[D-Tritus]

Скрытые файлы стали видны, так что часть проблемы решена. Какие нибудь ещё советы для чистки компа посоветуйте пожалуйста?
ComboFix 10-06-18.03 — D-Tritus 20.06.2010 0:26.1.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2047.1660 [GMT 4:00]
Running from: d:documents and settingsD-TritusРабочий столComboFix.exe
Command switches used :: d:documents and settingsD-TritusРабочий столWindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: Антивирусная система Eset NOD32 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.
ADS — explorer.exe: deleted 23040 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:program filesCommon Fileskeylog.txt
d:windowssystem3250137551.exe
d:windowssystem329TB5MUs.exe
d:windowssystem32com.run
d:windowssystem32dp1.fne
d:windowssystem32eAPI.fne
d:windowssystem32GmmDGYI.exe
d:windowssystem32Gob73sb.exe
d:windowssystem32IbjxtOm.exe
d:windowssystem32internet.fne
d:windowssystem32KCZXMQP.exe
d:windowssystem32krnln.fnr
d:windowssystem32m8SEJY4.exe
d:windowssystem32MkCWI9h.exe
d:windowssystem32netprotocol.dll
d:windowssystem32og.dll
d:windowssystem32og.edt
d:windowssystem32ONyUHEs.exe
d:windowssystem32RegEx.fnr
d:windowssystem32RonztsC.exe
d:windowssystem32sMlmHnv.exe
d:windowssystem32spec.fne
d:windowssystem32Thumbs.db
d:windowssystem32ul.dll
d:windowssystem32xOAfMvd.exe
d:windowssystem32ZjjrCNt.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 12:13 . 2010-06-19 12:13 112640 —-a-w- d:windowssystem32GWJkS41.exe
2010-06-19 10:58 . 2010-06-19 10:58 56112 —-a-w- d:windowssystem32netprotocol.exe
2010-06-19 10:52 . 2010-06-19 10:52 112640 —-a-w- d:windowssystem32eU3jlb7.exe
2010-06-17 19:15 . 2010-06-17 19:26

---

d

---

w- d:program filestrend micro
2010-06-16 20:41 . 2010-06-16 20:48

---

d

---

w- d:documents and settingsD-Tritus.VirtualBox
2010-06-16 20:40 . 2010-02-12 16:34 123280 —-a-w- d:windowssystem32driversVBoxDrv.sys
2010-06-16 20:39 . 2010-02-12 16:34 41680 —-a-w- d:windowssystem32driversVBoxUSBMon.sys
2010-06-16 14:58 . 2004-03-02 13:37 125184

---

w- d:windowssystem32driversimagesrv.sys
2010-06-16 14:58 . 2004-03-02 13:37 5504

---

w- d:windowssystem32driversimagedrv.sys
2010-06-16 14:52 . 2010-06-16 15:04

---

d

---

w- d:program filesUnlocker
2010-06-16 14:37 . 2010-06-16 14:37

---

d

---

w- d:documents and settingsD-TritusLocal SettingsApplication DataStardock
2010-06-15 10:03 . 2010-06-15 10:03 117760 —-a-w- d:windowssystem32XkejZJ4.exe
2010-06-11 04:16 . 2010-06-11 04:16 103936 —-a-w- d:windowssystem32WsGRLex.exe
2010-06-07 16:25 . 2010-06-07 16:25 109056 —-a-w- d:windowssystem32DJqGMiJ.exe
2010-06-05 05:13 . 2010-06-05 05:13 122880 —-a-w- d:windowssystem327vQiSOv.exe
2010-05-27 10:42 . 2010-05-27 10:42 100864 —-a-w- d:windowssystem32JWQzmbl.exe
2010-05-24 13:27 . 2010-05-24 13:27 116224 —-a-w- d:windowssystem32e7qV6or.exe
2010-05-24 11:27 . 2010-05-24 11:27 116224 —-a-w- d:windowssystem32IutT1SQ.exe
2010-05-24 11:26 . 2010-05-24 11:26 116224 —-a-w- d:windowssystem323Nuq3D6.exe
2010-05-21 13:51 . 2010-05-21 13:51 105984 —-a-w- d:windowssystem32Eo8ly5P.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 20:04 . 2009-01-04 18:45

