver Manager;c:windowssystem32svchost.exe [2008-04-14 14336]
S2 cglptnt;cglptnt;c:windowssystem32DRIVERScglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:windowssystem32svchost.exe [2008-04-14 14336]HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
ilvdxc[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:setupDATAJune.exe
.
Contents of the ‘Scheduled Tasks’ folder2009-07-06 c:windowsTasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]2009-07-06 c:windowsTasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
TCP: {186459A1-0A8D-4FA8-875F-C2D9741A2840} = 80.95.32.19 80.95.32.20
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 08:38
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (LocalSystem)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(816)
c:windowssystem32klogon.dll— — — — — — — > ‘explorer.exe'(404)
c:windowssystem32WININET.dll
c:program filesPunto Switchercorrect.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Completion time: 2009-07-06 8:44
ComboFix-quarantined-files.txt 2009-07-06 04:44
ComboFix2.txt 2009-07-05 16:06
ComboFix3.txt 2009-07-05 15:29
ComboFix4.txt 2009-07-04 10:00
ComboFix5.txt 2009-07-06 04:06Pre-Run: 5 399 535 616 байт свободно
Post-Run: 5 390 487 552 байт свободно205 — E O F — 2009-06-11 12:55
Ярлыки на рабочем столе не перемещаются,тлоько работают на два клика
Что значит не перемещаются ? Что происходит если навести стрелку мыши на иконку, нажать левую клавишу мыши и попытаться перетащить иконку ?
Не чего не происходит иконка как стоит на месте как замороженная и так все ярлыки не могу перемещать на рабочем столе,могу их только открывать кликнув два раза
Кликните Пуск, Выполнить, введите
cmdи нажмите Enter.
Введите
"%userprofile%Рабочий столComboFix.exe" "%userprofile%Рабочий столCFScript.txt"и нажмите Enter.
Программа Combofix и скрипт ранее нами созданный должны находиться на рабочем столе.
Получившийся Combofix лог вставьте в ваше следующее сообщение.
Вставил CFScript.txt и ComboFix.exe в команднаю строку ярлыки так и не перемещаются.»%userprofile%Рабочий столComboFix.exe» «%userprofile%Рабочий столCFScript.txt»ComboFix 09-07-05.01 — Admin 12.07.2009 22:03.7 — NTFSx86
Running from: c:documents and settingsAdminРабочий столComboFix.exe
Command switches used :: c:documents and settingsAdminРабочий столCFScript.txtWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.2009-07-04 07:28 . 2009-07-04 07:28
d
w- C:_OTM
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datazifhh.exe
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Databhomf.exe
2009-07-02 09:31 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datafemfb.exe
2009-06-29 15:40 . 2009-06-29 15:40
d
w- c:windowssystem32%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51
d
w- c:program filestrend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 —-a-w- C:ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 —-a-w- C:ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 —-a-w- C:PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 —-a-w- C:ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18
d
w- c:windowssystem32CatRoot
2009-06-21 11:26 . 2009-07-12 05:53
d
w- c:windowssystem32NtmsData
2009-06-19 07:06 . 2009-06-19 07:06
d-sh—w- c:documents and settingsNetworkServiceIETldCache
2009-06-14 05:32 . 2009-06-14 05:32
d
w- C:graphics.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 18:17 . 2008-06-10 16:53 1117472 —sha-w- c:windowssystem32driversfidbox2.dat
2009-07-12 17:54 . 2008-08-02 11:22
d
w- c:documents and settingsAdminApplication DataMra
2009-07-12 06:03 . 2009-05-10 20:24
d
w- c:program filesMetin2_RU
2009-07-12 05:55 . 2008-09-08 17:50
d
w- c:documents and settingsAdminApplication DataGetRight
2009-07-11 20:44 . 2008-06-10 16:53 108692 —sha-w- c:windowssystem32driversfidbox2.idx
2009-07-11 20:44 . 2008-06-10 16:53 651884 —sha-w- c:windowssystem32driversfidbox.idx
2009-07-11 20:44 . 2008-06-10 16:53 48559648 —sha-w- c:windowssystem32driversfidbox.dat
2009-07-04 09:04 . 2008-06-11 15:54 77168 —-a-w- c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-07-04 08:06 . 2008-08-17 19:59
d
w- c:program filesGoogle
2009-06-26 11:14 . 2008-06-10 16:05
d
w- c:program filesCommon FilesAhead
2009-06-25 15:15 . 2008-07-04 06:20
d
w- c:program filesCommon FilesAdobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 —-a-w- c:windowssystem32perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 —-a-w- c:windowssystem32perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48
d
w- c:documents and settingsAll UsersApplication DatanView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53
d
w- c:program filesKaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23
d
w- c:program filesOpera
2009-05-29 12:59 . 2009-05-29 12:43 103680 —-a-w- c:windowsmemtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 —-a-w- c:windowsWindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57
d
w- c:program filesThe KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07
d—h—w- c:program filesInstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46
d
w- c:program filesMicrosoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 —-a-w- c:documents and settingsAdminApplication DataOperaOpera 9.5 alphaprofilecache4temporary_downloadinstall_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29
d
w- c:documents and settingsAdminApplication DataAdobeUM
2009-05-26 10:04 . 2009-05-26 10:04
d
w- c:program filesAnalog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 —-a-w- c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-25 11:55 . 2008-07-04 06:23
d
w- c:program filese-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01
