Forum replies created

Author | Posts

September 29, 2009 at 7:59 pm in reply to: Virus blocks all antivirus programs - similar problem #25332

Hello. Actually I don't have any antivirus installed at the moment, but at one time I had Dr.Web and Kaspersky.

Here is the log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 01:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA7A7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B8E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: jeiggq.sys
Image Path: C:\WINDOWS\system32\drivers\jeiggq.sys
Address: 0xF7B8C000 Size: 5184 File Visible: No Signed: -
Status: -

Name: PCI_PNP4036
Image Path: \Driver\PCI_PNP4036
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA787E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sphv.sys
Image Path: sphv.sys
Address: 0xF7534000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\user.crazy\application data\opera\opera\global_history.dat
Status: Size mismatch (API: 167377, Raw: 167354)

Path: C:\Documents and Settings\User.CRAZY\Local Settings\Temporary Internet Files\Content.IE5\6WECTJDK\WMPac69e14e-df62-4b68-b57a-b0fd843ae4a6[1]..jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User.CRAZY\Local Settings\Temporary Internet Files\Content.IE5\FANY9B8K\WMP2df5b2b1-461b-4183-abfc-50bdc023efeb[1]..jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User.CRAZY\Local Settings\Application Data\Opera\Opera\cache\opr00OR2
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User.CRAZY\Local Settings\Application Data\Opera\Opera\cache\opr00OR3
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\user.crazy\local settings\application data\opera\opera\opcache\dcache4.url
Status: Size mismatch (API: 31122, Raw: 30873)

SSDT

#: 041 Function Name: NtCreateKey
Status: Hooked by "sphv.sys" at address 0xf75350e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sphv.sys" at address 0xf7553ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sphv.sys" at address 0xf7554032

#: 119 Function Name: NtOpenKey
Status: Hooked by "sphv.sys" at address 0xf75350c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sphv.sys" at address 0xf755410a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sphv.sys" at address 0xf7553f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sphv.sys" at address 0xf755419c

Stealth Objects

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873661f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x87313500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8713a500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x86f26500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x871a3500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x868df1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x871a4500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x868d41f8 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_READ]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x86dd4500 Size: 121

Object: Hidden Code [Driver: Cdfsఈ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x86dd4500 Size: 121

==EOF==
September 27, 2009 at 10:32 pm in reply to: Virus blocks all antivirus programs - similar problem #25330

+ the ComboFix log
ComboFix 09-09-25.01 - User 28.09.2009 3:58.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.7.1049.18.1022.670 [GMT 6:00]
Running from: c:\documents and settings\User.CRAZY\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\User.CRAZY\Рабочий стол\CFScript.txt
AV: Антивирус Касперского *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Outdated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\jeiggq.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User.CRAZY\Application Data\Microsoft\Clip Organizer\mstore10.mgc
c:\documents and settings\User.CRAZY\Application Data\Microsoft\Clip Organizer\Offic10.MGC
c:\program files\Mail.Ru\Agent\Mradll\newmrasearch.dll
c:\windows\Alcmtr.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_ABP470N5
Service_abp470n5

