- This topic has 1 ответ, 2 участника, and was last updated 15 years, 11 months назад by
.
-
Сообщения
-
Здравствуйте, аналогичная проблема. Только от всплывающих окон избавилась раньше, с помощью dr.web’овской утилиты CureIt. Только недавно заметила в списке программ эти два контента. Скачала комбофикс и сделала все, что было сказано. Вот мой лог-файл. Надеюсь поможете. Заранее спасибо
ComboFix 09-10-30.01 — Alena 31.10.2009 13:52.1.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2039.1387 [GMT 2:00]
Running from: c:documents and settingsAlenaРабочий столComboFix.exe
Command switches used :: c:documents and settingsAlenaРабочий столWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1351 [VPS 091030-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAlenaApplication DataFieryAds
c:documents and settingsAlenaApplication DataFieryAdsFieryAdsUninstall.exe
c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat
c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat
c:windowssystem32ieuinit.inf
c:windowssystem32images
c:windowssystem32imagestoolbarcalendar.gif
c:windowssystem32imagestoolbarcrlogo.gif
c:windowssystem32imagestoolbarexport.gif
c:windowssystem32imagestoolbarexport_over.gif
c:windowssystem32imagestoolbarexportd.gif
c:windowssystem32imagestoolbarFirst.gif
c:windowssystem32imagestoolbarfirst_over.gif
c:windowssystem32imagestoolbarFirstd.gif
c:windowssystem32imagestoolbargotopage.gif
c:windowssystem32imagestoolbargotopage_over.gif
c:windowssystem32imagestoolbargotopaged.gif
c:windowssystem32imagestoolbargrouptree.gif
c:windowssystem32imagestoolbargrouptree_over.gif
c:windowssystem32imagestoolbargrouptreed.gif
c:windowssystem32imagestoolbargrouptreepressed.gif
c:windowssystem32imagestoolbarLast.gif
c:windowssystem32imagestoolbarlast_over.gif
c:windowssystem32imagestoolbarLastd.gif
c:windowssystem32imagestoolbarNext.gif
c:windowssystem32imagestoolbarnext_over.gif
c:windowssystem32imagestoolbarNextd.gif
c:windowssystem32imagestoolbarPrev.gif
c:windowssystem32imagestoolbarprev_over.gif
c:windowssystem32imagestoolbarPrevd.gif
c:windowssystem32imagestoolbarprint.gif
c:windowssystem32imagestoolbarprint_over.gif
c:windowssystem32imagestoolbarprintd.gif
c:windowssystem32imagestoolbarRefresh.gif
c:windowssystem32imagestoolbarrefresh_over.gif
c:windowssystem32imagestoolbarrefreshd.gif
c:windowssystem32imagestoolbarSearch.gif
c:windowssystem32imagestoolbarsearch_over.gif
c:windowssystem32imagestoolbarsearchd.gif
c:windowssystem32imagestoolbarup.gif
c:windowssystem32imagestoolbarup_over.gif
c:windowssystem32imagestoolbarupd.gif
c:windowssystem32imagestreebegindots.gif
c:windowssystem32imagestreebeginminus.gif
c:windowssystem32imagestreebeginplus.gif
c:windowssystem32imagestreeblank.gif
c:windowssystem32imagestreeblankdots.gif
c:windowssystem32imagestreedots.gif
c:windowssystem32imagestreelastdots.gif
c:windowssystem32imagestreelastminus.gif
c:windowssystem32imagestreelastplus.gif
c:windowssystem32imagestreeMagnify.gif
c:windowssystem32imagestreeminus.gif
c:windowssystem32imagestreeminusbox.gif
c:windowssystem32imagestreeplus.gif
c:windowssystem32imagestreeplusbox.gif
c:windowssystem32imagestreesingleminus.gif
c:windowssystem32imagestreesingleplus.gif
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_R_SERVER
Service_r_server((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.2009-10-28 15:16 . 2009-10-28 15:18
d
w- c:program filesFoxit Software
2009-10-28 12:16 . 2009-10-28 12:16
d
w- c:program filesMicrosoft ActiveSync
2009-10-28 12:13 . 2009-10-28 12:13
d
r- C:MSOCache
2009-10-28 11:39 . 2007-04-09 09:23 28040 —-a-w- c:windowssystem32mdimon.dll
2009-10-28 11:36 . 2009-10-28 11:36
d
w- c:program filesMicrosoft Works
2009-10-28 11:35 . 2009-10-07 21:54
d
w- c:program filesMicrosoft.NET
2009-10-07 21:57 . 2009-10-07 21:57
d
w- c:windowssystem32js
2009-10-07 21:57 . 2009-10-07 21:57
d
w- c:windowssystem32html
2009-10-07 21:57 . 2009-10-07 21:57
d
w- c:windowssystem32css
2009-10-07 21:30 . 2009-10-07 21:31
d
