- This topic has 1 ответ, 2 участника, and was last updated 16 years, 3 months назад by
.
-
Сообщения
-
ComboFix 09-02-02.04 — Admin 2009-02-03 23:34:22.4 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.1023.437 [GMT 3:00]
Running from: c:documents and settingsAdminРабочий столComboFix.exe
Command switches used :: c:documents and settingsAdminРабочий столCFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090203-0] *On-access scanning disabled* (Updated)
* Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:documents and settingsAll UsersApplication Datamvvlib.dll
c:windowssystem32stu2.exe
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAdminLocal SettingsTemporary Internet Files0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files15913497_F86C_4218_8817_F50940D1E1B2.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files29887DDE_00B9_4011_9CF7_59511F1ECC1B.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files362FD6E8_8CDA_4c2a_A8AA-BDA22B321711.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files3DF04940_9866_4241_A998_0CDDFAFD147A.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files426500D7_0FF3_426c_828D_065DBAEA0581.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files478BD4AE_2691_438d_BDCA_3485DC022700.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files5C6C645F_BAA8_4149_BFEB_2031230FF0FD.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files61EA7D69_19D4_421a_A899_0DF4D58CD119.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files8DA878D5_E80B_4721_B75A_17EFFAF1A700.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files98F6DF79_7171_452d_9C26_C0193E12DBDF.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesA2B240D6_0386_419e_91C5_3F7D90437CD0.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesC75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesE21285C1_40E6_435c_A69F_3387E7BD89CB.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet FilesE9A4D648_ED73_4ea7_88B2_18332DBA4F3E.gif.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.2009-01-31 14:14 . 2009-02-03 20:58
d
c:program filesRambler Assistant
2009-01-31 14:14 . 2009-02-02 17:23d
c:program filesICQ6.5
2009-01-31 14:14 . 2009-01-31 14:14d
c:documents and settingsAdminApplication Datarambler.ru
2009-01-31 14:14 . 2009-02-02 17:09d
c:documents and settingsAdminApplication DataICQ
2009-01-31 11:15 . 2009-01-31 11:17d
c:windowssystem32XPSViewer
2009-01-31 11:14 . 2009-01-31 11:14d
c:windowssystem32xlive
2009-01-31 11:14 . 2009-01-31 11:14d
c:program filesReference Assemblies
2009-01-31 11:14 . 2009-01-31 11:14d
c:program filesMicrosoft Games for Windows — LIVE
2009-01-31 11:14 . 2006-06-29 13:07 22,752 —a
c:windowssystem32spupdsvc.exe
2009-01-31 11:14 . 2006-06-29 13:07 14,048
c:windowssystem32spmsg2.dll
2009-01-31 11:13 . 2009-01-31 11:13d
c:windowsLogs
2009-01-26 19:00 . 2009-01-26 19:00d
c:program filesCommon FilesAdobe
2009-01-26 18:46 . 2009-01-26 18:46 16,131 —a
C:a_6b42045f.jpg
2009-01-25 11:37 . 2009-01-25 11:37d
c:documents and settingsAdminApplication DataNero
2009-01-25 11:33 . 2009-01-25 11:33d
c:program filesNero
2009-01-25 11:33 . 2009-01-25 11:33d
c:program filesCommon FilesNero
2009-01-25 11:33 . 2008-06-24 13:45 3,036,456 —a