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-27 19:20 . 2009-09-27 19:20  d-----w-  C:\Downloads
2009-09-16 17:09 . 2009-09-16 17:09  d-sh--w-  c:\documents and settings\LocalService\IETldCache
2009-09-14 14:35 . 2009-09-21 18:33  d-----w-  c:\program files\Garena
2009-09-12 12:39 . 2008-11-03 13:03  7680  ----a-w-  c:\windows\system32\drivers\massfilter.sys
2009-09-12 12:39 . 2008-11-03 13:02  104960  ----a-w-  c:\windows\system32\drivers\ZTEusbser6k.sys
2009-09-12 12:39 . 2008-11-03 13:01  104960  ----a-w-  c:\windows\system32\drivers\ZTEusbnmea.sys
2009-09-12 12:39 . 2008-11-03 13:01  104960  ----a-w-  c:\windows\system32\drivers\ZTEusbmdm6k.sys
2009-09-12 12:39 . 2009-09-12 12:39  d-----w-  c:\program files\ZTEMF626
2009-09-12 03:51 . 2009-06-21 21:48  153088  -c----w-  c:\windows\system32\dllcache\triedit.dll
2009-09-11 20:03 . 2009-09-12 12:39  d-----w-  c:\windows\system32\SupportAppXL
2009-09-08 05:38 . 2009-09-08 06:24  d-----w-  c:\documents and settings\User.CRAZY\Application Data\SAMSUNG
2009-09-08 05:20 . 2005-12-22 06:24  11188  ----a-w-  c:\windows\system32\drivers\sscdwhnt.sys
2009-09-08 05:20 . 2005-12-22 06:24  11188  ----a-w-  c:\windows\system32\drivers\sscdwh.sys
2009-09-08 05:20 . 2005-12-22 06:24  137884  ----a-w-  c:\windows\system32\drivers\sscdmdm.sys
2009-09-08 05:20 . 2005-12-22 06:24  11877  ----a-w-  c:\windows\system32\drivers\sscdcmnt.sys
2009-09-08 05:20 . 2005-12-22 06:24  11877  ----a-w-  c:\windows\system32\drivers\sscdcm.sys
2009-09-08 05:20 . 2005-12-22 06:24  10864  ----a-w-  c:\windows\system32\drivers\sscdmdfl.sys
2009-09-08 05:20 . 2005-12-22 06:24  80272  ----a-w-  c:\windows\system32\drivers\sscdbus.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 19:56 . 2008-11-11 15:33  d-----w-  c:\program files\LineAge II (Камаель)
2009-09-26 17:18 . 2009-08-10 14:15  d-----w-  c:\program files\Руоф(Финал грация)
2009-09-25 09:30 . 2009-01-19 17:50  d-----w-  c:\program files\la2
2009-09-21 20:42 . 2009-06-30 14:29  d-----w-  c:\program files\Warcraft III
2009-09-20 18:40 . 2009-08-11 18:39  d-----w-  c:\documents and settings\User.CRAZY\Application Data\Skype
2009-09-20 06:14 . 2008-12-16 06:10  d-----w-  c:\program files\QIP
2009-09-18 20:16 . 2009-03-24 16:40  d-----w-  c:\program files\Opera
2009-09-12 12:39 . 2006-02-01 06:42  d--h--w-  c:\program files\InstallShield Installation Information
2009-08-24 17:46 . 2008-11-02 13:02  d-----w-  c:\documents and settings\User.CRAZY\Application Data\Mra
2009-08-23 06:24 . 2009-06-20 04:51  25792  ----a-w-  c:\documents and settings\User.CRAZY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 05:23 . 2006-01-31 08:49  84482  ----a-w-  c:\windows\system32\perfc019.dat
2009-08-23 05:23 . 2006-01-31 08:49  484908  ----a-w-  c:\windows\system32\perfh019.dat
2009-08-23 05:17 . 2009-08-23 05:17  d-----w-  c:\program files\MSBuild
2009-08-23 05:17 . 2009-08-23 05:17  d-----w-  c:\program files\Reference Assemblies
2009-08-19 17:39 . 2009-08-19 17:39  d-----w-  c:\documents and settings\User.CRAZY\Application Data\Malwarebytes
2009-08-19 17:39 . 2009-08-19 17:39  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-19 16:49 . 2009-06-20 05:03  d-----w-  c:\program files\Windows Live Safety Center
2009-08-15 07:08 . 2009-08-15 06:56  d-----w-  c:\program files\JimBot 0.3.6 RC3
2009-08-12 13:06 . 2009-08-11 18:38  d-----w-  c:\program files\Skype
2009-08-10 11:07 . 2009-08-10 11:07  d-----w-  c:\documents and settings\User.CRAZY\Application Data\Yandex
2009-08-09 13:39 . 2009-08-09 13:39  d-----w-  c:\documents and settings\All Users\Application Data\Skype
2009-08-05 09:01 . 2006-01-31 08:49  204800  ----a-w-  c:\windows\system32\mswebdvd.dll
2009-08-02 07:36 . 2009-08-02 07:31  d-----w-  c:\program files\AntiBK by ergash
2009-08-02 07:30 . 2009-08-02 07:30  d-----w-  c:\program files\Anekdot
2009-07-17 19:03 . 2006-01-31 08:48  58880  ----a-w-  c:\windows\system32\atl.dll
2009-07-13 17:43 . 2006-01-31 08:49  286208  ----a-w-  c:\windows\system32\wmpdxm.dll
2009-07-03 17:00 . 2006-01-31 08:49  915456  ----a-w-  c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 831577]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 151552]
"SmoothView"="c:\program files\TOSHIBA\Программа TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 270336]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 671814]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-24 7975608]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2009-03-16 91648]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-12-09 15691264]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 157835]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-04 339968]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-09-16 73728]
"CFSServ.exe"="CFSServ.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-7 1888256]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 161184]
Ускоренный запуск Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 177152]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\WINDOWS\system32\TPSMain.exe"=
"c:\WINDOWS\system32\Ati2evxx.exe"=
"c:\Program Files\TOSHIBA\Программа TOSHIBA Zooming Utility\SmoothView.exe"=
"c:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"=
"c:\WINDOWS\system32\igfxsrvc.exe"=
"c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe"=
"c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe"=
"c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe"=
"c:\Program Files\TOSHIBA\Элементы управления TOSHIBA\TFncKy.exe"=
"c:\Program Files\ATI Technologies\ATI.ACE\cli.exe"=
"c:\Program Files\Microsoft Office\Office10\OSA.EXE"=
"c:\Program Files\Opera\opera.exe"=
"c:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"=
"c:\Program Files\Synaptics\SynTP\SynTPEnh.exe"=
"c:\WINDOWS\system32\SNDVOL32.EXE"=
"c:\Program Files\Mail.Ru\Agent\magent.exe"=
"c:\Program Files\Windows Media Player\wmplayer.exe"=
"c:\Program Files\TOSHIBA\Tvs\TvsTray.exe"=
"c:\WINDOWS\system32\wuauclt.exe"=
"c:\WINDOWS\system32\SupportAppXL\AutoDect.exe"=
"c:\Program Files\2gis\UpdateClientWin32\UpdateClientService.exe"=
"c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe"=
"c:\WINDOWS\AGRSMMSG.exe"=
"c:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Program Files\ZTEMF626\USB-модем Билайн\UIMain.exe"=

