Virus blocks all antivirus programs: a similar problem
This topic has 6 replies, 2 participants, and was last updated 16 years ago by Admin.
19 August 2009 at 5:30 pm #17015
Hello! I have a problem similar to the ones described above. Following the instructions, I scanned the computer; please help. Here is the log file:
ComboFix 09-08-18.04 — User 19.08.2009 23:17.2.2 — NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1022.626 [GMT 6:00]
Running from: c:documents and settingsUser.CRAZYРабочий столComboFix.exe
Command switches used :: c:documents and settingsUser.CRAZYРабочий столWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Антивирус Касперского *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Outdated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
—- Previous Run
.
C:desktop.ini
c:documents and settingsLocalServiceApplication Datasysproc64sysproc32.sys
c:documents and settingsNetworkServiceApplication Datasysproc64sysproc32.sys
c:documents and settingsUser.CRAZYGooglesetupext.dat
c:program filesMail.RuAgentMradllnewmrasearch.dll
c:restorek-1-3542-4232123213-7676767-8888886Desktop.ini
c:restoreS-1-5-21-1482476501-1644491937-682003330-1013Desktop.ini
c:windowssystem32sysproc64sysproc32.sys
c:windowssystem32sysproc64sysproc86.sys
c:windowswiaservb.log

Infected copy of c:windowssystem32mspmsnsv.dll was found and disinfected
Restored copy from — c:windowsRegisteredPackages{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$SystemMsPMSNSv.dll.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_ASC3360PR
Service_asc3360pr

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.
2009-08-15 06:56 . 2009-08-15 07:08 d——w- c:program filesJimBot 0.3.6 RC3
2009-08-13 20:37 . 2009-08-19 16:25 d——w- C:Downloads
2009-08-12 13:01 . 2009-07-10 13:28 1315328 -c—-w- c:windowssystem32dllcachemsoe.dll
2009-08-11 18:39 . 2009-08-19 15:49 d——w- c:documents and settingsUser.CRAZYApplication DataSkype
2009-08-11 18:38 . 2009-08-12 13:06 d——w- c:program filesSkype
2009-08-10 14:15 . 2009-08-19 16:07 d——w- c:program filesРуоф(Финал грация)
2009-08-10 11:07 . 2009-08-10 11:07 d——w- c:documents and settingsUser.CRAZYApplication DataYandex
2009-08-09 13:39 . 2009-08-09 13:39 d——w- c:documents and settingsAll UsersApplication DataSkype
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c—-w- c:windowssystem32dllcachemswebdvd.dll
2009-08-02 07:31 . 2009-08-02 07:36 d——w- c:program filesAntiBK by ergash
2009-08-02 07:30 . 2009-08-02 07:30 d——w- c:program filesAnekdot
2009-07-26 10:08 . 2009-07-26 10:09 d——w- c:documents and settingsUser.CRAZYApplication DataWeather Clock
2009-07-21 05:29 . 2009-07-21 05:29 d——w- c:windowsie8updates
2009-07-20 19:01 . 2009-08-19 12:33 d——w- c:program filesChatICQ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 17:07 . 2006-01-31 08:49 75070 —-a-w- c:windowssystem32perfc019.dat
2009-08-19 17:07 . 2006-01-31 08:49 442878 —-a-w- c:windowssystem32perfh019.dat
2009-08-19 16:49 . 2009-06-20 05:03 d——w- c:program filesWindows Live Safety Center
2009-08-05 09:01 . 2006-01-31 08:49 204800 —-a-w- c:windowssystem32mswebdvd.dll
2009-07-27 08:01 . 2008-11-11 15:33 d——w- c:program filesLineAge II (Камаель)
2009-07-17 19:03 . 2006-01-31 08:48 58880 —-a-w- c:windowssystem32atl.dll
2009-07-17 02:37 . 2009-06-30 14:29 d——w- c:program filesWarcraft III
2009-07-13 17:43 . 2006-01-31 08:49 286208 —-a-w- c:windowssystem32wmpdxm.dll
2009-07-03 17:00 . 2006-01-31 08:49 915456 —-a-w- c:windowssystem32wininet.dll
2009-06-25 08:27 . 2006-01-31 08:49 54272 —-a-w- c:windowssystem32wdigest.dll
2009-06-25 08:27 . 2006-01-31 08:49 56832 —-a-w- c:windowssystem32secur32.dll
2009-06-25 08:27 . 2006-01-31 08:49 147456 —-a-w- c:windowssystem32schannel.dll
2009-06-25 08:27 . 2006-01-31 08:49 136192 —-a-w- c:windowssystem32msv1_0.dll
2009-06-25 08:27 . 2006-01-31 08:49 732160 —-a-w- c:windowssystem32lsasrv.dll
2009-06-25 08:27 . 2006-01-31 08:49 301568 —-a-w- c:windowssystem32kerberos.dll
2009-06-24 11:18 . 2006-01-31 08:49 92928 —-a-w- c:windowssystem32driversksecdd.sys
2009-06-21 04:37 . 2009-01-19 17:50 d——w- c:program filesla2
2009-06-21 04:37 . 2006-02-01 07:01 d——w- c:program filesltmoh
2009-06-21 04:36 . 2008-12-04 17:25 d——w- c:program filesThe Incredibles
2009-06-21 04:36 . 2008-11-12 08:52 d——w- c:program filesTeamspeak2_RC2
2009-06-20 04:51 . 2009-06-20 04:51 25792 —-a-w- c:documents and settingsUser.CRAZYLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-06-20 04:51 . 2009-06-20 04:51 133 —-a-w- c:documents and settingsUser.CRAZYLocal SettingsApplication Datafusioncache.dat
2009-06-20 03:42 . 2009-06-20 03:42 721904 —-a-w- c:windowssystem32driverssptd.sys
2009-06-16 14:40 . 2006-01-31 08:49 119808 —-a-w- c:windowssystem32t2embed.dll
2009-06-16 14:40 . 2006-01-31 08:49 81920 —-a-w- c:windowssystem32fontsub.dll
2009-06-15 10:45 . 2006-01-31 08:49 79872 —-a-w- c:windowssystem32telnet.exe
2009-06-10 14:14 . 2006-01-31 08:48 85504 —-a-w- c:windowssystem32avifil32.dll
2009-06-10 06:16 . 2006-01-31 08:49 132096 —-a-w- c:windowssystem32wkssvc.dll
2009-06-10 03:21 . 2006-01-31 06:59 2066432 —-a-w- c:windowssystem32mstscax.dll
2009-06-03 19:11 . 2006-01-31 08:49 1292800 —-a-w- c:windowssystem32quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«TOSCDSPD»=»c:program filesTOSHIBATOSCDSPDtoscdspd.exe» [2005-04-12 147456]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«ATICCC»=»c:program filesATI TechnologiesATI.ACEcli.exe» [2005-08-12 45056]
«SynTPEnh»=»c:program filesSynapticsSynTPSynTPEnh.exe» [2005-12-16 831577]
«THotkey»=»c:program filesToshibaToshiba Appletthotkey.exe» [2006-01-05 352256]
«Tvs»=»c:program filesTOSHIBATvsTvsTray.exe» [2005-11-30 151552]
«SmoothView»=»c:program filesTOSHIBAПрограмма TOSHIBA Zooming UtilitySmoothView.exe» [2005-05-12 270336]
«DLA»=»c:windowsSystem32DLADLACTRLW.EXE» [2005-10-06 122940]
«IntelZeroConfig»=»c:program filesIntelWirelessbinZCfgSvc.exe» [2005-12-05 667718]
«IntelWireless»=»c:program filesIntelWirelessBinifrmewrk.exe» [2005-11-28 602182]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2009-06-21 3110392]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2005-12-09 15691264]
«AGRSMMSG»=»AGRSMMSG.exe» — c:windowsagrsmmsg.exe [2005-10-15 157835]
«TPSMain»=»TPSMain.exe» — c:windowssystem32TPSMain.exe [2005-08-04 339968]
«NDSTray.exe»=»NDSTray.exe» [BU]
«TFncKy»=»TFncKy.exe» [BU]
«TDispVol»=»TDispVol.exe» — c:windowssystem32TDispVol.exe [2005-09-16 73728]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-14 15360]

c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
Bluetooth Manager.lnk — c:program filesToshibaBluetooth Toshiba StackTosBtMng.exe [2005-12-7 1888256]
Microsoft Office.lnk — c:program filesMicrosoft OfficeOffice10OSA.EXE [2001-2-13 161184]
Ускоренный запуск Adobe Reader.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2004-12-14 177152]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciessystem]
«DisableTaskMgr»= 1 (0x1)
«DisableRegistryTools»= 1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«UpdatesDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerSvc]
«AntiVirusOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«FirewallDisableNotify»=dword:00000001
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001
«UacDisableNotify»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\TPSMain.exe»=
«c:\WINDOWS\system32\Ati2evxx.exe»=
«c:\Program Files\TOSHIBA\Программа TOSHIBA Zooming Utility\SmoothView.exe»=
«c:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe»=
«c:\WINDOWS\system32\igfxsrvc.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe»=
«c:\Program Files\TOSHIBA\Элементы управления TOSHIBA\TFncKy.exe»=
«c:\WINDOWS\ALCMTR.EXE»=
«c:\Program Files\ATI Technologies\ATI.ACE\cli.exe»=
«c:\Program Files\Microsoft Office\Office10\OSA.EXE»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Toshiba\Toshiba Applet\thotkey.exe»=
«c:\Program Files\Synaptics\SynTP\SynTPEnh.exe»=
«c:\WINDOWS\system32\SNDVOL32.EXE»=
«c:\Program Files\Mail.Ru\Agent\magent.exe»=
«c:\Program Files\Windows Media Player\wmplayer.exe»=

R2 2GIS UpdateClientService;2GIS UpdateClientService;c:program files2gisUpdateClientWin32UpdateClientService.exe [17.09.2008 13:03 1134592]
R3 abp470n5;abp470n5;??c:windowssystem32driversjeiggq.sys —> c:windowssystem32driversjeiggq.sys [?]
S2 gupdate1c9b945b31ea302;Служба Google Update (gupdate1c9b945b31ea302);»c:program filesGoogleUpdateGoogleUpdate.exe» /svc —> c:program filesGoogleUpdateGoogleUpdate.exe [?]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP
.
Contents of the ‘Scheduled Tasks’ folder
.
— — — — ORPHANS REMOVED — — — —

HKCU-Run-WeatherClock — c:documents and settingsUser.CRAZYРабочий столWeather ClockWeatherClock.exe
HKCU-Run-EleFunAnimatedWallpaper — (no file)
HKCU-Run-Weather Clock — (no file)
HKLM-Run-Amazing3DAquariumWallpaper — (no file)
.
Supplementary Scan
.
uStart Page = hxxp://asterios.tm/index.php?
uInternet Connection Wizard,ShellNext = iexplore
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office10EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master — c:program filesDownload Masterdmieall.htm
IE: Закачать при помощи Download Master — c:program filesDownload Masterdmie.htm
IE: Передать на удаленную закачку DM — c:program filesDownload Masterremdown.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} — c:program filesDownload Masterdmaster.exe
TCP: {A74FCC24-17A8-4215-A123-A5FFBDEE43E5} = 10.11.245.254
TCP: {AB3A3B21-64E1-407C-8A52-8F3B0CB66CD9} = 217.195.208.2 217.195.211.2
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 23:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(920)
c:windowssystem32Ati2evxx.dll

— — — — — — — > ‘explorer.exe'(4252)
c:windowssystem32WININET.dll
c:windowssystem32TDispVol.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
c:windowssystem32TPwrCfg.DLL
c:windowssystem32TPwrReg.dll
c:windowssystem32TPSTrace.DLL
.
Completion time: 2009-08-19 23:25
ComboFix-quarantined-files.txt 2009-08-19 17:25

Pre-Run: 6 913 736 704 байт свободно
Post-Run: 6 754 074 624 байт свободно

Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
204 — E O F — 2009-08-15 21:16

27 August 2009 at 4:53 pm #25328
Hello, welcome to the Spyware-ru forum.
Open Notepad (click Start, Run, type notepad in the input box and press Enter) and paste the following text into it:
Driver::
abp470n5

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0
"DisableRegistryTools"=0

File::
c:\windows\system32\drivers\jeiggq.sys

Save the resulting file to your desktop under the name CFScript.
Then drag the resulting file onto the ComboFix icon, as shown in the picture below.
ComboFix will start and carry out the procedures described in the file we created.
When ComboFix finishes, a new log will be created; save it to your desktop.

Read the description of the Malwarebytes Anti-malware (MBAM) program.
Download it and scan your computer. Delete everything that is found. A log will be shown when it finishes.

I'm waiting for your MBAM log + ComboFix log.
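Added here as a worked example, not part of the thread or of ComboFix: a Python script that reads the Reg Loading Points section of a ComboFix log like the ones posted above and flags the policy and Security Center values that this reply's CFScript resets (Task Manager and Registry Editor lockout, antivirus and firewall overrides, firewall switched off). The rule table, function names and the sample log text are this example's own; the sample is constructed to mirror the posted log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for settings that
cripple the user's own defences. Added example: rule table, names and sample
log text are this example's own, not ComboFix's or the thread's."""
import re
from typing import Iterator, List, Optional, Tuple

# (substring that must occur in the lower-cased key path, value name, clean value)
RULES: List[Tuple[str, str, int]] = [
    ("\\policies\\system", "disabletaskmgr", 0),
    ("\\policies\\system", "disableregistrytools", 0),
    ("\\security center", "antivirusoverride", 0),
    ("\\security center", "firewalloverride", 0),
    ("\\security center", "antivirusdisablenotify", 0),
    ("\\security center", "firewalldisablenotify", 0),
    ("\\security center", "updatesdisablenotify", 0),
    ("\\security center", "uacdisablenotify", 0),
    ("\\firewallpolicy\\standardprofile", "enablefirewall", 1),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prints "Name"=value; forum software often turns the quotes into « ».
VALUE_RE = re.compile(r'^["«]([^"»]+)["»]\s*=\s*(.*)$')


def parse_int(raw: str) -> Optional[int]:
    """Decode the numeric forms ComboFix prints: 'dword:00000001' or ' 1 (0x1)'.
    String values and empty values (firewall exception lists) give None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def iter_values(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key path, value name, raw value) for each value line under a [key]."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def find_security_downgrades(log_text: str) -> List[Tuple[str, str, int, int]]:
    """Return (key path, value name, found, expected) for every rule-listed
    value whose setting differs from the clean one."""
    findings: List[Tuple[str, str, int, int]] = []
    for key, name, raw in iter_values(log_text):
        value = parse_int(raw)
        if value is None:
            continue
        for key_part, rule_name, expected in RULES:
            if key_part in key.lower() and name.lower() == rule_name and value != expected:
                findings.append((key, name, value, expected))
    return findings


# Constructed sample: the keys and values seen in the thread's first ComboFix
# log, written with the separators and quotes ComboFix itself prints.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed sample of a clean machine: same keys, default values, no findings.
CLEAN_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""

if __name__ == "__main__":
    for key, name, found, expected in find_security_downgrades(SAMPLE_LOG):
        print(f"[{key}] {name} = {found} (clean value: {expected})")
    print("clean log findings:", find_security_downgrades(CLEAN_LOG))
```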
27 September 2009 at 10:31 pm #25329
Here is the Malwarebytes Anti-malware log:
Malwarebytes’ Anti-Malware 1.41
Версия базы данных: 2866
Windows 5.1.2600 Service Pack 3

28.09.2009 4:25:54
mbam-log-2009-09-28 (04-25-54).txt

Тип проверки: Быстрая
Проверено объектов: 99529
Прошло времени: 4 minute(s), 10 second(s)

Заражено процессов в памяти: 0
Заражено модулей в памяти: 0
Заражено ключей реестра: 0
Заражено значений реестра: 0
Заражено параметров реестра: 3
Заражено папок: 0
Заражено файлов: 0

Заражено процессов в памяти:
(Вредоносные программы не обнаружены)

Заражено модулей в памяти:
(Вредоносные программы не обнаружены)

Заражено ключей реестра:
(Вредоносные программы не обнаружены)

Заражено значений реестра:
(Вредоносные программы не обнаружены)

Заражено параметров реестра:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterAntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterFirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterUpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Заражено папок:
(Вредоносные программы не обнаружены)

Заражено файлов:
(Вредоносные программы не обнаружены)

27 September 2009 at 10:32 pm #25330
+ ComboFix log
ComboFix 09-09-25.01 — User 28.09.2009 3:58.3.2 — NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1022.670 [GMT 6:00]
Running from: c:documents and settingsUser.CRAZYРабочий столComboFix.exe
Command switches used :: c:documents and settingsUser.CRAZYРабочий столCFScript.txt
AV: Антивирус Касперского *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Outdated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

FILE ::
«c:windowssystem32driversjeiggq.sys»
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:documents and settingsUser.CRAZYApplication DataMicrosoftClip Organizermstore10.mgc
c:documents and settingsUser.CRAZYApplication DataMicrosoftClip OrganizerOffic10.MGC
c:program filesMail.RuAgentMradllnewmrasearch.dll
c:windowsAlcmtr.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_ABP470N5
Service_abp470n5

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-27 19:20 . 2009-09-27 19:20 d——w- C:Downloads
2009-09-16 17:09 . 2009-09-16 17:09 d-sh—w- c:documents and settingsLocalServiceIETldCache
2009-09-14 14:35 . 2009-09-21 18:33 d——w- c:program filesGarena
2009-09-12 12:39 . 2008-11-03 13:03 7680 —-a-w- c:windowssystem32driversmassfilter.sys
2009-09-12 12:39 . 2008-11-03 13:02 104960 —-a-w- c:windowssystem32driversZTEusbser6k.sys
2009-09-12 12:39 . 2008-11-03 13:01 104960 —-a-w- c:windowssystem32driversZTEusbnmea.sys
2009-09-12 12:39 . 2008-11-03 13:01 104960 —-a-w- c:windowssystem32driversZTEusbmdm6k.sys
2009-09-12 12:39 . 2009-09-12 12:39 d——w- c:program filesZTEMF626
2009-09-12 03:51 . 2009-06-21 21:48 153088 -c—-w- c:windowssystem32dllcachetriedit.dll
2009-09-11 20:03 . 2009-09-12 12:39 d——w- c:windowssystem32SupportAppXL
2009-09-08 05:38 . 2009-09-08 06:24 d——w- c:documents and settingsUser.CRAZYApplication DataSAMSUNG
2009-09-08 05:20 . 2005-12-22 06:24 11188 —-a-w- c:windowssystem32driverssscdwhnt.sys
2009-09-08 05:20 . 2005-12-22 06:24 11188 —-a-w- c:windowssystem32driverssscdwh.sys
2009-09-08 05:20 . 2005-12-22 06:24 137884 —-a-w- c:windowssystem32driverssscdmdm.sys
2009-09-08 05:20 . 2005-12-22 06:24 11877 —-a-w- c:windowssystem32driverssscdcmnt.sys
2009-09-08 05:20 . 2005-12-22 06:24 11877 —-a-w- c:windowssystem32driverssscdcm.sys
2009-09-08 05:20 . 2005-12-22 06:24 10864 —-a-w- c:windowssystem32driverssscdmdfl.sys
2009-09-08 05:20 . 2005-12-22 06:24 80272 —-a-w- c:windowssystem32driverssscdbus.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 19:56 . 2008-11-11 15:33 d——w- c:program filesLineAge II (Камаель)
2009-09-26 17:18 . 2009-08-10 14:15 d——w- c:program filesРуоф(Финал грация)
2009-09-25 09:30 . 2009-01-19 17:50 d——w- c:program filesla2
2009-09-21 20:42 . 2009-06-30 14:29 d——w- c:program filesWarcraft III
2009-09-20 18:40 . 2009-08-11 18:39 d——w- c:documents and settingsUser.CRAZYApplication DataSkype
2009-09-20 06:14 . 2008-12-16 06:10 d——w- c:program filesQIP
2009-09-18 20:16 . 2009-03-24 16:40 d——w- c:program filesOpera
2009-09-12 12:39 . 2006-02-01 06:42 d—h—w- c:program filesInstallShield Installation Information
2009-08-24 17:46 . 2008-11-02 13:02 d——w- c:documents and settingsUser.CRAZYApplication DataMra
2009-08-23 06:24 . 2009-06-20 04:51 25792 —-a-w- c:documents and settingsUser.CRAZYLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-08-23 05:23 . 2006-01-31 08:49 84482 —-a-w- c:windowssystem32perfc019.dat
2009-08-23 05:23 . 2006-01-31 08:49 484908 —-a-w- c:windowssystem32perfh019.dat
2009-08-23 05:17 . 2009-08-23 05:17 d——w- c:program filesMSBuild
2009-08-23 05:17 . 2009-08-23 05:17 d——w- c:program filesReference Assemblies
2009-08-19 17:39 . 2009-08-19 17:39 d——w- c:documents and settingsUser.CRAZYApplication DataMalwarebytes
2009-08-19 17:39 . 2009-08-19 17:39 d——w- c:documents and settingsAll UsersApplication DataMalwarebytes
2009-08-19 16:49 . 2009-06-20 05:03 d——w- c:program filesWindows Live Safety Center
2009-08-15 07:08 . 2009-08-15 06:56 d——w- c:program filesJimBot 0.3.6 RC3
2009-08-12 13:06 . 2009-08-11 18:38 d——w- c:program filesSkype
2009-08-10 11:07 . 2009-08-10 11:07 d——w- c:documents and settingsUser.CRAZYApplication DataYandex
2009-08-09 13:39 . 2009-08-09 13:39 d——w- c:documents and settingsAll UsersApplication DataSkype
2009-08-05 09:01 . 2006-01-31 08:49 204800 —-a-w- c:windowssystem32mswebdvd.dll
2009-08-02 07:36 . 2009-08-02 07:31 d——w- c:program filesAntiBK by ergash
2009-08-02 07:30 . 2009-08-02 07:30 d——w- c:program filesAnekdot
2009-07-17 19:03 . 2006-01-31 08:48 58880 —-a-w- c:windowssystem32atl.dll
2009-07-13 17:43 . 2006-01-31 08:49 286208 —-a-w- c:windowssystem32wmpdxm.dll
2009-07-03 17:00 . 2006-01-31 08:49 915456 —-a-w- c:windowssystem32wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«TOSCDSPD»=»c:program filesTOSHIBATOSCDSPDtoscdspd.exe» [2005-04-12 147456]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«ATICCC»=»c:program filesATI TechnologiesATI.ACEcli.exe» [2005-08-12 45056]
«SynTPEnh»=»c:program filesSynapticsSynTPSynTPEnh.exe» [2005-12-16 831577]
«THotkey»=»c:program filesToshibaToshiba Appletthotkey.exe» [2006-01-05 352256]
«Tvs»=»c:program filesTOSHIBATvsTvsTray.exe» [2005-11-30 151552]
«SmoothView»=»c:program filesTOSHIBAПрограмма TOSHIBA Zooming UtilitySmoothView.exe» [2005-05-12 270336]
«DLA»=»c:windowsSystem32DLADLACTRLW.EXE» [2005-10-06 122940]
«IntelZeroConfig»=»c:program filesIntelWirelessbinZCfgSvc.exe» [2005-12-05 667718]
«IntelWireless»=»c:program filesIntelWirelessBinifrmewrk.exe» [2005-11-28 671814]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2009-08-24 7975608]
«autodetect»=»c:windowssystem32SupportAppXLAutoDect.exe» [2009-03-16 91648]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2005-12-09 15691264]
«AGRSMMSG»=»AGRSMMSG.exe» — c:windowsagrsmmsg.exe [2005-10-15 157835]
«TPSMain»=»TPSMain.exe» — c:windowssystem32TPSMain.exe [2005-08-04 339968]
«NDSTray.exe»=»NDSTray.exe» [BU]
«TFncKy»=»TFncKy.exe» [BU]
«TDispVol»=»TDispVol.exe» — c:windowssystem32TDispVol.exe [2005-09-16 73728]
«CFSServ.exe»=»CFSServ.exe» [BU]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-14 15360]

c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
Bluetooth Manager.lnk — c:program filesToshibaBluetooth Toshiba StackTosBtMng.exe [2005-12-7 1888256]
Microsoft Office.lnk — c:program filesMicrosoft OfficeOffice10OSA.EXE [2001-2-13 161184]
Ускоренный запуск Adobe Reader.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2004-12-14 177152]

[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciessystem]
«DisableTaskMgr»= 1 (0x1)
«DisableRegistryTools»= 1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerSvc]
«AntiVirusOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«FirewallDisableNotify»=dword:00000001
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001
«UacDisableNotify»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\WINDOWS\system32\TPSMain.exe»=
«c:\WINDOWS\system32\Ati2evxx.exe»=
«c:\Program Files\TOSHIBA\Программа TOSHIBA Zooming Utility\SmoothView.exe»=
«c:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe»=
«c:\WINDOWS\system32\igfxsrvc.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe»=
«c:\Program Files\TOSHIBA\Элементы управления TOSHIBA\TFncKy.exe»=
«c:\Program Files\ATI Technologies\ATI.ACE\cli.exe»=
«c:\Program Files\Microsoft Office\Office10\OSA.EXE»=
«c:\Program Files\Opera\opera.exe»=
«c:\Program Files\Toshiba\Toshiba Applet\thotkey.exe»=
«c:\Program Files\Synaptics\SynTP\SynTPEnh.exe»=
«c:\WINDOWS\system32\SNDVOL32.EXE»=
«c:\Program Files\Mail.Ru\Agent\magent.exe»=
«c:\Program Files\Windows Media Player\wmplayer.exe»=
«c:\Program Files\TOSHIBA\Tvs\TvsTray.exe»=
«c:\WINDOWS\system32\wuauclt.exe»=
«c:\WINDOWS\system32\SupportAppXL\AutoDect.exe»=
«c:\Program Files\2gis\UpdateClientWin32\UpdateClientService.exe»=
«c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe»=
«c:\WINDOWS\AGRSMMSG.exe»=
«c:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=
«c:\Program Files\ZTEMF626\USB-модем Билайн\UIMain.exe»=

R2 2GIS UpdateClientService;2GIS UpdateClientService;c:program files2gisUpdateClientWin32UpdateClientService.exe [17.09.2008 13:03 1212416]
S2 gupdate1c9b945b31ea302;Служба Google Update (gupdate1c9b945b31ea302);»c:program filesGoogleUpdateGoogleUpdate.exe» /svc —> c:program filesGoogleUpdateGoogleUpdate.exe [?]
S3 GarenaPEngine;GarenaPEngine;??c:docume~1USER~1.CRALOCALS~1TempCIPA.tmp —> c:docume~1USER~1.CRALOCALS~1TempCIPA.tmp [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:windowssystem32driversmassfilter.sys [12.09.2009 18:39 7680]

— Other Services/Drivers In Memory —
*NewlyCreated* — ABP470N5
[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
«c:windowssystem32rundll32.exe» «c:windowssystem32iedkcs32.dll»,BrandIEActiveSetup SIGNUP
.
.
Supplementary Scan
.
uStart Page = hxxp://asterios.tm/index.php?
uInternet Connection Wizard,ShellNext = iexplore
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office10EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master — c:program filesDownload Masterdmieall.htm
IE: Закачать при помощи Download Master — c:program filesDownload Masterdmie.htm
IE: Передать на удаленную закачку DM — c:program filesDownload Masterremdown.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} — c:program filesDownload Masterdmaster.exe
TCP: {A74FCC24-17A8-4215-A123-A5FFBDEE43E5} = 10.11.245.254
TCP: {AB3A3B21-64E1-407C-8A52-8F3B0CB66CD9} = 217.118.83.8 217.118.66.244
.
— — — — ORPHANS REMOVED — — — —

AddRemove-JimBot 0.3.6 — c:program filesJimBot 0.3.6
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 04:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(832)
c:windowssystem32Ati2evxx.dll

— — — — — — — > ‘explorer.exe'(2172)
c:windowssystem32WININET.dll
c:windowssystem32TDispVol.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
c:windowssystem32TPwrCfg.DLL
c:windowssystem32TPwrReg.dll
c:windowssystem32TPSTrace.DLL
.
Other Running Processes
.
c:windowssystem32ati2evxx.exe
c:program filesIntelWirelessBinEvtEng.exe
c:program filesIntelWirelessBinS24EvMon.exe
c:program filesToshibaConfigFreeCFSvcs.exe
c:program filesCommon FilesMicrosoft SharedVS7Debugmdm.exe
c:program filesIntelWirelessBinRegSrvc.exe
c:program filesToshibaTOSHIBA AppletTAPPSRV.exe
c:windowssystem32ati2evxx.exe
c:program filesSynapticsSynTPToshiba.exe
c:program filesToshibaConfigFreeNDSTray.exe
c:program filesToshibac:program filesToshibac:windowssystem32TDispVol.exe
c:windowssystem32TPSBattM.exe
c:program filesZTEMF626USB-c:program filesToshibaConfigFreeCFSServ.exe
c:program filesToshibaBluetooth Toshiba StackTosA2dp.exe
c:program filesToshibaBluetooth Toshiba StackTosBtHSP.exe
.
**************************************************************************
.
Completion time: 2009-09-27 4:10 — machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 22:10

Pre-Run: 3 866 918 912 байт свободно
Post-Run: 3 999 662 080 байт свободно

Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
225 — E O F — 2009-09-13 13:57

29 September 2009 at 5:52 pm #25331
Judging by the ComboFix log, you have several antivirus programs. I advise keeping only one.
Let's do an additional check.
Download RootRepeal by clicking this link or this link and unpack it to your desktop.
Click the RootRepeal.exe file to launch the program.
Open the Report tab, then click Scan. A window will open asking what to include in the log; select the items listed below and click OK.
* Drivers
* Files
* Processes
* SSDT
* Stealth Objects
* Hidden Services
At the next step you will be asked which drive to scan; select C: and click OK again, after which the scan will start. When the scan finishes, click Save Report to save the log.

I'm waiting for the contents of the resulting log.
29 September 2009 at 7:59 pm #25332
Hello. Actually, I don't have a single antivirus installed right now, but at one time I had Doctor Web and Kaspersky.
Here is the log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 01:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xAA7A7000 Size: 98304 File Visible: No Signed: —
Status: —

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xF7B8E000 Size: 8192 File Visible: No Signed: —
Status: —

Name: jeiggq.sys
Image Path: C:WINDOWSsystem32driversjeiggq.sys
Address: 0xF7B8C000 Size: 5184 File Visible: No Signed: —
Status: —

Name: PCI_PNP4036
Image Path: DriverPCI_PNP4036
Address: 0x00000000 Size: 0 File Visible: No Signed: —
Status: —

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xA787E000 Size: 49152 File Visible: No Signed: —
Status: —

Name: sphv.sys
Image Path: sphv.sys
Address: 0xF7534000 Size: 1052672 File Visible: No Signed: —
Status: —

Name: sptd
Image Path: Driversptd
Address: 0x00000000 Size: 0 File Visible: No Signed: —
Status: —

Hidden/Locked Files
Path: C:hiberfil.sys
Status: Locked to the Windows API!

Path: c:documents and settingsuser.crazyapplication dataoperaoperaglobal_history.dat
Status: Size mismatch (API: 167377, Raw: 167354)

Path: C:Documents and SettingsUser.CRAZYLocal SettingsTemporary Internet FilesContent.IE56WECTJDKWMPac69e14e-df62-4b68-b57a-b0fd843ae4a6[1]..jpg
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingsUser.CRAZYLocal SettingsTemporary Internet FilesContent.IE5FANY9B8KWMP2df5b2b1-461b-4183-abfc-50bdc023efeb[1]..jpg
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingsUser.CRAZYLocal SettingsApplication DataOperaOperacacheopr00OR2
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingsUser.CRAZYLocal SettingsApplication DataOperaOperacacheopr00OR3
Status: Visible to the Windows API, but not on disk.

Path: c:documents and settingsuser.crazylocal settingsapplication dataoperaoperaopcachedcache4.url
Status: Size mismatch (API: 31122, Raw: 30873)SSDT
#: 041 Function Name: NtCreateKey
Status: Hooked by «sphv.sys» at address 0xf75350e0#: 071 Function Name: NtEnumerateKey
Status: Hooked by «sphv.sys» at address 0xf7553ca4#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by «sphv.sys» at address 0xf7554032#: 119 Function Name: NtOpenKey
Status: Hooked by «sphv.sys» at address 0xf75350c0#: 160 Function Name: NtQueryKey
Status: Hooked by «sphv.sys» at address 0xf755410a#: 177 Function Name: NtQueryValueKey
Status: Hooked by «sphv.sys» at address 0xf7553f8a#: 247 Function Name: NtSetValueKey
Status: Hooked by «sphv.sys» at address 0xf755419cStealth Objects
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_READ]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x86dd4500 Size: 121

==EOF==
2 October 2009 at 3:16 pm #25333

Open Notepad (click Start, then Run, type notepad in the input box and press Enter) and paste the following text into it:

Driver::
jeiggq.sys
File::
C:\WINDOWS\system32\drivers\jeiggq.sys

Save the resulting file to your desktop under the name CFScript.
Then drag the resulting file onto the Combofix icon, as shown in the picture below.
Combofix will start and carry out the procedures described in the file we created.
When Combofix finishes it will create a new log; paste that log into your next reply. Also attach a fresh RootRepeal log.