c:windowssystem32BCGCBPRO860u80.dll
2009-01-25 11:33 . 2006-03-17 12:45 1,757,184 —a
c:windowssystem32imagX7.dll
2009-01-25 11:33 . 2006-03-17 12:45 802,816 —a
c:windowssystem32imagXRA7.dll
2009-01-25 11:33 . 2006-03-17 12:45 497,296 —a
c:windowssystem32imagXpr7.dll
2009-01-25 11:33 . 2006-03-17 15:49 368,640 —a
c:windowssystem32TwnLib4.dll
2009-01-25 11:33 . 2006-03-17 12:45 258,048 —a
c:windowssystem32imagXR7.dll
2009-01-25 11:33 . 2008-06-08 09:30 206,120 —a
c:windowssystem32BCGCBProResRUS.nls
2009-01-25 11:33 . 2008-06-06 14:54 193,832 —a
c:windowssystem32NeroBurnRights.cpl
2009-01-25 11:33 . 2008-06-24 13:45 33,576 —a
c:windowssystem32BCGPOleAcc.dll
2009-01-20 23:57 . 2009-01-20 23:57 254,106 —a
C:htr.jpg
2009-01-20 23:54 . 2009-01-20 23:54 317,674 —a
C:brabus_jpg_3dcar.jpg
2009-01-20 23:38 . 2009-01-20 23:38 35,934 —a
C:Dragster_70_Render-1.jpg
2009-01-20 23:36 . 2009-01-20 23:36 108,734 —a
C:Resize_of_027_3.jpg
2009-01-20 23:23 . 2009-01-20 23:23 62,729 —a
C:metro62.gif
2009-01-19 16:24 . 2009-01-19 16:24 1,336,560 —a
C:CCleaner.exe
2009-01-18 21:59 . 2009-01-18 21:59 141,688 —a
C:audi_pickup_arg-1_s.jpg
2009-01-18 21:57 . 2009-01-18 21:57 142,889 —a
C:rfsfrew.jpg
2009-01-18 21:55 . 2009-01-18 21:55 850,075 —a
C:main.jpg
2009-01-18 21:53 . 2009-01-18 21:53 81,202 —a
C:big_paganizondar_04.jpg
2009-01-18 21:53 . 2009-01-18 21:53 56,431 —a
C:volvo-sc90-concept-6-lg.jpg
2009-01-18 21:52 . 2009-01-18 21:52 68,533 —a
C:big_paganizondar_03.jpg
2009-01-18 21:52 . 2009-01-18 21:52 68,047 —a
C:big_paganizondar_02.jpg
2009-01-18 21:51 . 2009-01-18 21:51 54,631 —a
C:19.jpg
2009-01-18 21:49 . 2009-01-18 21:49 100,497 —a
C:dodge.jpg
2009-01-18 21:49 . 2009-01-18 21:49 81,733 —a
C:GT-R.jpg
2009-01-18 13:49 . 2009-01-18 13:49 322,048 —a
c:documents and settingsAll UsersApplication Datawbklib.dll
2009-01-17 11:51 . 2008-08-19 20:15 26,368 —a—c— c:windowssystem32dllcacheusbstor.sys
2009-01-16 23:08 . 2009-01-16 23:08 73,133 —a
C:j2iGWr6rRjQf.jpg
2009-01-16 23:07 . 2009-01-16 23:07 71,476 —a
C:m1rsgS3ymdpB.jpg
2009-01-16 10:36 . 2009-01-16 10:36d
c:documents and settingsAdminApplication DataCodemasters
2009-01-15 23:33 . 2009-01-15 23:33 195,846 —a
C:d.jpg
2009-01-15 23:30 . 2009-01-15 23:30 153,264 —a
C:sdfasesdvfsde.jpg
2009-01-15 12:44 . 2006-10-26 19:56 32,592 —a
c:windowssystem32msonpmon.dll
2009-01-15 12:42 . 2009-01-31 11:16d
c:program filesMSBuild
2009-01-15 12:42 . 2009-01-15 12:42d
c:program filesMicrosoft Works
2009-01-15 12:41 . 2009-01-15 12:41d
c:program filesMicrosoft.NET
2009-01-15 12:39 . 2009-01-15 12:39d
c:program filesMicrosoft Visual Studio 8
2009-01-15 12:39 . 2009-01-15 12:47d
c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-01-15 12:38 . 2009-01-15 12:38dr-h
C:MSOCache
2009-01-15 12:35 . 2009-01-15 12:35 356,645 —a
C:ЗАЯ Т.jpg
2009-01-15 12:34 . 2009-01-15 12:34 200,901 —a
C:ЗАЯ СТ.jpg
2009-01-15 12:33 . 2009-01-15 12:33 331,990 —a
C:ЗАЯ СТАРАЯ.jpg
2009-01-15 12:32 . 2009-01-15 12:32 173,255 —a
C:.jpg
2009-01-15 12:21 . 2009-01-15 23:34d
c:program filesСтудия Эффектов
2009-01-15 12:06 . 2009-01-15 12:06 394 —a
c:windowsODBC.INI
2009-01-15 12:04 . 2009-01-15 12:46d
c:windowsShellNew
2009-01-14 17:56 . 2009-01-14 17:56d