R2 2GIS UpdateClientService;2GIS UpdateClientService;c:\program files\2gis\UpdateClientWin32\UpdateClientService.exe [17.09.2008 13:03 1212416]
S2 gupdate1c9b945b31ea302;Служба Google Update (gupdate1c9b945b31ea302);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\USER~1.CRA\LOCALS~1\Temp\CIPA.tmp --> c:\docume~1\USER~1.CRA\LOCALS~1\Temp\CIPA.tmp [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [12.09.2009 18:39 7680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
Supplementary Scan
.
uStart Page = hxxp://asterios.tm/index.php?
uInternet Connection Wizard,ShellNext = iexplore
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master - c:\program files\Download Master\dmieall.htm
IE: Закачать при помощи Download Master - c:\program files\Download Master\dmie.htm
IE: Передать на удаленную закачку DM - c:\program files\Download Master\remdown.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} - c:\program files\Download Master\dmaster.exe
TCP: {A74FCC24-17A8-4215-A123-A5FFBDEE43E5} = 10.11.245.254
TCP: {AB3A3B21-64E1-407C-8A52-8F3B0CB66CD9} = 217.118.83.8 217.118.66.244
.
- - - - ORPHANS REMOVED - - - -

AddRemove-JimBot 0.3.6 - c:\program files\JimBot 0.3.6

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 04:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2172)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:program filesToshibac:program filesToshibac:windowssystem32TDispVol.exe
c:\windows\system32\TPSBattM.exe
c:program filesZTEMF626USB-c:program filesToshibaConfigFreeCFSServ.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2009-09-27 4:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 22:10

Pre-Run: 3 866 918 912 байт свободно
Post-Run: 3 999 662 080 байт свободно

Current=3 Default=3 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
225 --- E O F --- 2009-09-13 13:57

September 27, 2009 at 10:31 pm in reply to: Virus blocks all antivirus programs - similar problem #25329

Here is the Malwarebytes Anti-Malware log
Malwarebytes' Anti-Malware 1.41
Версия базы данных: 2866
Windows 5.1.2600 Service Pack 3

28.09.2009 4:25:54
mbam-log-2009-09-28 (04-25-54).txt

Тип проверки: Быстрая
Проверено объектов: 99529
Прошло времени: 4 minute(s), 10 second(s)

Заражено процессов в памяти: 0
Заражено модулей в памяти: 0
Заражено ключей реестра: 0
Заражено значений реестра: 0
Заражено параметров реестра: 3
Заражено папок: 0
Заражено файлов: 0

Заражено процессов в памяти:
(Вредоносные программы не обнаружены)

Заражено модулей в памяти:
(Вредоносные программы не обнаружены)

Заражено ключей реестра:
(Вредоносные программы не обнаружены)

Заражено значений реестра:
(Вредоносные программы не обнаружены)

Заражено параметров реестра:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Заражено папок:
(Вредоносные программы не обнаружены)

Заражено файлов:
(Вредоносные программы не обнаружены)