---

d

---

w- d:documents and settingsD-TritusApplication DataSkype
2010-06-19 20:04 . 2008-10-08 16:59

---

d

---

w- d:documents and settingsD-TritusApplication DatauTorrent
2010-06-19 11:09 . 2009-01-21 14:33

---

d

---

w- d:documents and settingsD-TritusApplication DataICQ
2010-06-13 20:12 . 2009-04-30 17:37

---

d

---

w- d:program filesEset
2010-06-13 17:07 . 2008-09-04 16:33 72000 —-a-w- d:documents and settingsD-TritusLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-06-13 17:02 . 2001-10-20 13:00 85314 —-a-w- d:windowssystem32perfc019.dat
2010-06-13 17:02 . 2001-10-20 13:00 488014 —-a-w- d:windowssystem32perfh019.dat
2010-06-06 07:04 . 2009-09-16 19:09

---

d

---

w- d:documents and settingsD-TritusApplication DataOpenOffice.org2
2010-06-03 17:08 . 2009-09-16 19:10 1 —-a-w- d:documents and settingsD-TritusApplication DataOpenOffice.org2useruno_packagescachestamp.sys
2010-05-08 12:28 . 2009-02-23 08:23 225280 —-a-w- d:documents and settingsD-TritusApplication DataGRETECHGomPlayerGrLauncherTempSetup.exe
2010-05-07 11:46 . 2009-09-16 18:40

---

d

---

w- d:documents and settingsAll UsersApplication DataMicrosoft Help
2010-05-07 11:33 . 2010-05-07 11:27

---

d

---

w- d:program filesIEAK6
2010-05-07 11:24 . 2010-05-07 11:24

---

d

---

w- d:program filesMSXML 4.0
2010-05-07 11:17 . 2010-05-07 11:17

---

d

---

w- d:program filesMicrosoft Visual Studio .NET 2003
2010-05-07 11:17 . 2009-09-16 18:57

---

d

---

w- d:program filesMicrosoft.NET
2010-05-07 11:14 . 2010-05-07 11:14 131 —-a-w- d:documents and settingsD-TritusLocal SettingsApplication Datafusioncache.dat
2010-05-06 16:33 . 2009-11-30 11:57

---

d

---

w- d:program filesNero
2010-05-04 06:47 . 2008-09-25 17:10 525816 —-a-w- d:documents and settingsD-TritusApplication DataMraUpdategames.dll
2010-05-03 09:01 . 2010-04-14 17:12

---

d

---

w- d:documents and settingsD-TritusApplication DataDownload Master
2010-04-30 14:39 . 2008-09-05 13:06

---

d—h—w- d:program filesInstallShield Installation Information
2010-04-26 17:55 . 2010-04-26 17:55 43602 —-a-w- d:windowssystem32xvid-uninstall.exe
2010-04-26 17:05 . 2010-04-26 17:04

---

d

---

w- d:documents and settingsD-TritusApplication DataStaffCop
.

---

Sigcheck

---

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . d:windowsServicePackFilesi386tcpip.sys
[-] 2008-04-13 . 99BD46C2C790E52363DD1021DDCA3E8F . 361344 . . [5.1.2600.5512] . . d:windowssystem32driverstcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«Ярлык для страницы свойств High Definition Audio»=»HDAShCut.exe» [2005-12-26 61952]
«NvCplDaemon»=»d:windowssystem32NvCpl.dll» [2008-10-07 13574144]
«OrderReminder»=»d:program filesHewlett-PackardOrderReminderOrderReminder.exe» [2005-03-18 98304]
«NvMediaCenter»=»d:windowssystem32NvMcTray.dll» [2008-10-07 86016]
«LifeCam»=»d:program filesMicrosoft LifeCamLifeExp.exe» [2007-05-17 279912]
«VX1000″=»d:windowsvVX1000.exe» [2007-04-10 709992]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»d:windowssystem32CTFMON.EXE» [2008-04-14 15360]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogon]
«Userinit»=»d:windowssystem32userinit.exe,d:docume~1D-TritusLOCALS~1Tempdas41A.tmp,d:windowssystem3250137551.exe,\?globalrootsystemrootsystem32ZSJU6rm.exe,\?globalrootsystemrootsystem32F1csm5U.exe,\?globalrootsystemrootsystem32xOAfMvd.exe,»