d
w- c:program filesLClock
2009-05-25 08:50 . 2008-09-08 17:49
d
w- c:program filesGetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 —-a-w- c:windowssystem32mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 —-a-w- c:windowssystem32wininet.dll
2009-05-07 15:33 . 2004-08-18 12:00 346624 —-a-w- c:windowssystem32localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 —-a-w- c:windowssystem32win32k.sys
2009-04-15 14:53 . 2007-12-21 19:17 585216 —-a-w- c:windowssystem32rpcrt4.dll
2009-04-14 19:18 . 2009-04-14 19:18 5301432 —-a-w- c:documents and settingsAdminApplication DataMraUpdatemagentsetup.exe
.((((((((((((((((((((((((((((( SnapShot_2009-07-04_09.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:53 . 2009-07-12 05:53 16384 c:windowsTempPerflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»d:daemon tools litedaemon.exe» [2008-07-24 490952]
«ctfmon.exe»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«kav»=»c:program filesKaspersky LabKaspersky Anti-Virus 6.0avp.exe» [2006-03-24 139367]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-07-13 8466432]
«MAgent»=»E:MAgent.exe» [2009-06-01 5603000]
«Ulead Photo Express Calendar Checker»=»c:program filesUlead SystemsUlead Photo Express 5 SEcalcheck.exe» [2004-01-12 69632]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2005-05-21 925696]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2007-07-13 1626112]
«NvMediaCenter»=»NvMCTray.dll» — c:windowssystem32nvmctray.dll [2007-07-13 81920]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» — c:windowssystem32hdashcut.exe [2005-12-26 61952][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)
«EditLevel»= 0 (0x0)
«NoCommonGroups»= 0 (0x0)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\dpvsetup.exe»=
«c:\Program Files\Metin2_RU\metin2.bin»=
«c:\WINDOWS\system32\mmc.exe»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«6225:TCP»= 6225:TCP:oadcica[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
«AllowInboundEchoRequest»= 1 (0x1)
«AllowInboundTimestampRequest»= 1 (0x1)
«AllowInboundMaskRequest»= 1 (0x1)
«AllowInboundRouterRequest»= 1 (0x1)
«AllowOutboundParameterProblem»= 0 (0x0)R2 ilvdxc;Driver Manager;c:windowssystem32svchost.exe [2008-04-14 14336]
S2 cglptnt;cglptnt;c:windowssystem32DRIVERScglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:windowssystem32svchost.exe [2008-04-14 14336]HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
ilvdxc[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:setupDATAJune.exe
.
Contents of the ‘Scheduled Tasks’ folder2009-07-12 c:windowsTasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]2009-07-12 c:windowsTasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
TCP: {186459A1-0A8D-4FA8-875F-C2D9741A2840} = 80.95.32.19 80.95.32.20
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 22:18
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (LocalSystem)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(816)
c:windowssystem32klogon.dll— — — — — — — > ‘explorer.exe'(2552)
c:windowssystem32WININET.dll
c:windowssystem32nview.dll
c:windowssystem32nvwddi.dll
c:program filesPunto Switchercorrect.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Completion time: 2009-07-12 22:24
ComboFix-quarantined-files.txt 2009-07-12 18:24
ComboFix2.txt 2009-07-06 04:44
ComboFix3.txt 2009-07-05 16:06
ComboFix4.txt 2009-07-05 15:29
ComboFix5.txt 2009-07-12 18:01Pre-Run: 5 428 477 952 байт свободно
Post-Run: 5 416 349 696 байт свободно195 — E O F — 2009-06-11 12:55
Вставил CFScript.txt и ComboFix.exe в команднаю строку ярлыки так и не перемещаются.ComboFix 09-07-05.01 — Admin 12.07.2009 22:03.7 — NTFSx86
Running from: c:documents and settingsAdminРабочий столComboFix.exe
Command switches used :: c:documents and settingsAdminРабочий столCFScript.txtWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.2009-07-04 07:28 . 2009-07-04 07:28
d
w- C:_OTM
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datazifhh.exe
2009-07-02 09:36 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Databhomf.exe
2009-07-02 09:31 . 2009-06-20 11:35 23040 —-a-w- c:documents and settingsAdminApplication Datafemfb.exe
2009-06-29 15:40 . 2009-06-29 15:40
d
w- c:windowssystem32%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51
d
w- c:program filestrend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 —-a-w- C:ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 —-a-w- C:ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 —-a-w- C:PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 —-a-w- C:ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18
d
w- c:windowssystem32CatRoot
2009-06-21 11:26 . 2009-07-12 05:53
d
w- c:windowssystem32NtmsData
2009-06-19 07:06 . 2009-06-19 07:06
d-sh—w- c:documents and settingsNetworkServiceIETldCache
2009-06-14 05:32 . 2009-06-14 05:32
d
w- C:graphics.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 18:17 . 2008-06-10 16:53 1117472 —sha-w- c:windowssystem32driversfidbox2.dat
2009-07-12 17:54 . 2008-08-02 11:22
d
w- c:documents and settingsAdminApplication DataMra
2009-07-12 06:03 . 2009-05-10 20:24
d
w- c:program filesMetin2_RU
2009-07-12 05:55 . 2008-09-08 17:50
d
w- c:documents and settingsAdminApplication DataGetRight
2009-07-11 20:44 . 2008-06-10 16:53 108692 —sha-w- c:windowssystem32driversfidbox2.idx
2009-07-11 20:44 . 2008-06-10 16:53 651884 —sha-w- c:windowssystem32driversfidbox.idx
2009-07-11 20:44 . 2008-06-10 16:53 48559648 —sha-w- c:windowssystem32driversfidbox.dat
2009-07-04 09:04 . 2008-06-11 15:54 77168 —-a-w- c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-07-04 08:06 . 2008-08-17 19:59
d
w- c:program filesGoogle