c:program filesAdvanced Registry Optimizer
2009-01-14 17:56 . 2009-01-14 17:56d
c:documents and settingsAdminApplication DataSammsoft
2009-01-14 16:54 . 2009-01-14 16:54 19,403 —a
C:0399019.jpg.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 11:14
d—h—w c:program filesInstallShield Installation Information
2009-01-25 09:52
d
w c:documents and settingsAll UsersApplication DataAlawarWrapper
2009-01-14 15:15
d
w c:program filesAlwil Software
2001-06-01 05:26 16,384 —sha-w c:windowssystem32configsystemprofileCookiesindex.dat
2001-06-01 05:26 16,384 —sha-w c:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
2001-06-01 05:26 32,768 —sha-w c:windowssystem32configsystemprofileLocal SettingsTemporary Internet FilesContent.IE5index.dat
.
Sigcheck
2008-08-19 19:23 579072 23b7d3f3f5ec8feea75ec381c71cbd5e c:windowssystem32user32.dll2008-08-19 19:23 952832 40b6ea7c0d015c1c7589d6c522e6788c c:windowssystem32wininet.dll
2008-08-19 19:20 361600 6a104ba98d99d53ab0c91825ce659fc6 c:windowssystem32driverstcpip.sys
2008-08-19 19:22 1721344 62ea07edf5e3f3ff34eff9bf7619bc64 c:windowsexplorer.exe
2008-08-19 19:21 30208 b8b35f99dadaa5459fba639f20045fe2 c:windowssystem32ctfmon.exe
2008-08-19 19:23 80584 12c93b7a07d53f41af31e3ae2276328d c:windowssystem32wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerURLSearchHooks]
«{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}»= «c:program filesWinamp Toolbarwinamptb.dll» [2008-07-16 1266992][HKEY_CLASSES_ROOTclsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOTTypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch][HKEY_LOCAL_MACHINE~Browser Helper Objects{757C3BA9-39A6-4257-A4E5-933E838219C8}]
2009-01-18 13:49 322048 —a
c:documents and settingsAll UsersApplication Datawbklib.dll[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-08-19 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]
«Orb»=»c:program filesWinamp RemotebinOrbTray.exe» [2008-04-01 507904]
«Steam»=»c:gamesteam.exe» [2001-06-07 1410296]
«AROReminder»=»c:program filesAdvanced Registry Optimizeraro.exe» [2008-08-22 2084480]
«ICQ»=»c:program filesICQ6.5ICQ.exe» [2008-11-30 172792][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2001-06-01 5598392]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-10-07 13574144]
«SW20″=»c:windowssystem32sw20.exe» [2006-12-15 208896]
«SW24″=»c:windowssystem32sw24.exe» [2006-12-15 69632]
«WinSys2″=»c:windowssystem32winsys2.exe» [2006-04-29 208896]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-10-07 86016]
«WinampAgent»=»c:program filesWinampwinampa.exe» [2008-08-04 36352]
«avast!»=»c:progra~1ALWILS~1Avast4ashDisp.exe» [2008-11-26 81000]
«GrooveMonitor»=»c:program filesMicrosoft OfficeOffice12GrooveMonitor.exe» [2006-10-27 31016]
«SoundMan»=»SOUNDMAN.EXE» [2006-08-03 c:windowsSOUNDMAN.EXE]
«nwiz»=»nwiz.exe» [2008-10-07 c:windowssystem32nwiz.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-08-19 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» [2008-08-19 c:windowssystem32advpack.dll]
«IE7_012″=»advpack.dll» [2008-08-19 c:windowssystem32advpack.dll][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=
«c:\WINDOWS\system32\lxdncoms.exe»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnpswx.exe»=