w- c:program filesMicrosoft Web Designer Tools
2009-10-07 21:28 . 2009-10-07 21:28
d
w- c:documents and settingsAlenaLocal SettingsApplication DataMicrosoft Help
2009-10-07 21:28 . 2009-10-07 21:48
d
w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-10-07 21:27 . 2009-10-07 22:03 317200 —-a-w- c:documents and settingsLocalServiceLocal SettingsApplication DataFontCache3.0.0.0.dat
2009-10-07 21:27 . 2009-10-07 21:41
d
w- c:program filesMSBuild
2009-10-07 21:26 . 2009-10-07 21:26
d
w- c:windowssystem32XPSViewer
2009-10-07 21:26 . 2009-10-07 21:26
d
w- c:program filesReference Assemblies
2009-10-07 21:26 . 2006-06-29 10:07 14048
w- c:windowssystem32spmsg2.dll
2009-10-07 21:16 . 2009-10-08 10:17
d
w- c:documents and settingsAlenaApplication DataCMedia.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 10:42 . 2009-05-13 18:12
d
w- c:program filesPivim Multibar
2009-10-31 10:22 . 2009-03-22 16:59
d
w- c:program filesASUS
2009-10-31 10:22 . 2009-03-22 16:50
d—h—w- c:program filesInstallShield Installation Information
2009-10-31 10:02 . 2009-03-26 17:24
d
w- c:documents and settingsAlenaApplication DataSkype
2009-10-31 01:29 . 2009-03-23 15:33
d
w- c:documents and settingsAlenaApplication DatauTorrent
2009-10-30 20:38 . 2009-03-22 17:58
d
w- c:program filesAIMP2
2009-10-25 08:17 . 2008-04-15 12:00 97964 —-a-w- c:windowssystem32perfc019.dat
2009-10-25 08:17 . 2008-04-15 12:00 522344 —-a-w- c:windowssystem32perfh019.dat
2009-10-14 00:55 . 2009-04-16 20:53
d
w- c:program filesFree Music Zilla
2009-10-07 22:20 . 2009-03-22 17:01 69928 —-a-w- c:documents and settingsAlenaLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-10-07 21:57 . 2009-10-07 21:38
d
w- c:program filesMicrosoft Visual Studio 9.0
2009-10-07 21:57 . 2009-10-07 21:57
d
w- c:program filesBusiness Objects
2009-10-07 21:56 . 2009-10-07 21:52
d
w- c:program filesMicrosoft SQL Server
2009-10-07 21:53 . 2009-10-07 21:53
d
w- c:program filesMSXML 6.0
2009-10-07 21:52 . 2009-10-07 21:52
d
w- c:program filesMicrosoft Device Emulator
2009-10-07 21:50 . 2009-10-07 21:50
d
w- c:program filesMicrosoft Synchronization Services
2009-10-07 21:50 . 2009-10-07 21:50
d
w- c:program filesMicrosoft SQL Server Compact Edition
2009-10-07 21:44 . 2009-10-07 21:38
d
w- c:program filesCommon FilesMerge Modules
2009-10-07 21:44 . 2009-10-07 21:44
d
w- c:documents and settingsAll UsersApplication DataPreEmptive Solutions
2009-10-07 21:41 . 2009-10-07 21:38
d
w- c:program filesHTML Help Workshop
2009-10-07 21:38 . 2009-10-07 21:38
d
w- c:program filesMicrosoft SDKs
2009-10-07 21:38 . 2009-10-07 21:38
d
w- c:program filesCE Remote Tools
2009-10-07 21:16 . 2009-10-07 21:16 87371 —-a-w- c:documents and settingsAlenaApplication Datafieryads.dat
2009-09-30 22:20 . 2009-09-30 22:19
d
w- c:documents and settingsAlenaApplication DataU3
2009-09-29 23:48 . 2009-03-22 17:03
d
w- c:documents and settingsAll UsersApplication DataSymantec
2009-09-29 23:48 . 2009-03-22 17:02
d
w- c:program filesCommon FilesSymantec Shared
2009-09-29 23:46 . 2009-06-24 21:20
d
w- c:program filesPokerStars
2009-09-29 23:04 . 2009-09-29 23:03
d
w- c:program filesRadmin
2009-09-24 19:08 . 2009-09-24 17:15
d
w- c:program filesCA
2009-09-15 11:42 . 2009-09-15 11:35
d
w- c:documents and settingsAlenaApplication DataNokia
2009-09-15 11:37 . 2009-09-15 11:35
d
w- c:documents and settingsAlenaApplication DataPC Suite
2009-09-15 11:36 . 2009-09-15 11:36 0 —ha-w- c:windowssystem32driversMsft_Kernel_ccdcmb_01007.Wdf
2009-09-15 11:36 . 2009-09-15 11:36 0 —ha-w- c:windowssystem32driversMsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-09-15 11:35 . 2009-09-15 11:35
d
w- c:documents and settingsAll UsersApplication DataPC Suite
2009-09-15 11:35 . 2009-09-15 11:34
d
w- c:program filesDIFX
2009-09-15 11:35 . 2009-09-15 11:35
d
w- c:program filesCommon FilesPCSuite
2009-09-15 11:35 . 2009-09-15 11:35
d
w- c:program filesCommon FilesNokia
2009-09-15 11:35 . 2009-09-15 11:34
d
w- c:program filesNokia
2009-09-15 11:34 . 2009-09-15 11:34
d
w- c:program filesPC Connectivity Solution