2009-06-26 11:14 . 2008-06-10 16:05
d
w- c:program filesCommon FilesAhead
2009-06-25 15:15 . 2008-07-04 06:20
d
w- c:program filesCommon FilesAdobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 —-a-w- c:windowssystem32perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 —-a-w- c:windowssystem32perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48
d
w- c:documents and settingsAll UsersApplication DatanView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53
d
w- c:program filesKaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23
d
w- c:program filesOpera
2009-05-29 12:59 . 2009-05-29 12:43 103680 —-a-w- c:windowsmemtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 —-a-w- c:windowsWindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57
d
w- c:program filesThe KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07
d—h—w- c:program filesInstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46
d
w- c:program filesMicrosoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 —-a-w- c:documents and settingsAdminApplication DataOperaOpera 9.5 alphaprofilecache4temporary_downloadinstall_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29
d
w- c:documents and settingsAdminApplication DataAdobeUM
2009-05-26 10:04 . 2009-05-26 10:04
d
w- c:program filesAnalog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 —-a-w- c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-25 11:55 . 2008-07-04 06:23
d
w- c:program filese-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01
d
w- c:program filesLClock
2009-05-25 08:50 . 2008-09-08 17:49
d
w- c:program filesGetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 —-a-w- c:windowssystem32mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 —-a-w- c:windowssystem32wininet.dll
2009-05-07 15:33 . 2004-08-18 12:00 346624 —-a-w- c:windowssystem32localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 —-a-w- c:windowssystem32win32k.sys
2009-04-15 14:53 . 2007-12-21 19:17 585216 —-a-w- c:windowssystem32rpcrt4.dll
2009-04-14 19:18 . 2009-04-14 19:18 5301432 —-a-w- c:documents and settingsAdminApplication DataMraUpdatemagentsetup.exe
.((((((((((((((((((((((((((((( SnapShot_2009-07-04_09.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:53 . 2009-07-12 05:53 16384 c:windowsTempPerflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»d:daemon tools litedaemon.exe» [2008-07-24 490952]
«ctfmon.exe»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«kav»=»c:program filesKaspersky LabKaspersky Anti-Virus 6.0avp.exe» [2006-03-24 139367]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-07-13 8466432]
«MAgent»=»E:MAgent.exe» [2009-06-01 5603000]
«Ulead Photo Express Calendar Checker»=»c:program filesUlead SystemsUlead Photo Express 5 SEcalcheck.exe» [2004-01-12 69632]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2005-05-21 925696]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2007-07-13 1626112]
«NvMediaCenter»=»NvMCTray.dll» — c:windowssystem32nvmctray.dll [2007-07-13 81920]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» — c:windowssystem32hdashcut.exe [2005-12-26 61952][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)
«EditLevel»= 0 (0x0)
«NoCommonGroups»= 0 (0x0)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\dpvsetup.exe»=
«c:\Program Files\Metin2_RU\metin2.bin»=
«c:\WINDOWS\system32\mmc.exe»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«6225:TCP»= 6225:TCP:oadcica[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
«AllowInboundEchoRequest»= 1 (0x1)
«AllowInboundTimestampRequest»= 1 (0x1)
«AllowInboundMaskRequest»= 1 (0x1)
«AllowInboundRouterRequest»= 1 (0x1)
«AllowOutboundParameterProblem»= 0 (0x0)R2 ilvdxc;Driver Manager;c:windowssystem32svchost.exe [2008-04-14 14336]
S2 cglptnt;cglptnt;c:windowssystem32DRIVERScglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:windowssystem32svchost.exe [2008-04-14 14336]HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
ilvdxc[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{67KLN5J0-4OPM-33WE-AAX5-34KC2A3453431}]
c:setupDATAJune.exe
.
Contents of the ‘Scheduled Tasks’ folder2009-07-12 c:windowsTasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]2009-07-12 c:windowsTasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
TCP: {186459A1-0A8D-4FA8-875F-C2D9741A2840} = 80.95.32.19 80.95.32.20
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 22:18
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS.DefaultSoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (LocalSystem)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,01,89,51,31,b6,22,49,81,69,23,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftInternet ExplorerUser Preferences]
@Denied: (2) (Administrator)
«88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,
«2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81″=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e3,fe,6e,5f,00,37,45,bb,51,d3,[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(816)
c:windowssystem32klogon.dll— — — — — — — > ‘explorer.exe'(2552)
c:windowssystem32WININET.dll
c:windowssystem32nview.dll
c:windowssystem32nvwddi.dll
c:program filesPunto Switchercorrect.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Completion time: 2009-07-12 22:24
ComboFix-quarantined-files.txt 2009-07-12 18:24
ComboFix2.txt 2009-07-06 04:44
ComboFix3.txt 2009-07-05 16:06
ComboFix4.txt 2009-07-05 15:29
ComboFix5.txt 2009-07-12 18:01Pre-Run: 5 428 477 952 байт свободно
Post-Run: 5 416 349 696 байт свободно195 — E O F — 2009-06-11 12:55
В момент запуска скрипт CFScript.txt находился на рабочем столе ? Судя по логу он не выполнился.