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\Garena\Garena.exe»=
«d:\WINDOWS\system32\PnkBstrA.exe»=
«d:\WINDOWS\system32\PnkBstrB.exe»=
«c:\Program Files\uTorrent\utorrent.exe»=
«c:\Program Files\ICQ6.5\ICQ.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«d:\Program Files\Microsoft LifeCam\LifeCam.exe»=
«d:\Program Files\Microsoft LifeCam\LifeExp.exe»=
«c:\Program Files\Opera\opera.exe»=
«d:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«d:\Program Files\Microsoft Office\Office12\GROOVE.EXE»=
«d:\Program Files\Microsoft Office\Office12\ONENOTE.EXE»=
«c:\D-Tritus\Games\STEAM\SteamApps\common\left 4 dead\left4dead.exe»=
«c:\D-Tritus\Games\STEAM\SteamApps\yoshito_kikuchi\counter-strike source\hl2.exe»=
«c:\D-Tritus\Games\STEAM\SteamApps\yoshito_kikuchi\day of defeat source\hl2.exe»=
«c:\Program Files\SkyPe\Phone\Skype.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«1645:TCP»= 1645:TCP:cjgqbb
«16448:TCP»= 16448:TCP

R0 UP55bus;UP55bus;d:windowssystem32driversUP55bus.sys [19.04.2009 20:26 155136]
R0 UP55prt;UP55prt;d:windowssystem32driversUP55prt.sys [19.04.2009 20:26 5248]
R1 appdrv01;Application Driver (01);d:windowssystem32driversappdrv01.sys [03.03.2010 23:33 3468904]
R1 nod32drv;nod32drv;d:windowssystem32driversnod32drv.sys [30.04.2009 21:37 15424]
R1 VBoxDrv;VirtualBox Service;d:windowssystem32driversVBoxDrv.sys [17.06.2010 0:40 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;d:windowssystem32driversVBoxUSBMon.sys [17.06.2010 0:39 41680]
R3 netmonzMP;netmonzMP;d:windowssystem32driversnetmonz.sys [17.08.2009 10:17 18432]
R3 SAA713x;Behold TV WDM Capture (SAA713x);d:windowssystem32driverssaa713x.sys [11.10.2008 22:55 153472]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;d:windowssystem32driversVBoxNetAdp.sys [12.02.2010 20:34 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;d:windowssystem32driversVBoxNetFlt.sys [12.02.2010 20:34 110096]
S2 appdrvrem01;Application Driver Auto Removal Service (01);d:windowsSystem32appdrvrem01.exe svc —> d:windowsSystem32appdrvrem01.exe svc [?]
S2 kudgt;Time Center;d:windowssystem32svchost.exe -k netsvcs [17.08.2004 17:05 14336]
S3 block_reader;MPR DRV;??c:program filesMulti Password Recoveryblock_reader.sys —> c:program filesMulti Password Recoveryblock_reader.sys [?]
S3 GarenaPEngine;GarenaPEngine;??d:docume~1D-TritusLOCALS~1TempLKE2306.tmp —> d:docume~1D-TritusLOCALS~1TempLKE2306.tmp [?]
S3 netmonz;NetmonZ Service;d:windowssystem32driversnetmonz.sys [17.08.2009 10:17 18432]
S3 npggsvc;nProtect GameGuard Service;d:windowssystem32GameMon.des -service —> d:windowssystem32GameMon.des -service [?]
S3 scramby_out;Scramby Output;d:windowssystem32driversscramby_out.sys [08.08.2007 9:31 23840]
S3 wpwoavjuo;wpwoavjuo;??d:documents and settingsD-TritusРабочий столgliderwpwoavjuo.sys —> d:documents and settingsD-TritusРабочий столgliderwpwoavjuo.sys [?]
S4 sptd;sptd;d:windowssystem32driverssptd.sys [06.11.2008 23:35 717296]