«c:\WINDOWS\system32\spool\drivers\w32x86\3\lxdnjswx.exe»=
«c:\Program Files\Winamp Remote\bin\Orb.exe»=
«c:\Program Files\Winamp Remote\bin\OrbTray.exe»=
«c:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
«c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«c:\Program Files\Microsoft Office\Office12\GROOVE.EXE»=
«c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE»=
«c:\Program Files\ICQ6.5\ICQ.exe»=R1 aswSP;avast! Self Protection;c:windowssystem32driversaswSP.sys [2009-01-14 111184]
R2 aswFsBlk;aswFsBlk;c:windowssystem32driversaswFsBlk.sys [2009-01-14 20560]
R2 lxdn_device;lxdn_device;c:windowssystem32lxdncoms.exe -service —> c:windowssystem32lxdncoms.exe -service [?]— Other Services/Drivers In Memory —
*NewlyCreated* — WUAUSERV
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{2a2abf3a-e46a-11dd-a675-001617bda0d3}]
ShellAutoRuncommand — c:windowssystem32RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycledctfmon.exe
ShellOpen(0)command — Recycledctfmon.exe
.
.
Supplementary Scan
.
uStart Page = hxxp://www.rambler.ru/ri6
mStart Page = hxxp://mail.ru
IE: &AOL Toolbar Search — c:documents and settingsAll UsersApplication DataAOLieToolbarresourcesen-USlocalsearch.html
IE: &Winamp Search — c:documents and settingsAll UsersApplication DataWinamp ToolbarieToolbarresourcesen-USlocalsearch.html
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~1Office12EXCEL.EXE/3000
IE: Добавить в Rambler-Закладки — c:program filesRambler AssistantramblertoolbarU0.dll/zakladki.htm
IE: Найти с помощью Рамблера — c:program filesRambler AssistantramblertoolbarU0.dll/search.htm
IE: Перевести с помощью словарей Рамблера — c:program filesRambler AssistantramblertoolbarU0.dll/dic.htm
IE: Поиск@Mail.Ru — c:program filesMail.RuSputnikMailRuSputnik.dll/282
IE: Словари@Mail.Ru — c:program filesMail.RuSputnikMailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 23:35:17
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(684)
c:windowssystem32SETUPAPI.dll
c:windowssystem32cscui.dll— — — — — — — > ‘lsass.exe'(740)
c:windowssystem32setupapi.dll
.
Completion time: 2009-02-03 23:36:01
ComboFix-quarantined-files.txt 2009-02-03 20:35:59
ComboFix2.txt 2009-02-03 20:17:01Pre-Run: 49 908 469 760 байт свободно
Post-Run: 49,895,403,520 байт свободноCurrent=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
229Здравствуйте, добро пожаловать на Spyware-ru форум.
Откройте блокнот (Кликните Пуск, Выполнить, в строке ввода введите notepad и нажмите Enter) и вставьте в него следующий текст:
Registry::
[-HKEY_LOCAL_MACHINE~Browser Helper Objects{757C3BA9-39A6-4257-A4E5-933E838219C8}]
[-HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{2a2abf3a-e46a-11dd-a675-001617bda0d3}]
File::
c:Recycledctfmon.exe
c:documents and settingsAll UsersApplication Datawbklib.dllЗапишите получившийся файл на ваш рабочий стол под именем CFScript
Далее перетащите получившийся файл на иконку Combofix, как показано на картинке ниже.
Сombofix запуститься и выполнит процедуры описанные в созданном нами файле.
По результатам работы Combofix будет создан новый лог, его и вставьте в свой следующий ответ.
И конечно-же проверьте InternetExplorer в работе.
- Для ответа в этой теме необходимо авторизоваться.