Попробуйте его создать снова (не забудьте вставить в него содержимое, что я выкладывал ранее), сохраните на рабочий стол. И запустите Combofix снова, как было сказано в моём предыдущем сообщении.ComboFix 09-07-14.08 — Admin 18.07.2009 14:16.8.1 — NTFSx86
Running from: c:documents and settingsAdminРабочий столComboFix.exe
Command switches used :: c:documents and settingsAdminРабочий столCFScript.txtWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
«c:documents and settingsAdminApplication Databhomf.exe»
«c:documents and settingsAdminApplication Datafemfb.exe»
«c:documents and settingsAdminApplication Datazifhh.exe»
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAdminApplication Databhomf.exe
c:documents and settingsAdminApplication Datafemfb.exe
c:documents and settingsAdminApplication Datazifhh.exe.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_ILVDXC
Service_ilvdxc((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.2009-07-04 07:28 . 2009-07-04 07:28
d
w- C:_OTM
2009-06-29 15:40 . 2009-06-29 15:40
d
w- c:windowssystem32%DataRoot%
2009-06-28 16:41 . 2009-06-29 08:51
d
w- c:program filestrend micro
2009-06-28 08:30 . 2009-06-28 08:30 220 —-a-w- C:ScreenSaveActive.reg
2009-06-28 08:30 . 2009-06-28 08:30 226 —-a-w- C:ScreenSaverIsSecure.reg
2009-06-28 08:30 . 2009-06-28 08:30 222 —-a-w- C:PowerOffTimeOut.reg
2009-06-28 08:29 . 2009-06-28 08:29 226 —-a-w- C:ScreenSaveTimeOut.reg
2009-06-25 16:37 . 2009-06-25 17:18
d
w- c:windowssystem32CatRoot
2009-06-21 11:26 . 2009-07-18 09:29
d
w- c:windowssystem32NtmsData
2009-06-19 07:06 . 2009-06-19 07:06
d-sh—w- c:documents and settingsNetworkServiceIETldCache.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 10:35 . 2008-09-08 17:50
d
w- c:documents and settingsAdminApplication DataGetRight
2009-07-18 10:31 . 2008-06-10 16:53 1150752 —sha-w- c:windowssystem32driversfidbox2.dat
2009-07-18 10:30 . 2008-06-10 16:53 113060 —sha-w- c:windowssystem32driversfidbox2.idx
2009-07-18 10:30 . 2008-06-10 16:53 651884 —sha-w- c:windowssystem32driversfidbox.idx
2009-07-18 10:30 . 2008-06-10 16:53 48559648 —sha-w- c:windowssystem32driversfidbox.dat
2009-07-17 18:52 . 2008-08-02 11:22
d
w- c:documents and settingsAdminApplication DataMra
2009-07-17 16:54 . 2009-05-10 20:24
d
w- c:program filesMetin2_RU
2009-07-04 09:04 . 2008-06-11 15:54 77168 —-a-w- c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-07-04 08:06 . 2008-08-17 19:59
d
w- c:program filesGoogle
2009-06-26 11:14 . 2008-06-10 16:05
d
w- c:program filesCommon FilesAhead
2009-06-25 15:15 . 2008-07-04 06:20
d
w- c:program filesCommon FilesAdobe
2009-06-20 12:06 . 2004-08-18 12:00 78258 —-a-w- c:windowssystem32perfc019.dat
2009-06-20 12:06 . 2004-08-18 12:00 452866 —-a-w- c:windowssystem32perfh019.dat
2009-06-02 05:48 . 2009-06-02 05:48
d
w- c:documents and settingsAll UsersApplication DatanView_Profiles
2009-06-02 05:30 . 2008-06-10 16:53
d
w- c:program filesKaspersky Lab
2009-06-01 15:23 . 2009-06-01 15:23
d
w- c:program filesOpera
2009-05-29 12:59 . 2009-05-29 12:43 103680 —-a-w- c:windowsmemtest86+-2.11.iso.zip
2009-05-29 10:01 . 2009-05-29 10:01 655728 —-a-w- c:windowsWindowsXP-KB958644-x86-RUS.exe
2009-05-29 07:36 . 2008-06-10 15:57
d
w- c:program filesThe KMPlayer
2009-05-29 07:31 . 2009-05-26 07:07
d—h—w- c:program filesInstallShield Installation Information
2009-05-27 18:46 . 2009-05-27 18:46
d
w- c:program filesMicrosoft Silverlight
2009-05-27 05:26 . 2009-05-27 05:26 1878888 —-a-w- c:documents and settingsAdminApplication DataOperaOpera 9.5 alphaprofilecache4temporary_downloadinstall_flash_player.exe
2009-05-26 12:29 . 2009-05-26 12:29
d
w- c:documents and settingsAdminApplication DataAdobeUM
2009-05-26 10:04 . 2009-05-26 10:04
d
w- c:program filesAnalog Devices
2009-05-25 13:09 . 2008-06-10 15:39 86327 —-a-w- c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-25 11:55 . 2008-07-04 06:23
d
w- c:program filese-Life Pal
2009-05-25 11:18 . 2008-06-10 16:01
d
w- c:program filesLClock
2009-05-25 08:50 . 2008-09-08 17:49
d
w- c:program filesGetRight
2009-05-16 14:32 . 2009-05-16 09:00 126976 —-a-w- c:windowssystem32mslpadap.dll
2009-05-13 05:05 . 2007-12-21 19:48 915456 —-a-w- c:windowssystem32wininet.dll
2009-05-07 15:33 . 2004-08-18 12:00 346624 —-a-w- c:windowssystem32localspl.dll
2009-04-19 19:51 . 2007-12-21 19:18 1847296 —-a-w- c:windowssystem32win32k.sys
.