2009-09-15 11:29 . 2009-09-15 11:29
d
w- c:documents and settingsAll UsersApplication DataInstallations
2009-09-02 21:00 . 2009-09-02 21:00
d
w- c:program filesPunto Switcher
2009-08-17 16:10 . 2009-03-22 17:22 1279456 —-a-w- c:windowssystem32aswBoot.exe
2009-08-17 16:06 . 2009-03-22 17:22 93392 —-a-w- c:windowssystem32driversaswmon.sys
2009-08-17 16:06 . 2009-03-22 17:22 94160 —-a-w- c:windowssystem32driversaswmon2.sys
2009-08-17 16:05 . 2009-03-22 17:22 114768 —-a-w- c:windowssystem32driversaswSP.sys
2009-08-17 16:05 . 2009-03-22 17:22 20560 —-a-w- c:windowssystem32driversaswFsBlk.sys
2009-08-17 16:04 . 2009-03-22 17:22 51376 —-a-w- c:windowssystem32driversaswTdi.sys
2009-08-17 16:04 . 2009-03-22 17:22 23152 —-a-w- c:windowssystem32driversaswRdr.sys
2009-08-17 16:03 . 2009-03-22 17:22 26944 —-a-w- c:windowssystem32driversaavmker4.sys
2009-08-17 16:02 . 2009-03-22 17:22 97480 —-a-w- c:windowssystem32AvastSS.scr
2009-03-24 00:30 . 2009-03-24 00:30 952 —sha-w- c:windowssystem32KGyGaAvL.sys
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionexplorershelliconoverlayidentifiersADSMOverlayIcon1]
@=»{A8D448F4-0431-45AC-9F5E-E1B434AB2249}»
[HKEY_CLASSES_ROOTCLSID{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 14:08 143360 —-a-w- c:program filesASUSASUS Data Security ManagerOverlayIconShlExt1.dll[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}»=»c:program filesCommon FilesAheadLibNMBgMonitor.exe» [2007-03-12 153136]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 7PCSuite.exe» [2009-06-25 1414144]
«QIP2005″=»c:program filesQIPqip.exe» [2009-02-12 3276288][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IgfxTray»=»c:windowssystem32igfxtray.exe» [2007-08-10 141848]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2007-08-10 166424]
«Persistence»=»c:windowssystem32igfxpers.exe» [2007-08-10 137752]
«SynTPEnh»=»c:program filesSynapticsSynTPSynTPEnh.exe» [2006-05-25 786521]
«ACU»=»c:program filesAtherosACU.exe» [2007-05-03 376921]
«Power_Gear»=»c:program filesASUSPower4 GearBatteryLife.exe» [2006-07-26 90112]
«avast!»=»c:progra~1ALWILS~1Avast4ashDisp.exe» [2009-08-17 81000]
«ATKHOTKEY»=»c:program filesATK HotkeyHcontrol.exe» [2007-06-29 225280]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2006-11-14 16270848][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-15 15360]c:documents and settingsAlenaѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Punto Switcher.lnk — c:program filesPunto Switcherpunto.exe [2009-9-2 831272]
Total Commander.lnk — c:program filesTotal CommanderTotalcmd.exe [2005-7-11 838400][HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoCookiesForDCFNA»= B593[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@=»Driver»[HKLM~startupfolderC:^Documents and Settings^Alena^Главное меню^Программы^Автозагрузка^WireNote.lnk]
path=c:documents and settingsAlenaГлавное менюПрограммыАвтозагрузкаWireNote.lnk
backup=c:windowspssWireNote.lnkStartup[HKLM~startupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Speed Launch.lnk]
path=c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузкаAdobe Reader Speed Launch.lnk
backup=c:windowspssAdobe Reader Speed Launch.lnkCommon Startup[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
«LanmanServer»=2 (0x2)
«lanmanworkstation»=2 (0x2)[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\Total Commander\Totalcmd.exe»=
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
«c:\Program Files\Free Music Zilla\FMZilla.exe»=
«c:\Program Files\WiredPlane\WireNote\WireNote.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=R1 aswSP;avast! Self Protection;c:windowssystem32driversaswSP.sys [22.03.2009 19:22 114768]
R2 aswFsBlk;aswFsBlk;c:windowssystem32driversaswFsBlk.sys [22.03.2009 19:22 20560]
R2 LogWatch;Event Log Watch;c:program filesCASharedComponentsCA_LICLogWatNT.exe [23.02.2005 21:56 53248]— Other Services/Drivers In Memory —
*NewlyCreated* — CLASSPNP_2
*NewlyCreated* — MBR
*Deregistered* — CLASSPNP_2
*Deregistered* — mbr
.