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
kudgt
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.battlefieldheroes.com/
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~1Office12EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master — c:program filesDownload Masterdmieall.htm
IE: Закачать при помощи Download Master — c:program filesDownload Masterdmie.htm
IE: Передать на удаленную закачку DM — c:program filesDownload Masterremdown.htm
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesmagent.exe
LSP: d:windowssystem32imon.dll
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} — hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
FF — ProfilePath — d:documents and settingsD-TritusApplication DataMozillaFirefoxProfilesla6f387d.default
FF — plugin: c:program filesOperaprogrampluginsnpdm.dll
FF — plugin: c:program filesOperaprogrampluginsnpdsplay.dll
FF — plugin: c:program filesOperaprogrampluginsNPJPI150_06.dll
FF — plugin: c:program filesOperaprogrampluginsNPOFF12.DLL
FF — plugin: c:program filesOperaprogrampluginsNPOFF12.DLL
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin2.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin3.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin4.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin5.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin6.dll
FF — plugin: c:program filesOperaprogrampluginsnpqtplugin7.dll
FF — plugin: c:program filesOperaprogrampluginsNPSWF32.dll
FF — plugin: c:program filesOperaprogrampluginsnpwmsdrm.dll
FF — plugin: d:documents and settingsD-TritusApplication DataMozillaFirefoxProfilesla6f387d.defaultextensionsbattlefieldheroespatcher@ea.complatformWINNT_x86-msvcpluginsnpBFHUpdater.dll

—- FIREFOX POLICIES —-
c:program filesFireFoxgreprefsall.js — pref(«ui.use_native_colors», true);
c:program filesFireFoxgreprefsall.js — pref(«network.auth.force-generic-ntlm», false);
c:program filesFireFoxgreprefsall.js — pref(«svg.smil.enabled», false);
c:program filesFireFoxgreprefssecurity-prefs.js — pref(«security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref», true);
c:program filesFireFoxgreprefssecurity-prefs.js — pref(«security.ssl.renego_unrestricted_hosts», «»);
c:program filesFireFoxgreprefssecurity-prefs.js — pref(«security.ssl.treat_unsafe_negotiation_as_broken», false);
c:program filesFireFoxgreprefssecurity-prefs.js — pref(«security.ssl.require_safe_negotiation», false);
c:program filesFireFoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name», «chrome://browser/locale/browser.properties»);
c:program filesFireFoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description», «chrome://browser/locale/browser.properties»);
c:program filesFireFoxdefaultspreffirefox.js — pref(«plugins.update.notifyUser», false);
.
— — — — ORPHANS REMOVED — — — —

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} — (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 00:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A35BAE0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xf763bf28
DriverACPI -> ACPI.sys @ 0xf7588cb8
Driveratapi -> 0x8a35bae0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
DeviceHarddisk0DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7880bd4
PacketIndicateHandler -> NDIS.sys @ 0xf788ca21
SendHandler -> NDIS.sys @ 0xf7880d44
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘lsass.exe'(1340)
d:windowssystem32imon.dll
d:program filesEsetpr_imon.dll
.
Completion time: 2010-06-20 00:32:03
ComboFix-quarantined-files.txt 2010-06-19 20:32

Pre-Run: 508 268 544 байт свободно
Post-Run: 473 071 616 байт свободно

WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=signature(29c929c8)disk(0)rdisk(0)partition(2)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
signature(29c929c8)disk(0)rdisk(0)partition(2)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect
signature(29c929c8)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect

— — End Of File — — E264E39F2DFAF7D2A89FDE62D41592CF

[Автор]

Сообщения