Sigcheck
[-] 2004-08-18 12:00 14336 5DB0AE95BF08D5A63C167648F1314C07 c:windows$NtServicePackUninstall$svchost.exe
[-] 2008-04-14 16:11 14336 E948A9079D0E6350BE92D4D3E0077F81 c:windowsServicePackFilesi386svchost.exe
[-] 2008-04-14 16:11 14336 E948A9079D0E6350BE92D4D3E0077F81 c:windowssystem32svchost.exe[-] 2007-12-21 19:24 578560 196B409A7C1C39A5A0F7566C2741FAD1 c:windows$NtServicePackUninstall$user32.dll
[-] 2008-04-14 16:10 579072 A9CDF92EA1CFFB67448EF26F5DF21A6F c:windowsServicePackFilesi386user32.dll
[-] 2008-04-14 16:10 579072 A9CDF92EA1CFFB67448EF26F5DF21A6F c:windowssystem32user32.dll[-] 2004-08-18 12:00 82944 0B6185E58290D4E5944F6FB9BF6562A1 c:windows$NtServicePackUninstall$ws2_32.dll
[-] 2008-04-14 16:10 82432 5E2915645A0D139519A99F0F95437D96 c:windowsServicePackFilesi386ws2_32.dll
[-] 2008-04-14 16:10 82432 5E2915645A0D139519A99F0F95437D96 c:windowssystem32ws2_32.dll[-] 2009-03-03 00:16 828416 B1F222F07D53E0A45DEADCBEC7AF3336 c:windows$hf_mig$KB963027-IE7SP3QFEwininet.dll
[-] 2009-05-13 05:09 915456 5CE4E5300A2AD2ABBF3E1028B78FDE25 c:windows$hf_mig$KB969897-IE8SP3QFEwininet.dll
[-] 2008-06-23 15:41 827904 04B0920B661877A10E3409FAF1900810 c:windowsie7updatesKB963027-IE7wininet.dll
[-] 2009-03-03 00:16 828416 B1F222F07D53E0A45DEADCBEC7AF3336 c:windowsie8wininet.dll
[-] 2009-03-08 00:34 914944 6CE32F7778061CCC5814D5E0F282D369 c:windowsie8updatesKB969897-IE8wininet.dll
[-] 2008-04-14 16:10 666624 BD953FC6D28126E19882944944E39904 c:windowsServicePackFilesi386wininet.dll
[-] 2009-05-13 05:05 915456 6026DFFED0787AC7540FD1554338BC17 c:windowsSoftwareDistributionDownloadb04aa9f2c0f154067d5d7b8a659f2a3bSP3GDRwininet.dll
[-] 2009-05-13 05:09 915456 5CE4E5300A2AD2ABBF3E1028B78FDE25 c:windowsSoftwareDistributionDownloadb04aa9f2c0f154067d5d7b8a659f2a3bSP3QFEwininet.dll
[-] 2009-05-13 05:05 915456 6026DFFED0787AC7540FD1554338BC17 c:windowssystem32wininet.dll
[-] 2009-05-13 05:05 915456 6026DFFED0787AC7540FD1554338BC17 c:windowssystem32dllcachewininet.dll[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:windows$hf_mig$KB951748SP3GDRtcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:windows$hf_mig$KB951748SP3QFEtcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:windows$NtServicePackUninstall$tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:windowsServicePackFilesi386tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:windowssystem32dllcachetcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:windowssystem32driverstcpip.sys[-] 2004-08-18 12:00 503808 BA9DF5930B2582C31C0C8E52C94DDA48 c:windows$NtServicePackUninstall$winlogon.exe
[-] 2008-04-14 16:11 509440 B3B5D5855127E240C88451030AAEE76E c:windowsServicePackFilesi386winlogon.exe
[-] 2008-04-14 16:11 509440 B3B5D5855127E240C88451030AAEE76E c:windowssystem32winlogon.exe[-] 2007-12-21 19:18 182656 BC84C4F67D0E880B0C46DC0CE2B8CBAA c:windows$NtServicePackUninstall$ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:windowsServicePackFilesi386ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:windowssystem32driversndis.sys[-] 2004-08-18 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:windows$NtServicePackUninstall$ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:windowsServicePackFilesi386ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:windowssystem32driversip6fw.sys[-] 2009-02-09 11:18 2067968 F94532F9047E2D94B5CC2125487EBB8D c:windows$hf_mig$KB956572SP3QFEntkrnlpa.exe
[-] 2008-08-14 15:26 2067840 D06434874D29A427B642702B06FA36E2 c:windows$hf_mig$KB956841SP3QFEntkrnlpa.exe
[-] 2007-12-21 19:20 2061184 B683F99750E5C450A03DB3F01648BD4A c:windows$NtServicePackUninstall$ntkrnlpa.exe
[-] 2009-02-10 15:09 2067840 32136AF697E44465D73FA014F459C037 c:windowsDriver Cachei386ntkrnlpa.exe
[-] 2008-04-14 15:50 2067712 B732BB0B17FE6547FC1F5C770549391E c:windowsServicePackFilesi386ntkrnlpa.exe
[-] 2009-02-10 15:09 2067840 32136AF697E44465D73FA014F459C037 c:windowssystem32ntkrnlpa.exe
[-] 2009-02-10 15:09 2067840 32136AF697E44465D73FA014F459C037 c:windowssystem32dllcachentkrnlpa.exe[-] 2009-02-10 15:18 2190976 5BA788BE01A673A0A5176486CE432DF2 c:windows$hf_mig$KB956572SP3QFEntoskrnl.exe
[-] 2008-08-14 15:26 2190976 73E4452E6A88F91C2C847A2264E85891 c:windows$hf_mig$KB956841SP3QFEntoskrnl.exe