.
Supplementary Scan
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
IE: E&xport to Microsoft Excel — c:progra~1MICROS~2Office10EXCEL.EXE/3000
TCP: {F974528F-9A7B-4070-B37D-A3A8C3C4DF78} = 10.7.1.23 10.7.1.24
FF — ProfilePath — c:documents and settingsAlenaApplication DataMozillaFirefoxProfiles76am8va8.default
FF — prefs.js: browser.search.defaulturl — hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF — prefs.js: browser.search.selectedEngine — Kinopoisk.ru
FF — plugin: c:program filesK-Lite Codec PackRealbrowserpluginsnppl3260.dll
FF — plugin: c:program filesK-Lite Codec PackRealbrowserpluginsnprpjplug.dll—- FIREFOX POLICIES —-
c:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl3.rsa_seed_sha», true);
.
— — — — ORPHANS REMOVED — — — —ShellIconOverlayIdentifiers-{6B830884-20E3-4AB6-B672-2629F0F72071} — (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 14:01
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
C:ADSM_PData_0150
scan completed successfully
hidden files: 1**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync04.sys atapi.sys spvg.sys >>UNKNOWN [0x8A731938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.netatapi.sys @ 0x0 0x0 bytes
Driveratapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB9DCAB40 atapi.sys
Driveratapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB9DCAB40 atapi.sys
Driveratapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB9DCAB40 atapi.sys
Driveratapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB9E1FA7C sfsync04.sys
Driveratapi [ IRP_MJ_POWER ] 0xA73C != 0xB9DCAB40 atapi.sys
Driveratapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB9DCAB40 atapi.sys
Driveratapi IRP hooks detected !**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘explorer.exe'(3476)
c:program filesPunto Switcherpshook.dll
c:program filesASUSASUS Data Security ManagerOverlayIconShlExt.dll
c:program filesASUSASUS Data Security ManagerOverlayIconShlExt1.dll
.
Other Running Processes
.
c:program filesASUSASUS Data Security ManagerADSMSrv.exe
c:program filesAlwil SoftwareAvast4aswUpdSv.exe
c:program filesATKGFNEXGFNEXSrv.exe
c:program filesAlwil SoftwareAvast4ashServ.exe
c:windowssystem32acs.exe
c:program filesBorlandInterBasebinibguard.exe
c:program filesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:program filesASUSNB ProbeSPMspmgr.exe
c:program filesMicrosoft SQL Server90Sharedsqlwriter.exe
c:program filesToshibaBluetooth Toshiba StackTosBtSrv.exe
c:windowssystem32wdfmgr.exe
c:program filesAlwil SoftwareAvast4ashMaiSv.exe
c:program filesAlwil SoftwareAvast4ashWebSv.exe
c:program filesBorlandInterBasebinibserver.exe
c:windowssystem32wscntfy.exe
c:windowssystem32igfxsrvc.exe
c:program filesCommon FilesAheadLibNMIndexingService.exe
c:program filesCommon FilesAheadLibNMIndexStoreSvr.exe
c:program filesPC Connectivity SolutionServiceLayer.exe
c:program filesPC Connectivity SolutionTransportsNclUSBSrv.exe
c:program filesPC Connectivity SolutionTransportsNclRSSrv.exe
.
**************************************************************************
.
Completion time: 2009-10-31 14:04 — machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 12:04Pre-Run: 31 825 850 368 байт свободно
Post-Run: 31 811 006 464 байт свободноWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect— — End Of File — — 0061E244C16BA63F08AC0FDFF9FCA3F2
- Для ответа в этой теме необходимо авторизоваться.