[-] 2007-12-21 19:17 2183936 32FF36DB045A32F606F1EEEC98C78954 c:windows$NtServicePackUninstall$ntoskrnl.exe
[-] 2009-02-09 11:26 2190848 71724D6DC686B1597DE3631F09B3E5C7 c:windowsDriver Cachei386ntoskrnl.exe
[-] 2008-04-14 15:51 2190848 DBD9F0B1A0D346EBBCF20940B86941C5 c:windowsServicePackFilesi386ntoskrnl.exe
[-] 2009-02-09 11:26 2190848 71724D6DC686B1597DE3631F09B3E5C7 c:windowssystem32ntoskrnl.exe
[-] 2009-02-09 11:26 2190848 71724D6DC686B1597DE3631F09B3E5C7 c:windowssystem32dllcachentoskrnl.exe[-] 2008-04-14 16:10 1034240 847C01CA71883702CC7445364DD9D097 c:windowsexplorer.exe
[-] 2007-12-21 19:23 1720832 907712EC5AE77486FC4DB8DD917C731A c:windows$NtServicePackUninstall$explorer.exe
[-] 2008-04-14 16:10 1034240 847C01CA71883702CC7445364DD9D097 c:windowsServicePackFilesi386explorer.exe
[-] 2008-04-14 16:10 1034240 847C01CA71883702CC7445364DD9D097 c:windowssystem32dllcacheexplorer.exe[-] 2009-02-09 11:18 111104 0AF0D6AF45220ADB9C30B33CFEC41831 c:windows$hf_mig$KB956572SP3QFEservices.exe
[-] 2004-08-18 12:00 108544 394BE1D5B35B031A94AE51C6F05E3967 c:windows$NtServicePackUninstall$services.exe
[-] 2008-04-14 16:11 109056 AE5D25E59BC5D193ADD3DBF01864BDC5 c:windowsServicePackFilesi386services.exe
[-] 2009-02-09 11:25 111104 94824EEFEBE244036335E644EB5FF3AC c:windowssystem32services.exe
[-] 2009-02-09 11:25 111104 94824EEFEBE244036335E644EB5FF3AC c:windowssystem32dllcacheservices.exe[-] 2004-08-18 12:00 13312 1952DDC36E60C313CD6ACBD07D4548D6 c:windows$NtServicePackUninstall$lsass.exe
[-] 2008-04-14 16:10 13312 17C1AC326238EFADF17A0612AFD822AD c:windowsServicePackFilesi386lsass.exe
[-] 2008-04-14 16:10 13312 17C1AC326238EFADF17A0612AFD822AD c:windowssystem32lsass.exe[-] 2007-12-21 19:23 30208 ACC544D628A758A445DF844269E803A7 c:windows$NtServicePackUninstall$ctfmon.exe
[-] 2008-04-14 16:10 15360 B5DC70BB43A14093E00C5A735CC5DFD4 c:windowsServicePackFilesi386ctfmon.exe
[-] 2008-04-14 16:10 15360 B5DC70BB43A14093E00C5A735CC5DFD4 c:windowssystem32ctfmon.exe[-] 2007-12-21 19:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:windows$NtServicePackUninstall$spoolsv.exe
[-] 2008-04-14 16:11 57856 0139187CDD1B598B6CBB235517117832 c:windowsServicePackFilesi386spoolsv.exe
[-] 2008-04-14 16:11 57856 0139187CDD1B598B6CBB235517117832 c:windowssystem32spoolsv.exe[-] 2004-08-18 12:00 25088 B5F1A73EDAB83FA2DB9662E10E027587 c:windows$NtServicePackUninstall$userinit.exe
[-] 2008-04-14 16:11 26624 4F88778DD0CD6B99FCDA408E16B36AE7 c:windowsServicePackFilesi386userinit.exe
[-] 2008-04-14 16:11 26624 4F88778DD0CD6B99FCDA408E16B36AE7 c:windowssystem32userinit.exe[-] 2004-08-18 12:00 295936 FBE10ED076D1E87782778A6CD2AB7085 c:windows$NtServicePackUninstall$termsrv.dll
[-] 2008-04-14 16:10 295936 804A741E1806E8C33C8C642781896C0D c:windowsServicePackFilesi386termsrv.dll
[-] 2008-04-14 16:10 295936 804A741E1806E8C33C8C642781896C0D c:windowssystem32termsrv.dll[-] 2009-03-21 14:00 997888 B6D7F9BD6A4EC30F22025BA670211AB8 c:windows$hf_mig$KB959426SP3QFEkernel32.dll
[-] 2007-12-21 19:17 992256 386376D4516F7922C5AFE1752B6DED84 c:windows$NtServicePackUninstall$kernel32.dll
[-] 2008-04-14 16:10 995840 D612EE36F95DA6D1179F7567B2B77D77 c:windowsServicePackFilesi386kernel32.dll
[-] 2009-03-21 14:09 995840 7A163D793AF7208E13B0F33864D36438 c:windowssystem32kernel32.dll
[-] 2009-03-21 14:09 995840 7A163D793AF7208E13B0F33864D36438 c:windowssystem32dllcachekernel32.dll[-] 2004-08-18 12:00 17408 604F22705C12080012968D72D97C6D64 c:windows$NtServicePackUninstall$powrprof.dll
[-] 2008-04-14 16:10 17408 DDDB63DB4C327CA3996AD326C1A8B8D4 c:windowsServicePackFilesi386powrprof.dll
[-] 2008-04-14 16:10 17408 DDDB63DB4C327CA3996AD326C1A8B8D4 c:windowssystem32powrprof.dll[-] 2004-08-18 12:00 110080 318492C9327EDBBD7FAD35FB3DF65CC3 c:windows$NtServicePackUninstall$imm32.dll
[-] 2008-04-14 16:10 110080 A9690FD601E9F5102F0D3388DF6081BD c:windowsServicePackFilesi386imm32.dll
[-] 2008-04-14 16:10 110080 A9690FD601E9F5102F0D3388DF6081BD c:windowssystem32imm32.dll[-] 2007-12-21 20:32 1548288 9E62E0CDEC5617D03A1598040E73A70B c:windows$NtServicePackUninstall$sfcfiles.dll
[-] 2008-04-14 16:10 1571840 4379CA978CB35BB2458156B2B6CB35DF c:windowsServicePackFilesi386sfcfiles.dll
[-] 2008-04-14 16:10 1571840 4379CA978CB35BB2458156B2B6CB35DF c:windowssystem32sfcfiles.dll[-] 2004-08-18 12:00 171008 7A2CF119A6D8C946CC0426E0F6EEE733 c:windows$NtServicePackUninstall$appmgmts.dll
[-] 2008-04-14 16:10 171008 49CD07F6A6D14430D773D83E7E60BB07 c:windowsServicePackFilesi386appmgmts.dll
[-] 2008-04-14 16:10 171008 49CD07F6A6D14430D773D83E7E60BB07 c:windowssystem32appmgmts.dll
[-] 2008-04-14 16:10 171008 49CD07F6A6D14430D773D83E7E60BB07 c:windowssystem32dllcacheappmgmts.dll[-] 2004-08-18 12:00 24832 84C85813DDB595F97A9F95DA3EDBF81B c:windows$NtServicePackUninstall$kbdclass.sys
[-] 2008-04-14 15:47 24832 2B0018DE01BFB628D0A49A301F34B46F c:windowsServicePackFilesi386kbdclass.sys
[-] 2008-04-14 15:47 24832 2B0018DE01BFB628D0A49A301F34B46F c:windowssystem32driverskbdclass.sys[-] 2007-12-21 19:23 855040 6168D52CBC1A7F1467915BBB8EE33D86 c:windows$NtServicePackUninstall$comres.dll
[-] 2008-04-14 16:10 797696 F40029071D0DA1013E2CF72EDD07198C c:windowsServicePackFilesi386comres.dll
[-] 2008-04-14 16:10 797696 F40029071D0DA1013E2CF72EDD07198C c:windowssystem32comres.dll[-] 2004-08-18 12:00 22016 37A519EA77EA438BA4B7A996F92D6B7E c:windows$NtServicePackUninstall$lpk.dll
[-] 2008-04-14 16:10 22016 C50FAD9307F12333FFBE0B80066AB045 c:windowsServicePackFilesi386lpk.dll
[-] 2008-04-14 16:10 22016 C50FAD9307F12333FFBE0B80066AB045 c:windowssystem32lpk.dll[-] 2004-08-18 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:windowssystem32dllcachebeep.sys
[-] 2004-08-18 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:windowssystem32driversbeep.sys[-] 2004-08-18 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:windowssystem32dllcachenull.sys
[-] 2004-08-18 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:windowssystem32driversnull.sys[-] 2007-12-21 19:17 927504 452A6521AAAFBE11DAA5CAD9B1E86052 c:windows$NtServicePackUninstall$mfc40u.dll
[-] 2008-04-14 16:10 927504 21B8BD18B4FF64AB41B858F282C5BC81 c:windowsServicePackFilesi386mfc40u.dll
[-] 2008-04-14 16:10 927504 21B8BD18B4FF64AB41B858F282C5BC81 c:windowssystem32mfc40u.dll[-] 2009-02-09 10:57 401408 F70CC57608BF3CC9F89222A9E515DCCF c:windows$hf_mig$KB956572SP3QFErpcss.dll
[-] 2007-12-21 19:17 398848 92B68A397C659302891E4FEF60366721 c:windows$NtServicePackUninstall$rpcss.dll
[-] 2008-04-14 16:10 399360 7567F54A2957F1281DCB0ED169A22148 c:windowsServicePackFilesi386rpcss.dll
[-] 2009-02-09 10:54 401408 293D96B9A523C8D3A5F3EE448405388E c:windowssystem32rpcss.dll
[-] 2009-02-09 10:54 401408 293D96B9A523C8D3A5F3EE448405388E c:windowssystem32dllcacherpcss.dll[-] 2004-08-18 12:00 33792 A69AA08A453B9BAF7782A98EF57AF3D1 c:windows$NtServicePackUninstall$msgsvc.dll
[-] 2008-04-14 16:10 33792 1CEA42E9B7DC30FC313C8277EBDC8FCF c:windowsServicePackFilesi386msgsvc.dll
[-] 2008-04-14 16:10 33792 1CEA42E9B7DC30FC313C8277EBDC8FCF c:windowssystem32msgsvc.dll[-] 2007-12-21 19:16 617472 BA0065C83F4E340C8FD05EECF199A48E c:windows$NtServicePackUninstall$comctl32.dll
[-] 2004-08-18 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:windowsI386ASMS6000MSFTWINDOWSCOMMONCONTROLSCOMCTL32.DLL
[-] 2008-04-14 16:10 617472 E464083934A22C7E0EDE8A8FFA90D26C c:windowsServicePackFilesi386comctl32.dll
[-] 2008-04-14 16:10 617472 E464083934A22C7E0EDE8A8FFA90D26C c:windowssystem32comctl32.dll
[-] 2004-08-18 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:windowsWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70acomctl32.dll
[-] 2006-08-25 04:53 1054208 D9C17E4F0DADD879313011B674960883 c:windowsWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03comctl32.dll
[-] 2008-04-14 16:08 1054208 FF63BB56C05EA817124D4E18162FCE46 c:windowsWinSxSx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83comctl32.dll[-] 2004-08-18 12:00 11776 CEA8D1DA7696ACBFC69A3823BCF1C738 c:windowssystem32driversacpiec.sys
[-] 2004-08-18 12:00 5120 F5F629B5CE930A832A7404A91121DB7C c:windows$NtServicePackUninstall$sfc.dll
[-] 2008-04-14 16:10 5120 86E2562942CE84CBC59FCE8011245D7A c:windowsServicePackFilesi386sfc.dll
[-] 2008-04-14 16:10 5120 86E2562942CE84CBC59FCE8011245D7A c:windowssystem32sfc.dll[-] 2004-08-18 12:00 436736 2105738264B4DDAEB24C2B3851D6427B c:windows$NtServicePackUninstall$ntmssvc.dll
[-] 2008-04-14 16:10 436736 8E6A3AAC5A889AD59479A05A990E8ED3 c:windowsServicePackFilesi386ntmssvc.dll
[-] 2008-04-14 16:10 436736 8E6A3AAC5A889AD59479A05A990E8ED3 c:windowssystem32ntmssvc.dll[-] 2004-08-18 12:00 89088 2320D8107BAF5284381F70E28751104A c:windows$NtServicePackUninstall$rasauto.dll
[-] 2008-04-14 16:10 88576 C7F1C27D7CD10B86079CB62800974880 c:windowsServicePackFilesi386rasauto.dll
[-] 2008-04-14 16:10 88576 C7F1C27D7CD10B86079CB62800974880 c:windowssystem32rasauto.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-07-04_09.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-18 10:33 . 2009-07-18 10:33 16384 c:windowsTempPerflib_Perfdata_504.dat
+ 2009-07-18 09:29 . 2009-07-18 09:29 16384 c:windowsTempPerflib_Perfdata_2c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»d:daemon tools litedaemon.exe» [2008-07-24 490952]
«ctfmon.exe»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2008-04-14 1695232]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«kav»=»c:program filesKaspersky LabKaspersky Anti-Virus 6.0avp.exe» [2006-03-24 139367]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-07-13 8466432]
«MAgent»=»E:MAgent.exe» [2009-06-01 5603000]
«Ulead Photo Express Calendar Checker»=»c:program filesUlead SystemsUlead Photo Express 5 SEcalcheck.exe» [2004-01-12 69632]
«SoundMAXPnP»=»c:program filesAnalog DevicesCoresmax4pnp.exe» [2005-05-21 925696]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2007-07-13 1626112]
«NvMediaCenter»=»NvMCTray.dll» — c:windowssystem32nvmctray.dll [2007-07-13 81920]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» — c:windowssystem32hdashcut.exe [2005-12-26 61952][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-01-25 201728]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2007-07-02 132608][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-03-08 128512][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)
«EditLevel»= 0 (0x0)
«NoCommonGroups»= 0 (0x0)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoThumbnailCache»= 1 (0x1)
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\dpvsetup.exe»=
«c:\Program Files\Metin2_RU\metin2.bin»=
«c:\WINDOWS\system32\mmc.exe»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileIcmpSettings]
«AllowInboundEchoRequest»= 1 (0x1)
«AllowInboundTimestampRequest»= 1 (0x1)
«AllowInboundMaskRequest»= 1 (0x1)
«AllowInboundRouterRequest»= 1 (0x1)
«AllowOutboundParameterProblem»= 0 (0x0)S2 cglptnt;cglptnt;c:windowssystem32DRIVERScglptnt.sys [2007-09-06 7888]
S2 NwSapAgent;Агент SAP;c:windowssystem32svchost.exe [2008-04-14 14336][HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP
.
Contents of the ‘Scheduled Tasks’ folder2009-07-18 c:windowsTasksUser_Feed_Synchronization-{567CECAE-CA91-4173-9C96-3E2C56356C82}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]2009-07-18 c:windowsTasksUser_Feed_Synchronization-{BFE786AA-C4C3-4355-BCE7-4C91AB78EB8A}.job
— c:windowssystem32msfeedssync.exe [2008-06-10 00:31]
.
.
Supplementary Scan
.
uStart Page = http://www.mail.ru
uInternet Settings,ProxyOverride =
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — E:magent.exe
TCP: {186459A1-0A8D-4FA8-875F-C2D9741A2840} = 80.95.32.19 80.95.32.20
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 14:35
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-57989841-2139871995-725345543-500SoftwareMicrosoftSystemCertificatesAddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(804)
c:windowssystem32cscdll.dll
c:windowssystem32klogon.dll— — — — — — — > ‘explorer.exe'(3104)
c:windowssystem32WININET.dll
c:windowssystem32nview.dll
c:program filesPunto Switchercorrect.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Other Running Processes
.
c:windowssystem32scardsvr.exe
c:windowssystem32netdde.exe
c:windowssystem32clipsrv.exe
c:windowssystem32imapi.exe
c:windowssystem32nvsvc32.exe
c:windowssystem32tcpsvcs.exe
c:windowssystem32snmp.exe
c:windowssystem32rundll32.exe
c:windowssystem32rundll32.exe
c:windowssystem32wscntfy.exe
c:program filesOperaopera.exe
.
**************************************************************************
.
Completion time: 2009-07-18 14:45 — machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 10:45
ComboFix2.txt 2009-07-12 18:24
ComboFix3.txt 2009-07-06 04:44
ComboFix4.txt 2009-07-05 16:06
ComboFix5.txt 2009-07-18 10:13Pre-Run: 5 315 592 192 байт свободно
Post-Run: 5 246 828 544 байт свободно334 — E O F — 2009-06-11 12:55
- Для ответа в этой теме необходимо авторизоваться.
