Forum replies created
Author / Posts
Looks like I'll have to format C: after all....
Bump!!!
Please don't forget about me! 🙂
Here are the VirusTotal logs for the two files I checked:
First file:
File size: 503808 bytes
MD5 : ba9df5930b2582c31c0c8e52c94dda48
SHA1 : 5cbf1147900b9688c84edf9fea72ae7d7b71e328
SHA256: 4d5e6bc3bd05477523ad762ed1813254a2367d21929221ff9f4d1fe0cb9f517c
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3D353
timedatestamp.....: 0x41107EDC (Wed Aug 4 08:14:52 2004)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6F288 0x6F400 6.82 efef82dd9ff143ad282f8cbe68d2d76b
.data 0x71000 0x4D90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30
.rsrc 0x76000 0x96B8 0x9800 4.33 b9607525adba6ca9e2bc8c72ab88832a
( 0 imports )
( 0 exports )
TrID : File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
ssdeep: 6144:dYuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcrFIzdFz/N5WjyfTNQe:dVLBhic7Qy1vSneJFDNhp8nY
sigcheck: publisher....: __________ __________
copyright....: (c) __________ __________. ___ _____ ________.
product......: ____________ _______ Microsoft_ Windows_
description..: _________ _____ _ _______ Windows NT
original name: WINLOGON.EXE
internal name: winlogon
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=ba9df5930b2582c31c0c8e52c94dda48
RDS : NSRL Reference Data Set
---
Second file:
File size: 503808 bytes
MD5 : bc260ed748748149db05b29b256a0500
SHA1 : bf512ac3eaef002805a0e90852b1cd0791ec73dc
SHA256: af19c930f984cbd4cd7a5a16e74e4bd86c495b0376ce0a0faeab368e456a80a2
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x103D353
timedatestamp.....: 0x41107EDC (Wed Aug 4 08:14:52 2004)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6F288 0x6F400 6.82 7eb8db68ce03fa8d6e3b254c4b13abfa
.data 0x71000 0x4D90 0x2000 6.21 662eceb591c7df2d6e365ae6b9b2da15
.rsrc 0x76000 0x96B8 0x9800 4.33 b9607525adba6ca9e2bc8c72ab88832a
( 0 imports )
( 0 exports )
TrID : File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
ssdeep: 6144:dYuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcbFIzdFz/N5WjyfTNQC:dVLBhic7Qy1vSneJFDNhp87Y
sigcheck: publisher....: __________ __________
copyright....: (c) __________ __________. ___ _____ ________.
product......: ____________ _______ Microsoft_ Windows_
description..: _________ _____ _ _______ Windows NT
original name: WINLOGON.EXE
internal name: winlogon
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=bc260ed748748149db05b29b256a0500
RDS : NSRL Reference Data Set
---
Now on to the ComboFix log. I got a blue screen on the last attempt to run it, so I'll try once more now.

ComboFix 10-03-04.06 - ANT 06.03.2010 0:53.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.1023.543 [GMT 3:00]
Running from: c:\documents and settings\ANT\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Рабочий стол\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Resident AV is active.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ANT\Мои документы\cc_20100112_1507.reg
c:\documents and settings\ANT\Мои документы\cc_20100113_1824.reg

c:\windows\system32\winlogon.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.
2010-03-02 00:46 . 2010-03-02 00:46 d-----w- C:\rsit
2010-03-01 23:46 . 2010-03-01 23:46 d-----w- c:\program files\Trend Micro
2010-03-01 22:33 . 2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-03-01 22:33 . 2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2010-03-01 22:33 . 2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2010-03-01 22:33 . 2010-03-01 22:33 d-----w- c:\program files\eRightSoft
2010-02-28 21:47 . 2010-02-28 21:47 d-----w- c:\documents and settings\ANT\Application Data\Apple Computer
2010-02-27 11:05 . 2010-02-27 11:05 d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-22 22:11 . 2010-02-22 22:11 d-----w- c:\program files\QuickTime
2010-02-22 22:11 . 2010-02-22 22:11 d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-22 22:11 . 2010-02-22 22:11 d-----w- c:\program files\Common Files\Apple
2010-02-22 22:10 . 2010-02-22 22:10 d-----w- c:\documents and settings\ANT\Local Settings\Application Data\Apple
2010-02-22 22:10 . 2010-02-22 22:10 d-----w- c:\program files\Apple Software Update
2010-02-22 22:10 . 2010-02-22 22:10 d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-22 22:10 . 2010-02-22 22:10 d-----w- c:\documents and settings\ANT\Local Settings\Application Data\Apple Computer
2010-02-22 21:51 . 2010-02-22 21:51 d-----w- C:\Новая папка
2010-02-22 21:50 . 2010-02-22 21:50 d-----w- C:\Partyman
2010-02-22 21:50 . 2010-02-22 21:50 d-----w- c:\documents and settings\ANT\Новая папка
2010-02-22 21:47 . 2010-02-22 21:47 d-----w- c:\documents and settings\ANT\Hardbass Partyman
2010-02-07 22:33 . 2010-02-07 22:33 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-07 22:33 . 2010-02-07 22:33 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-07 22:33 . 2010-02-07 22:33 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-07 22:33 . 2010-02-07 22:33 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-02-07 22:33 . 2010-02-07 22:33 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-07 22:33 . 2010-02-07 22:33 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-02-07 22:22 . 2010-02-07 22:22 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-07 22:22 . 2010-02-07 22:22 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-07 22:20 . 2010-03-05 22:04 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 22:05 . 2008-07-06 08:46 d-----w- c:\documents and settings\ANT\Application Data\Skype
2010-03-05 09:24 . 2008-07-06 08:49 d-----w- c:\documents and settings\ANT\Application Data\skypePM
2010-03-01 15:28 . 2010-03-01 15:20 d-----w- c:\program files\Security Task Manager
2010-03-01 15:28 . 2010-03-01 15:20 d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-28 23:35 . 2007-03-24 15:12 d-----w- c:\program files\Common Files\Adobe
2010-02-27 23:51 . 2007-04-30 19:16 d-----w- c:\documents and settings\ANT\Application Data\Canon
2010-02-25 20:45 . 2007-11-25 08:37 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-23 10:04 . 2007-05-11 19:56 1157544 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-21 22:43 . 2008-04-13 13:59 d-----w- c:\program files\Bengal
2010-02-20 15:02 . 2008-11-06 18:42 d-----w- c:\program files\ATI
2010-02-20 14:58 . 2007-04-10 21:23 d-----w- c:\program files\ATI Technologies
2010-02-18 22:38 . 2008-05-11 21:06 d-----w- c:\program files\Kaspersky Lab
2010-02-18 22:37 . 2009-04-17 20:20 119808 -csha-w- c:\program files\Thumbs.db
2010-02-07 21:56 . 2008-05-11 20:59 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-07 20:00 . 2007-08-15 17:43 d-----w- c:\program files\Google
2010-01-22 07:36 . 2008-07-27 21:30 d-----w- c:\documents and settings\ANT\Application Data\uTorrent
2010-01-13 15:42 . 2009-10-14 22:01 d-----w- c:\program files\DrWeb
2010-01-13 15:39 . 2007-03-24 13:16 d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 15:08 . 2009-03-03 20:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-12 12:06 . 2010-01-12 12:06 d-----w- c:\program files\CCleaner
2010-01-12 11:18 . 2010-01-12 11:18 d-----w- c:\program files\Avira
2010-01-11 21:11 . 2008-11-11 23:15 d-----w- c:\program files\QIP Infium
2009-12-23 17:18 . 2009-12-23 17:18 4286 ----a-r- c:\documents and settings\ANT\Application Data\Microsoft\Installer\{744CC3A3-431B-4FCB-A1FC-B115AB5BB359}\ARPPRODUCTICON.exe
2009-12-23 17:18 . 2009-12-23 17:18 40960 ----a-r- c:\documents and settings\ANT\Application Data\Microsoft\Installer\{744CC3A3-431B-4FCB-A1FC-B115AB5BB359}\Zemble.exe_744CC3A3431B4FCBA1FCB115AB5BB359.exe
2009-12-23 10:35 . 2009-12-23 10:34 231817 ----a-w- c:\program files\Uninst.isu
2009-12-14 13:37 . 2009-12-14 13:37 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\Common\CustomActions\Sleep.exe
2009-12-14 13:37 . 2009-12-14 13:37 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\Common\CustomActions\msxml6Exec.exe
2009-12-14 13:37 . 2009-12-14 13:37 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\Common\CustomActions\vcredistExec.exe
2009-12-10 22:16 . 2001-10-20 16:00 528974 ----a-w- c:\windows\system32\perfh019.dat
2009-12-10 22:16 . 2001-10-20 16:00 101150 ----a-w- c:\windows\system32\perfc019.dat
2009-12-09 23:27 . 2009-12-09 23:27 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\pcswpcsi.exe
2009-12-09 23:27 . 2009-12-09 23:27 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstCCD.exe
2009-12-09 23:27 . 2009-12-09 23:27 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstPCSFEMsi.exe
2009-12-09 23:27 . 2009-12-09 23:27 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\Common\CustomActions\UninstPCS.exe
2009-12-09 23:25 . 2009-12-09 23:27 34045136 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_rus_web.exe
2009-08-04 17:56 . 2009-09-24 09:20 416 -c--a-w- c:\program files\file_id.diz
2007-09-18 10:49 . 2009-04-17 20:20 36153 -c--a-w- c:\program files\scrdoc_r.htm
2007-09-18 10:42 . 2009-04-17 20:20 22683 -c--a-w- c:\program files\scrdoc_e.htm
2007-09-18 09:40 . 2009-04-17 20:20 960 -c--a-w- c:\program files\Readme_E.txt
2007-09-18 09:38 . 2009-04-17 20:20 30208 -c--a-w- c:\program files\Readme_R.doc
2007-09-18 09:38 . 2009-04-17 20:20 931 -c--a-w- c:\program files\Readme_R.txt
2007-09-18 09:07 . 2009-04-17 20:20 2245 -c--a-w- c:\program files\browse_r.htm
2007-09-18 09:06 . 2009-04-17 20:20 2170 -c--a-w- c:\program files\browse_e.htm
2007-09-18 09:04 . 2009-04-17 20:20 18116 -c--a-w- c:\program files\screen_e.htm
2007-09-18 09:04 . 2009-04-17 20:20 23243 -c--a-w- c:\program files\screen_r.htm
2007-09-17 17:41 . 2009-04-17 20:20 5229 -c--a-w- c:\program files\std_rutw.png
2007-09-17 17:41 . 2009-04-17 20:20 4713 -c--a-w- c:\program files\std_ukr.png
2007-09-17 17:41 . 2009-04-17 20:20 4625 -c--a-w- c:\program files\std_ru.png
2007-09-17 17:41 . 2009-04-17 20:20 4594 -c--a-w- c:\program files\yazhert.png
2007-09-17 17:41 . 2009-04-17 20:20 4897 -c--a-w- c:\program files\yaschert.png
2007-09-17 17:41 . 2009-04-17 20:20 4830 -c--a-w- c:\program files\yashert3.png
2007-09-17 17:41 . 2009-04-17 20:20 4727 -c--a-w- c:\program files\yawert2.png
2007-09-17 17:41 . 2009-04-17 20:20 4688 -c--a-w- c:\program files\yashert2.png
2007-09-17 17:41 . 2009-04-17 20:20 4593 -c--a-w- c:\program files\yashert.png
2007-09-17 17:41 . 2009-04-17 20:20 4571 -c--a-w- c:\program files\student.png
2007-09-17 17:41 . 2009-04-17 20:20 4558 -c--a-w- c:\program files\yawert.png
2007-09-17 17:41 . 2009-04-17 20:20 4538 -c--a-w- c:\program files\yazh_ukr.png
2007-09-17 17:40 . 2009-04-17 20:20 4923 -c--a-w- c:\program files\yazhert3.png
2007-09-17 17:40 . 2009-04-17 20:20 4580 -c--a-w- c:\program files\yazhert2.png
2007-09-17 17:40 . 2009-04-17 20:20 4556 -c--a-w- c:\program files\yayuertj.png
2007-09-17 17:24 . 2009-04-17 20:20 4846 -c--a-w- c:\program files\alphabet.png
2007-04-08 15:57 . 2009-04-17 20:20 50350 -c--a-w- c:\program files\cvtnonus.js
2007-04-06 13:41 . 2009-04-17 20:20 49567 -c--a-w- c:\program files\cvt.js
2007-04-06 13:18 . 2009-04-17 20:20 12188 -c--a-w- c:\program files\cvtnon_e.js
2006-10-03 08:35 . 2009-04-17 20:20 9191 -c--a-w- c:\program files\vOpera_r.htm
2006-10-02 13:59 . 2009-04-17 20:20 268 -c--a-w- c:\program files\ardn1.png
2006-10-02 13:59 . 2009-04-17 20:20 274 -c--a-w- c:\program files\smile.png
2006-10-02 11:03 . 2009-04-17 20:20 459 -c--a-w- c:\program files\go_e.png
2006-10-02 11:03 . 2009-04-17 20:20 456 -c--a-w- c:\program files\go_r.png
2006-10-02 11:03 . 2009-04-17 20:20 2673 -c--a-w- c:\program files\cyr-late.png
2006-10-02 11:03 . 2009-04-17 20:20 2542 -c--a-w- c:\program files\cyr-lat.png
2006-10-02 11:03 . 2009-04-17 20:20 1389 -c--a-w- c:\program files\main_r.png
2006-10-02 11:03 . 2009-04-17 20:20 1369 -c--a-w- c:\program files\main_e.png
2006-09-14 15:43 . 2009-04-17 20:20 318 -c--a-w- c:\program files\vkb.ico
2006-04-07 09:14 . 2009-04-17 20:20 4670 -c--a-w- c:\program files\util.js
2009-10-05 15:34 . 2010-01-11 21:11 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
2006-05-03 10:06 . 2010-03-01 22:33 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-11-30 07:23 . 2009-06-19 21:22 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2010-03-01 22:33 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-03-01 22:33 216064 --sh--r- c:\windows\system32\nbDX.dll
.
Sigcheck
[-] 2004-08-03 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-03 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys

[-] 2007-03-24 . BC260ED748748149DB05B29B256A0500 . 503808 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-04_19.27.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-24 12:49 . 2010-03-05 19:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-03-24 12:49 . 2010-02-26 07:48 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-03-24 12:49 . 2010-03-05 19:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-03-24 12:49 . 2010-02-26 07:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-03-05 22:03 . 2009-04-30 12:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2010-03-04 19:26 . 2009-04-30 12:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-03-19 1267040]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

c:\documents and settings\ANT\Главное меню\Программы\Автозагрузка\
Punto Switcher.lnk - c:\program files\Yandex\Punto Switcher\punto.exe [2009-9-30 831272]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-15 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Ускоренный запуск Adobe Reader.lnk]
backup=c:\windows\pss\Ускоренный запуск Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Total Commander.lnk]
backup=c:\windows\pss\Total Commander.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Yahoo! Widget Engine.lnk]
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2005-11-28 12:01 118784 -c--a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2005-05-04 02:01 2805248 -c--a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
2002-12-06 13:07 617984 -c--a-w- c:\program files\ASUS\Asus Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
2006-02-22 00:05 344064 -c--a-w- c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-17 13:04 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 07:51 57344 -c----w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 13:05 81920 ----a-w- E:\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-01-04 08:50 405583 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 14:07 61952 -c----w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-05-18 07:29 49152 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-19 21:27 65536 -c--a-w- c:\program files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-10-29 19:53 66864 -c--a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-05-20 10:46 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-06-02 04:59 5451536 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-17 13:17 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 14:50 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 07:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 07:00 49152 -c--a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 11:38 64512 -c--a-r- c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-06-25 12:12 1414144 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 15:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-03 10:43 90112 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-01 12:23 61440 -c--a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-13 23:43 83608 -c--a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-12 18:09 68856 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2005-11-28 12:01 1005302 -c--a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 22:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 21:54 37376 -c--a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\totalcmd\TOTALCMD.EXE"=
"c:\Program Files\FlylinkDC++\FlylinkDC.exe"=
"c:\Program Files\SiSoftware\SiSoftware Sandra Pro Business XI.SP2\Win32\RpcDataSrv.exe"=
"c:\Program Files\SiSoftware\SiSoftware Sandra Pro Business XI.SP2\RpcSandraSrv.exe"=
"c:\Program Files\QIP\qip.exe"=
"c:\Program Files\Total Commander\Totalcmd.exe"=
"c:\WINDOWS\system32\PnkBstrA.exe"=
"c:\WINDOWS\system32\PnkBstrB.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\Russian\setup.exe"=
"e:\Cropp\psp\uTorrent.exe"=
"c:\Program Files\QIP Infium\infium.exe"=
"c:\Program Files\Microsoft ActiveSync\wcescomm.exe"=
"c:\Program Files\Microsoft ActiveSync\WCESMgr.exe"=
"c:\Program Files\VideoLAN\VLC\vlc.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Skype\Plugin Manager\skypePM.exe"=
"e:\QUAKElll\quake3.exe"=
"c:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"=
"c:\Program Files\Logitech\Logitech Vid\Vid.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"9844:TCP"= 9844:TCP:fxqtzmr

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14.10.2009 21:18 36880]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25.03.2007 8:35 717296]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.330\ATI Tray Tools\atitray.sys [14.11.2005 1:43 14336]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [13.12.2008 0:46 222456]
R2 LogWatch;Event Log Watch;i:\ca_lic\LogWatNT.exe [23.02.2005 15:56 53248]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14.09.2009 14:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02.10.2009 19:39 19472]
R3 PhTVTune;VideoWonder ProTV WDM TVTuner;c:\windows\system32\drivers\Silicon.sys [24.03.2007 23:49 21888]
R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [30.08.2007 14:32 48928]
S0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [26.05.2007 18:38 155136]
S0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [26.05.2007 18:38 5248]
S2 gupdate1c995afc65ce744;Google Update Service (gupdate1c995afc65ce744);c:\program files\Google\Update\GoogleUpdate.exe [23.02.2009 15:10 133104]
S3 Irbis64_Service;Irbis64_Service;c:\irbis64\service_64.exe c:\irbis64 --> c:\irbis64\service_64.exe c:\irbis64 [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10.12.2009 2:28 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10.12.2009 2:28 8320]
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:10]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-23 12:10]
.
.
Supplementary Scan
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.windowsxlive.net
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\PRMT6\PRMTIE\prmtie5.htm
TCP: {C1380026-0D59-45CF-8C48-951ED4EF6577} = 80.70.224.2,80.70.224.4
TCP: {C50B6EB1-B17D-44BC-90A4-3C050E5DA265} = 80.70.224.2,80.70.224.4
TCP: {E1814A5A-5CDA-40C8-806C-396411C24554} = 80.70.224.2,80.70.224.4
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\ANT\Application Data\Mozilla\Firefox\Profiles\so4gyn3i.default
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://active.mns.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\program files\Mozilla Firefox\components\qippipe.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.
**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
DLLs Loaded Under Running Processes

- - - - - - - > 'winlogon.exe'(1568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1624)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(4808)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Yandex\Punto Switcher\pshook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_rus.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\Logitech\Logitech WebCam Software\LWS.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclIrSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-03-06 01:09:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-05 22:08
ComboFix2.txt 2010-03-05 21:32
ComboFix3.txt 2010-03-04 19:32

Pre-Run: 1 579 368 448 bytes free
Post-Run: 1 556 131 840 bytes free

- - End Of File - - 51576F0948ACAA06F0024C742DD6A48A
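The two VirusTotal reports above are worth comparing field by field: same build timestamp, same file size, same .rsrc hash, but different .text and .data hashes, and one report prints the entry point as an RVA (0x3D353) while the other prints ImageBase + RVA (0x103D353). The script below is an added example (editor's code, not from the poster or from VirusTotal): a standard-library PE header parser that reproduces the PEInfo fields (entry point both ways, timestamp, machine, per-section entropy and MD5) and diffs two samples. The two PE images it parses are constructed fixtures built by `build_pe`; the section bytes, entry point and timestamp are chosen to mirror the shape of the forum's pair, not the real winlogon.exe.

```python
"""Re-create the PEInfo fields of a VirusTotal report (entry point, timestamp,
machine, per-section entropy and MD5) from raw bytes and diff two samples.
Standard library only; the two PE images below are constructed fixtures."""
import hashlib
import math
import struct
import time

MACHINE_NAMES = {0x14C: "Intel I386", 0x8664: "AMD64"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); ~7+ hints at packing/encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    # PE32 keeps a 32-bit ImageBase at +28; PE32+ a 64-bit one at +24 (no BaseOfData).
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": vaddr, "virsiz": vsize, "rawdsiz": rsize,
                         "ntrpy": round(entropy(raw), 2), "md5": hashlib.md5(raw).hexdigest()})
    # Tools disagree on whether to print the entry point as RVA or ImageBase+RVA; keep both.
    return {"md5": hashlib.md5(data).hexdigest(),
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "timedatestamp": tstamp,
            "timedatestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tstamp)),
            "entrypoint_rva": ep_rva, "entrypoint_va": image_base + ep_rva,
            "sections": sections}


def diff_reports(a: dict, b: dict) -> dict:
    """Same timestamp and entry point but different section hashes is the classic
    fingerprint of a patched copy of a known binary."""
    sa = {s["name"]: s for s in a["sections"]}
    sb = {s["name"]: s for s in b["sections"]}
    return {"same_timestamp": a["timedatestamp"] == b["timedatestamp"],
            "same_entrypoint_rva": a["entrypoint_rva"] == b["entrypoint_rva"],
            "changed_sections": sorted(n for n in sa if n in sb and sa[n]["md5"] != sb[n]["md5"]),
            "only_in_a": sorted(set(sa) - set(sb)), "only_in_b": sorted(set(sb) - set(sa))}


def build_pe(sections, image_base=0x01000000, ep_rva=0x1000, tstamp=0x41107EDC) -> bytes:
    """Constructed minimal PE32 image (a parser fixture, not a runnable program):
    headers in the first 0x200 bytes, then one 0x200-aligned raw block per section."""
    nsec, opt_size = len(sections), 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, tstamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # section / file alignment
    table, body, rptr, vaddr = bytearray(), bytearray(), 0x200, 0x1000
    for name, payload in sections:
        rsize = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), vaddr,
                             rsize, rptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(rsize, b"\0")
        rptr, vaddr = rptr + rsize, vaddr + ((len(payload) + 0xFFF) & ~0xFFF)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    assert len(headers) <= 0x200, "too many sections for this fixture"
    return headers.ljust(0x200, b"\0") + bytes(body)


def sample_pair():
    """Two fixtures shaped like the forum's pair: identical build timestamp,
    entry point and .rsrc, but .text and .data bytes differ."""
    text = bytes(range(256)) * 4
    hooked = bytearray(text)
    hooked[0x10:0x15] = b"\xE9\x00\x10\x00\x00"                 # a 5-byte jmp written over code
    rsrc = b"RSRC" * 64
    clean = build_pe([(b".text", text), (b".data", b"\x10" * 300), (b".rsrc", rsrc)], ep_rva=0x3D353)
    patched = build_pe([(b".text", bytes(hooked)), (b".data", b"\x20" * 300), (b".rsrc", rsrc)], ep_rva=0x3D353)
    return parse_pe(clean), parse_pe(patched)


if __name__ == "__main__":
    a, b = sample_pair()
    for r in (a, b):
        print(f"md5 {r['md5']}  ep 0x{r['entrypoint_va']:X}  built {r['timedatestamp_utc']} UTC")
        for s in r["sections"]:
            print(f"  {s['name']:<6} 0x{s['viradd']:<6X} 0x{s['virsiz']:<6X} 0x{s['rawdsiz']:<6X} {s['ntrpy']:.2f} {s['md5']}")
    print(diff_reports(a, b))
```

To use it on real samples, `parse_pe(open(path, "rb").read())` on the quarantined `winlogon.bak.vir` and the live `winlogon.exe` and hand both dicts to `diff_reports`; a section list whose only changes are in `.text`/`.data` while the timestamp and `.rsrc` match is exactly the pattern the two VirusTotal reports show.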
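Several lines in the ComboFix log above are the ones a responder reads first: system+hidden files that appeared in system32 (`--sh--r-`, `--sha-w-`), an Image File Execution Options `Debugger` value on `avp.com` (the "debugger" is launched in place of the program, so `ntsd -d` keeps the AV from starting), a non-default `UIHost` for winlogon stored as a `hex(2)` byte list, and `DisableMonitoring=1` under Security Center for the installed AV. The script below is an added example (editor's code, not from the poster or from the ComboFix project) that runs those checks over a constructed excerpt; the finding names and the `SAMPLE_LOG` text are mine, written with the backslashes the forum's copy lost.

```python
"""Triage helpers for a ComboFix log: flag system+hidden files under system32,
decode hex(2) registry values, and catch IFEO "Debugger" hijacks and disabled
Security Center monitoring. SAMPLE_LOG is a constructed excerpt, not the post."""
import re
from dataclasses import dataclass

# "Files Created" / Find3M rows: "<mtime> . <ctime> <size> <attrs> <path>"
FILE_ROW = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-dcshawr]{7,8})\s+(?P<path>\S.*)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_HEX2 = re.compile(r'^"(?P<name>[^"]+)"=hex\(2\):(?P<hex>[0-9a-fA-F,]+)$')
REG_DEBUGGER = re.compile(r'^"Debugger"=(?P<dbg>.+)$')
REG_DISABLE = re.compile(r'^"DisableMonitoring"=dword:0*1$')

IFEO = "\\windows nt\\currentversion\\image file execution options\\"
WINLOGON = "\\windows nt\\currentversion\\winlogon"
SECCENTER = "\\security center\\monitoring\\"

SAMPLE_LOG = r"""
2010-03-01 22:33 . 2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-02-07 22:22 . 2010-02-07 22:22 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-18 22:37 . 2009-04-17 20:20 119808 -csha-w- c:\program files\Thumbs.db
2009-11-30 07:23 . 2009-06-19 21:22 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.com]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def decode_hex2(comma_hex: str) -> str:
    """hex(2) is REG_EXPAND_SZ dumped as comma-separated bytes; stop at the NUL."""
    raw = bytes(int(h, 16) for h in comma_hex.split(","))
    return raw.split(b"\0", 1)[0].decode("latin-1")


def triage(log: str) -> list:
    findings = []
    key = ""  # registry key whose values we are currently reading
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_ROW.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            # system+hidden is a common way to park a payload next to real DLLs.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden_system_file", path, line))
            continue
        k = REG_KEY.match(line)
        if k:
            key = k["key"]
            continue
        kl = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        d = REG_DEBUGGER.match(line)
        h = REG_HEX2.match(line)
        if IFEO in kl and d:
            # IFEO Debugger: Windows starts the "debugger" instead of the named program.
            findings.append(Finding("ifeo_debugger", f"{leaf} -> {d['dbg']}", line))
        elif SECCENTER in kl and REG_DISABLE.match(line):
            findings.append(Finding("security_center_monitoring_disabled", leaf, line))
        elif kl.endswith(WINLOGON) and h and h["name"].lower() == "uihost":
            # XP's stock UIHost is logonui.exe; anything else replaces the logon UI.
            findings.append(Finding("winlogon_uihost", decode_hex2(h["hex"]), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<38} {f.detail}")
```

Every hit is a lead, not a verdict: hidden system files in system32 include legitimate licensing and codec components, so each path still has to be checked against its publisher, which is the step the VirusTotal reports above were doing for winlogon.exe.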
Thanks for the quick response!!!))) Here is what's in the file:

Volume in drive C is Система
Volume Serial Number is BE56-8CB1

Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32

17.08.2004 16:05 503 808 winlogon.bak.vir
1 File(s) 503 808 bytes

Directory of C:\WINDOWS\system32

24.03.2007 16:49 503 808 winlogon.exe
1 File(s) 503 808 bytes

ComboFix 10-03-04.01 - ANT 04.03.2010 22:15:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.1023.647 [GMT 3:00]
Running from: c:\documents and settings\ANT\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\ANT\Рабочий стол\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Resident AV is active.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\ANT\Application Data\Microsoft\Internet Explorer\qiPSearchbar.dll
c:\documents and settings\ANT\Мои документы\cc_20100112_1507.reg
c:\documents and settings\ANT\Мои документы\cc_20100113_1824.reg
c:\program files\FieryAds
C:\Thumbs.db
c:\windows\EventSystem.log
c:\windows\system32\914366171.dat
c:\windows\system32\AVSredirect.dll
c:\windows\system32\Chip.dll
c:\windows\system32\Data
c:\windows\system32\eebbecbf1_z.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mswmpdat.tlb
c:\windows\system32\noruns.reg
c:\windows\system32\Pvt.tmp
c:\windows\system32\Thumbs.db
c:\windows\system32\VB6KO.DLL
c:\windows\system32\winlogon.bak
c:\windows\system32\winview.ocx
c:\windows\system32\wmcache.nld
c:\windows\wiaservim.log
E:\install.exe
E:\Uninstall.exe

BITS: Possible infected sites

hxxp://soft.export.yandex.ru

c:\windows\system32\winlogon.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.
2010-03-02 00:46 . 2010-03-02 00:46 d—w- C:rsit
2010-03-01 23:46 . 2010-03-01 23:46 d—w- c:program filesTrend Micro
2010-03-01 22:33 . 2008-03-16 13:30 216064 —sh—r- c:windowssystem32nbDX.dll
2010-03-01 22:33 . 2007-02-21 11:47 31232 —sh—r- c:windowssystem32msfDX.dll
2010-03-01 22:33 . 2006-05-03 10:06 163328 —sh—r- c:windowssystem32flvDX.dll
2010-03-01 22:33 . 2010-03-01 22:33 d—w- c:program fileseRightSoft
2010-02-28 21:47 . 2010-02-28 21:47 d—w- c:documents and settingsANTApplication DataApple Computer
2010-02-27 11:05 . 2010-02-27 11:05 d—w- c:documents and settingsNetworkServiceLocal SettingsApplication DataApple
2010-02-22 22:11 . 2010-02-22 22:11 d—w- c:program filesQuickTime
2010-02-22 22:11 . 2010-02-22 22:11 d—w- c:documents and settingsAll UsersApplication DataApple Computer
2010-02-22 22:11 . 2010-02-22 22:11 d—w- c:program filesCommon FilesApple
2010-02-22 22:10 . 2010-02-22 22:10 d—w- c:documents and settingsANTLocal SettingsApplication DataApple
2010-02-22 22:10 . 2010-02-22 22:10 d—w- c:program filesApple Software Update
2010-02-22 22:10 . 2010-02-22 22:10 d—w- c:documents and settingsAll UsersApplication DataApple
2010-02-22 22:10 . 2010-02-22 22:10 d—w- c:documents and settingsANTLocal SettingsApplication DataApple Computer
2010-02-22 21:51 . 2010-02-22 21:51 d—w- C:Новая папка
2010-02-22 21:50 . 2010-02-22 21:50 d—w- C:Partyman
2010-02-22 21:50 . 2010-02-22 21:50 d—w- c:documents and settingsANTНовая папка
2010-02-22 21:47 . 2010-02-22 21:47 d—w- c:documents and settingsANTHardbass Partyman
2010-02-07 22:33 . 2010-02-07 22:33 109072 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilesrollbackpatchAutoPatcheskav9exec9.0.0.736mzvkbd3.dll
2010-02-07 22:33 . 2010-02-07 22:33 80400 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilesrollbackpatchAutoPatcheskav9exec9.0.0.736fssync.dll
2010-02-07 22:33 . 2010-02-07 22:33 315408 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilesrollbackpatchAutoPatcheskav9exec9.0.0.736sysi3865.1klif.sys
2010-02-07 22:33 . 2010-02-07 22:33 109072 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilestemporaryFolderAutoPatcheskav9exec9.0.0.736mzvkbd3.dll
2010-02-07 22:33 . 2010-02-07 22:33 80400 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilestemporaryFolderAutoPatcheskav9exec9.0.0.736fssync.dll
2010-02-07 22:33 . 2010-02-07 22:33 315408 —-a-w- c:documents and settingsAll UsersApplication DataKaspersky LabAVP9DataUpdaterTemporary FilestemporaryFolderAutoPatcheskav9exec9.0.0.736sysi3865.1klif.sys
2010-02-07 22:22 . 2010-02-07 22:22 108059 —-a-w- c:windowssystem32driversklin.dat
2010-02-07 22:22 . 2010-02-07 22:22 95259 —-a-w- c:windowssystem32driversklick.dat
2010-02-07 22:20 . 2010-03-04 19:27 d—w- c:documents and settingsAll UsersApplication DataKaspersky Lab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 19:28 . 2008-07-06 08:46 d—w- c:documents and settingsANTApplication DataSkype
2010-03-04 18:06 . 2008-07-06 08:49 d—w- c:documents and settingsANTApplication DataskypePM
2010-03-01 15:28 . 2010-03-01 15:20 d—w- c:program filesSecurity Task Manager
2010-03-01 15:28 . 2010-03-01 15:20 d—w- c:documents and settingsAll UsersApplication DataSecTaskMan
2010-02-28 23:35 . 2007-03-24 15:12 d—w- c:program filesCommon FilesAdobe
2010-02-27 23:51 . 2007-04-30 19:16 d—w- c:documents and settingsANTApplication DataCanon
2010-02-25 20:45 . 2007-11-25 08:37 d—a-w- c:documents and settingsAll UsersApplication DataTEMP
2010-02-23 10:04 . 2007-05-11 19:56 1157544 —-a-w- c:documents and settingsLocalServiceLocal SettingsApplication DataFontCache3.0.0.0.dat
2010-02-21 22:43 . 2008-04-13 13:59 d—w- c:program filesBengal
2010-02-20 15:02 . 2008-11-06 18:42 d—w- c:program filesATI
2010-02-20 14:58 . 2007-04-10 21:23 d—w- c:program filesATI Technologies
2010-02-18 22:38 . 2008-05-11 21:06 d—w- c:program filesKaspersky Lab
2010-02-18 22:37 . 2009-04-17 20:20 119808 -csha-w- c:program filesThumbs.db
2010-02-07 21:56 . 2008-05-11 20:59 d—w- c:documents and settingsAll UsersApplication DataKaspersky Lab Setup Files
2010-02-07 20:00 . 2007-08-15 17:43 d—w- c:program filesGoogle
2010-01-22 07:36 . 2008-07-27 21:30 d—w- c:documents and settingsANTApplication DatauTorrent
2010-01-13 15:42 . 2009-10-14 22:01 d—w- c:program filesDrWeb
2010-01-13 15:39 . 2007-03-24 13:16 d—h—w- c:program filesInstallShield Installation Information
2010-01-13 15:08 . 2009-03-03 20:03 1324 —-a-w- c:windowssystem32d3d9caps.dat
2010-01-12 12:06 . 2010-01-12 12:06 d—w- c:program filesCCleaner
2010-01-12 11:18 . 2010-01-12 11:18 d—w- c:program filesAvira
2010-01-11 21:11 . 2008-11-11 23:15 d—w- c:program filesQIP Infium
2009-12-23 17:18 . 2009-12-23 17:18 4286 —-a-r- c:documents and settingsANTApplication DataMicrosoftInstaller{744CC3A3-431B-4FCB-A1FC-B115AB5BB359}ARPPRODUCTICON.exe
2009-12-23 17:18 . 2009-12-23 17:18 40960 —-a-r- c:documents and settingsANTApplication DataMicrosoftInstaller{744CC3A3-431B-4FCB-A1FC-B115AB5BB359}Zemble.exe_744CC3A3431B4FCBA1FCB115AB5BB359.exe
2009-12-23 10:35 . 2009-12-23 10:34 231817 —-a-w- c:program filesUninst.isu
2009-12-14 13:37 . 2009-12-14 13:37 36864 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}InstallerCommonCustomActionsSleep.exe
2009-12-14 13:37 . 2009-12-14 13:37 3351812 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}InstallerCommonCustomActionsmsxml6Exec.exe
2009-12-14 13:37 . 2009-12-14 13:37 3203453 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}InstallerCommonCustomActionsvcredistExec.exe
2009-12-10 22:16 . 2001-10-20 16:00 528974 —-a-w- c:windowssystem32perfh019.dat
2009-12-10 22:16 . 2001-10-20 16:00 101150 —-a-w- c:windowssystem32perfc019.dat
2009-12-09 23:27 . 2009-12-09 23:27 95232 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{3D39E775-DDDA-4327-B747-0BDC5F191331}InstallerCommonCustomActionspcswpcsi.exe
2009-12-09 23:27 . 2009-12-09 23:27 8192 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{3D39E775-DDDA-4327-B747-0BDC5F191331}InstallerCommonCustomActionsUninstCCD.exe
2009-12-09 23:27 . 2009-12-09 23:27 61440 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{3D39E775-DDDA-4327-B747-0BDC5F191331}InstallerCommonCustomActionsUninstPCSFEMsi.exe
2009-12-09 23:27 . 2009-12-09 23:27 10240 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{3D39E775-DDDA-4327-B747-0BDC5F191331}InstallerCommonCustomActionsUninstPCS.exe
2009-12-09 23:25 . 2009-12-09 23:27 34045136 —-a-w- c:documents and settingsAll UsersApplication DataInstallations{3D39E775-DDDA-4327-B747-0BDC5F191331}Nokia_PC_Suite_7_1_30_9_rus_web.exe
2009-08-04 17:56 . 2009-09-24 09:20 416 -c—a-w- c:program filesfile_id.diz
2007-09-18 10:49 . 2009-04-17 20:20 36153 -c—a-w- c:program filesscrdoc_r.htm
2007-09-18 10:42 . 2009-04-17 20:20 22683 -c—a-w- c:program filesscrdoc_e.htm
2007-09-18 09:40 . 2009-04-17 20:20 960 -c—a-w- c:program filesReadme_E.txt
2007-09-18 09:38 . 2009-04-17 20:20 30208 -c—a-w- c:program filesReadme_R.doc
2007-09-18 09:38 . 2009-04-17 20:20 931 -c—a-w- c:program filesReadme_R.txt
2007-09-18 09:07 . 2009-04-17 20:20 2245 -c—a-w- c:program filesbrowse_r.htm
2007-09-18 09:06 . 2009-04-17 20:20 2170 -c—a-w- c:program filesbrowse_e.htm
2007-09-18 09:04 . 2009-04-17 20:20 18116 -c—a-w- c:program filesscreen_e.htm
2007-09-18 09:04 . 2009-04-17 20:20 23243 -c—a-w- c:program filesscreen_r.htm
2007-09-17 17:41 . 2009-04-17 20:20 5229 -c—a-w- c:program filesstd_rutw.png
2007-09-17 17:41 . 2009-04-17 20:20 4713 -c—a-w- c:program filesstd_ukr.png
2007-09-17 17:41 . 2009-04-17 20:20 4625 -c—a-w- c:program filesstd_ru.png
2007-09-17 17:41 . 2009-04-17 20:20 4594 -c—a-w- c:program filesyazhert.png
2007-09-17 17:41 . 2009-04-17 20:20 4897 -c—a-w- c:program filesyaschert.png
2007-09-17 17:41 . 2009-04-17 20:20 4830 -c—a-w- c:program filesyashert3.png
2007-09-17 17:41 . 2009-04-17 20:20 4727 -c—a-w- c:program filesyawert2.png
2007-09-17 17:41 . 2009-04-17 20:20 4688 -c—a-w- c:program filesyashert2.png
2007-09-17 17:41 . 2009-04-17 20:20 4593 -c—a-w- c:program filesyashert.png
2007-09-17 17:41 . 2009-04-17 20:20 4571 -c—a-w- c:program filesstudent.png
2007-09-17 17:41 . 2009-04-17 20:20 4558 -c—a-w- c:program filesyawert.png
2007-09-17 17:41 . 2009-04-17 20:20 4538 -c—a-w- c:program filesyazh_ukr.png
2007-09-17 17:40 . 2009-04-17 20:20 4923 -c—a-w- c:program filesyazhert3.png
2007-09-17 17:40 . 2009-04-17 20:20 4580 -c—a-w- c:program filesyazhert2.png
2007-09-17 17:40 . 2009-04-17 20:20 4556 -c—a-w- c:program filesyayuertj.png
2007-09-17 17:24 . 2009-04-17 20:20 4846 -c—a-w- c:program filesalphabet.png
2007-04-08 15:57 . 2009-04-17 20:20 50350 -c—a-w- c:program filescvtnonus.js
2007-04-06 13:41 . 2009-04-17 20:20 49567 -c—a-w- c:program filescvt.js
2007-04-06 13:18 . 2009-04-17 20:20 12188 -c—a-w- c:program filescvtnon_e.js
2006-10-03 08:35 . 2009-04-17 20:20 9191 -c—a-w- c:program filesvOpera_r.htm
2006-10-02 13:59 . 2009-04-17 20:20 268 -c—a-w- c:program filesardn1.png
2006-10-02 13:59 . 2009-04-17 20:20 274 -c—a-w- c:program filessmile.png
2006-10-02 11:03 . 2009-04-17 20:20 459 -c—a-w- c:program filesgo_e.png
2006-10-02 11:03 . 2009-04-17 20:20 456 -c—a-w- c:program filesgo_r.png
2006-10-02 11:03 . 2009-04-17 20:20 2673 -c—a-w- c:program filescyr-late.png
2006-10-02 11:03 . 2009-04-17 20:20 2542 -c—a-w- c:program filescyr-lat.png
2006-10-02 11:03 . 2009-04-17 20:20 1389 -c—a-w- c:program filesmain_r.png
2006-10-02 11:03 . 2009-04-17 20:20 1369 -c—a-w- c:program filesmain_e.png
2006-09-14 15:43 . 2009-04-17 20:20 318 -c—a-w- c:program filesvkb.ico
2006-04-07 09:14 . 2009-04-17 20:20 4670 -c—a-w- c:program filesutil.js
2009-10-05 15:34 . 2010-01-11 21:11 118000 —-a-w- c:program filesmozilla firefoxcomponentsqippipe.dll
2006-05-03 10:06 . 2010-03-01 22:33 163328 —sh—r- c:windowssystem32flvDX.dll
2009-11-30 07:23 . 2009-06-19 21:22 3140 —sha-w- c:windowssystem32KGyGaAvL.sys
2007-02-21 11:47 . 2010-03-01 22:33 31232 —sh—r- c:windowssystem32msfDX.dll
2008-03-16 13:30 . 2010-03-01 22:33 216064 —sh—r- c:windowssystem32nbDX.dll
.
Sigcheck
[-] 2004-08-03 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:windowssystem32dllcachetcpip.sys
[-] 2004-08-03 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:windowssystem32driverstcpip.sys
[-] 2007-03-24 . BC260ED748748149DB05B29B256A0500 . 503808 . . [5.1.2600.2180] . . c:windowssystem32winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerURLSearchHooks]
«{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}»= «c:program filesWinamp Toolbarwinamptb.dll» [2008-03-19 1267040]
[HKEY_CLASSES_ROOTclsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOTTypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch]
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«DAEMON Tools Lite»=»c:program filesDAEMON Tools Litedaemon.exe» [2008-04-01 486856]
«Skype»=»c:program filesSkypePhoneSkype.exe» [2009-10-09 25623336]
«PC Suite Tray»=»c:program filesNokiaNokia PC Suite 7PCSuite.exe» [2009-06-25 1414144]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«Logitech Hardware Abstraction Layer»=»KHALMNPR.EXE» [2005-05-20 28160]
«ISUSPM Startup»=»c:program filesCommon FilesInstallShieldUpdateServiceisuspm.exe» [2005-08-11 249856]
«ISUSScheduler»=»c:program filesCommon FilesInstallShieldUpdateServiceissch.exe» [2005-08-11 81920]
«LogitechQuickCamRibbon»=»c:program filesLogitechLogitech WebCam SoftwareLWS.exe» [2009-05-08 2780432]
«NevoDRM»=»c:program filesИгры от NevoSoftNevoDRMNevoDRM.exe» [2008-12-01 111616]
«QuickTime Task»=»c:program filesQuickTimeQTTask.exe» [2010-02-15 417792]
«AVP»=»c:program filesKaspersky LabKaspersky Anti-Virus 2010avp.exe» [2009-10-20 340456]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 9.0ReaderReader_sl.exe» [2009-12-21 35760]
«Adobe ARM»=»c:program filesCommon FilesAdobeARM1.0AdobeARM.exe» [2009-12-11 948672]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2004-08-17 15360]
c:documents and settingsANTГлавное менюПрограммыАвтозагрузка
Punto Switcher.lnk — c:program filesYandexPunto Switcherpunto.exe [2009-9-30 831272]
c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
Logitech SetPoint.lnk — c:program filesLogitechSetPointSetPoint.exe [2007-5-15 450560]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogon]
«UIHost»=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionimage file execution optionsavp.com]
«Debugger»=ntsd -d
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@=»Driver»
[HKLM~startupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Logitech Desktop Messenger.lnk]
path=c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузкаLogitech Desktop Messenger.lnk
backup=c:windowspssLogitech Desktop Messenger.lnkCommon Startup
[HKLM~startupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Logitech SetPoint.lnk]
path=c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузкаLogitech SetPoint.lnk
backup=c:windowspssLogitech SetPoint.lnkCommon Startup
[HKLM~startupfolderC:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Ускоренный запуск Adobe Reader.lnk]
backup=c:windowspssУскоренный запуск Adobe Reader.lnkCommon Startup
[HKLM~startupfolderC:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Adobe Gamma.lnk]
backup=c:windowspssAdobe Gamma.lnkStartup
[HKLM~startupfolderC:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Total Commander.lnk]
backup=c:windowspssTotal Commander.lnkStartup
[HKLM~startupfolderC:^Documents and Settings^ANT^Главное меню^Программы^Автозагрузка^Yahoo! Widget Engine.lnk]
backup=c:windowspssYahoo! Widget Engine.lnkStartup
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregBlaero Start Orb
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRecSche
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRemoteControl
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRoboForm
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregScanRegistry
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSIM
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregStyler
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregViOrb
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVista Sidebar
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregViStart
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregVisualTooltip
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregWinDVRCtrl
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAcronis Scheduler2 Service]
2005-11-28 12:01 118784 -c—a-w- c:program filesCommon FilesAcronisSchedule2schedhlp.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAlcmtr]
2005-05-03 10:43 69632 -c—a-w- c:windowsALCMTR.EXE
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAlcWzrd]
2005-05-04 02:01 2805248 -c—a-w- c:windowsALCWZRD.EXE
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregASUS Probe]
2002-12-06 13:07 617984 -c—a-w- c:program filesASUSAsus ProbeAsusProb.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAtiPTA]
2006-02-22 00:05 344064 -c—a-w- c:windowssystem32atiptaxx.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregctfmon.exe]
2004-08-17 13:04 15360 —w- c:windowssystem32ctfmon.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregCTSysVol]
2005-10-31 07:51 57344 -c—-w- c:program filesCreativeSBAudigySurround MixerCTSysVol.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregDAEMON Tools Lite]
2008-04-01 09:39 486856 —-a-w- c:program filesDAEMON Tools Litedaemon.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregDAEMON Tools-1033]
2004-08-22 13:05 81920 —-a-w- E:daemon.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregH/PC Connection Agent]
2005-01-04 08:50 405583 —-a-w- c:program filesMicrosoft ActiveSyncwcescomm.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregHigh Definition Audio Property Page Shortcut]
2005-01-07 14:07 61952 -c—-w- c:windowssystem32HdAShCut.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLanguageShortcut]
2006-05-18 07:29 49152 -c—a-w- c:program filesCyberLinkPowerDVDLanguageLanguage.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLClock]
2004-09-19 21:27 65536 -c—a-w- c:program filesLClockLClock.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLDM]
2008-10-29 19:53 66864 -c—a-w- c:program filesLogitechDesktop Messenger8876480ProgramLogitechDesktopMessenger.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLogitech Hardware Abstraction Layer]
2005-05-20 10:46 28160 —-a-w- c:windowsKHALMNPR.Exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLogitech Vid]
2009-06-02 04:59 5451536 —-a-w- c:program filesLogitechLogitech VidVid.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregMSMSGS]
2004-08-17 13:17 1667584 —w- c:program filesMessengermsmsgs.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregmsnmsgr]
2009-02-06 14:50 3885408 —-a-w- c:program filesWindows LiveMessengermsnmsgr.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregNeroFilterCheck]
2001-07-09 07:50 155648 -c—a-w- c:windowssystem32NeroCheck.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregOpwareSE2]
2003-05-08 07:00 49152 -c—a-w- c:program filesScanSoftOmniPageSE2.0opwareSE2.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregP17Helper]
2005-05-03 11:38 64512 -c—a-r- c:windowssystem32P17.dll
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregPC Suite Tray]
2009-06-25 12:12 1414144 —-a-w- c:program filesNokiaNokia PC Suite 7PCSuite.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregQuickTime Task]
2010-02-15 15:50 417792 —-a-w- c:program filesQuickTimeQTTask.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSoundMan]
2005-05-03 10:43 90112 -c—a-w- c:windowsSOUNDMAN.EXE
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregStartCCC]
2008-08-01 12:23 61440 -c—a-w- c:program filesATI TechnologiesATI.ACECore-StaticCLIStart.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSunJavaUpdateSched]
2007-03-13 23:43 83608 -c—a-w- c:program filesJavajre1.6.0_01binjusched.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregswg]
2007-11-12 18:09 68856 -c—a-w- c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregTrueImageMonitor.exe]
2005-11-28 12:01 1005302 -c—a-w- c:program filesAcronisTrueImageTrueImageMonitor.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregUpdReg]
2000-05-10 22:00 90112 -c—-w- c:windowsUpdreg.EXE
[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregWinampAgent]
2008-01-15 21:54 37376 -c—a-w- c:program filesWinampwinampa.exe
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\totalcmd\TOTALCMD.EXE»=
«c:\Program Files\FlylinkDC++\FlylinkDC.exe»=
«c:\Program Files\SiSoftware\SiSoftware Sandra Pro Business XI.SP2\Win32\RpcDataSrv.exe»=
«c:\Program Files\SiSoftware\SiSoftware Sandra Pro Business XI.SP2\RpcSandraSrv.exe»=
«c:\Program Files\QIP\qip.exe»=
«c:\Program Files\Total Commander\Totalcmd.exe»=
«c:\WINDOWS\system32\PnkBstrA.exe»=
«c:\WINDOWS\system32\PnkBstrB.exe»=
«c:\Program Files\Messenger\msmsgs.exe»=
«c:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\Russian\setup.exe»=
«e:\Cropp\psp\uTorrent.exe»=
«c:\Program Files\QIP Infium\infium.exe»=
«c:\Program Files\Microsoft ActiveSync\wcescomm.exe»=
«c:\Program Files\Microsoft ActiveSync\WCESMgr.exe»=
«c:\Program Files\VideoLAN\VLC\vlc.exe»=
«c:\Program Files\Windows Live\Messenger\msnmsgr.exe»=
«c:\Program Files\Mozilla Firefox\firefox.exe»=
«c:\Program Files\Skype\Plugin Manager\skypePM.exe»=
«e:\QUAKElll\quake3.exe»=
«c:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe»=
«c:\Program Files\Logitech\Logitech Vid\Vid.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«9844:TCP»= 9844:TCP:fxqtzmr
R0 klbg;Kaspersky Lab Boot Guard Driver;c:windowssystem32driversklbg.sys [14.10.2009 21:18 36880]
R0 sptd;sptd;c:windowssystem32driverssptd.sys [25.03.2007 8:35 717296]
R1 atitray;atitray;c:program filesRadeon Omega Driversv3.8.330ATI Tray Toolsatitray.sys [14.11.2005 1:43 14336]
R2 ICQ Service;ICQ Service;c:program filesICQ6ToolbarICQ Service.exe [13.12.2008 0:46 222456]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:windowssystem32driversklim5.sys [14.09.2009 14:42 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:windowssystem32driversklmouflt.sys [02.10.2009 19:39 19472]
R3 PhTVTune;VideoWonder ProTV WDM TVTuner;c:windowssystem32driversSilicon.sys [24.03.2007 23:49 21888]
R3 Tetris;Tetris driver;c:windowssystem32driversTetris.sys [30.08.2007 14:32 48928]
S0 d347bus;d347bus;c:windowssystem32driversd347bus.sys [26.05.2007 18:38 155136]
S0 d347prt;d347prt;c:windowssystem32driversd347prt.sys [26.05.2007 18:38 5248]
S2 gupdate1c995afc65ce744;Google Update Service (gupdate1c995afc65ce744);c:program filesGoogleUpdateGoogleUpdate.exe [23.02.2009 15:10 133104]
S2 LogWatch;Event Log Watch;i:ca_licLogWatNT.exe —> i:ca_licLogWatNT.exe [?]
S3 Irbis64_Service;Irbis64_Service;c:irbis64service_64.exe c:irbis64 —> c:irbis64service_64.exe c:irbis64 [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:windowssystem32driversnmwcdnsu.sys [10.12.2009 2:28 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:windowssystem32driversnmwcdnsuc.sys [10.12.2009 2:28 8320]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvchost — NetSvcs
epzck
cttrwf
rntxmn
oguqct
oeceyrqxq
xeqpbo
jwmxbd
.
Contents of the ‘Scheduled Tasks’ folder
2010-02-27 c:windowsTasksAppleSoftwareUpdate.job
— c:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]
2010-03-04 c:windowsTasksGoogleUpdateTaskMachineCore.job
— c:program filesGoogleUpdateGoogleUpdate.exe [2009-02-23 12:10]
2010-03-04 c:windowsTasksGoogleUpdateTaskMachineUA.job
— c:program filesGoogleUpdateGoogleUpdate.exe [2009-02-23 12:10]
.
.
Supplementary Scan
.
uStart Page = start.qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.windowsxlive.net
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: SoftwareMicrosoftInternet ExplorerSearchUrl; ValueType: string; ValueName: ‘; ValueData: ‘; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search — c:documents and settingsAll UsersApplication DataWinamp ToolbarieToolbarresourcesen-USlocalsearch.html
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List — c:program filesCanonEasy-WebPrintResource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print — c:program filesCanonEasy-WebPrintResource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview — c:program filesCanonEasy-WebPrintResource.dll/RC_Preview.html
IE: Easy-WebPrint Print — c:program filesCanonEasy-WebPrintResource.dll/RC_Print.html
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} — c:program filesPRMT6PRMTIEprmtie5.htm
TCP: {C1380026-0D59-45CF-8C48-951ED4EF6577} = 80.70.224.2,80.70.224.4
TCP: {C50B6EB1-B17D-44BC-90A4-3C050E5DA265} = 80.70.224.2,80.70.224.4
TCP: {E1814A5A-5CDA-40C8-806C-396411C24554} = 80.70.224.2,80.70.224.4
Handler: bwfile-8876480 — {9462A756-7B47-47BC-8C80-C34B9B80B32B} — c:program filesLogitechDesktop Messenger8876480ProgramGAPlugProtocol-8876480.dll
FF — ProfilePath — c:documents and settingsANTApplication DataMozillaFirefoxProfilesso4gyn3i.default
FF — prefs.js: browser.search.selectedEngine — QIP Search
FF — prefs.js: browser.startup.homepage — hxxp://active.mns.ru
FF — prefs.js: keyword.URL — hxxp://search.qip.ru/search?from=FF&query=
FF — component: c:program filesMozilla Firefoxcomponentsqippipe.dll
FF — component: c:program filesMozilla Firefoxextensionslinkfilter@kaspersky.rucomponentsKavLinkFilter.dll
FF — plugin: c:program filesGoogleGoogle Earthpluginnpgeplugin.dll
FF — plugin: c:program filesGoogleUpdate1.2.183.17npGoogleOneClick8.dll
FF — plugin: c:program filesMozilla Firefoxpluginsnpqtplugin8.dll
FF — plugin: c:program filesMozilla Firefoxpluginsnpvlc.dll
FF — plugin: c:program filesQuickTimePluginsnpqtplugin8.dll
.
.
File Associations
.
inifile=%SystemRoot%System32NOTEPAD.EXE %1″
.
— — — — ORPHANS REMOVED — — — —
SSODL-UpdateCheck-{0894318A-AFBB-4AF6-87B7-AB50773F1FD3} — (no file)
MSConfigStartUp-ATICCC — c:program filesATI TechnologiesATI.ACECLIStart.exe
MSConfigStartUp-egui — c:program filesESETESET NOD32 Antivirusegui.exe
MSConfigStartUp-Kleptomania — c:progra~1KLEPTO~1k-mania.exe
MSConfigStartUp-LogitechCommunicationsManager — c:program filesCommon FilesLogiShrdLComMgrCommunications_Helper.exe
MSConfigStartUp-LogitechQuickCamRibbon — c:program filesLogitechQuickCamQuickcam.exe
MSConfigStartUp-Punto Switcher — c:program filesPunto Switcherpunto.exe
MSConfigStartUp-QIP — c:program filesQIP.Onlineqiponline.exe
MSConfigStartUp-Winpower — c:program filesUpsPilotWinpower.exe
AddRemove-Fable — The Lost Chapters_is1 — i:fable — the lost chaptersunins000.exe
AddRemove-HijackThis — c:program filesTrend MicroHijackThisHijackThis.exe
AddRemove-XPv3.8.330 — c:windowsRadeon Omega Drivers v3.8.330
AddRemove-Winamp Toolbar for Firefox — c:documents and settingsANTApplication DataMozillaFirefoxProfilesso4gyn3i.defaultextensions{0b38152b-1b20-484d-a11f-5e04a9b0661f}uninstall.exe
AddRemove-{DF0273D1-2E03-484D-8FFB-02C39438A6C1} — E:Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 22:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll >>UNKNOWN [0x86F651F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xf75cbfc3
DriverACPI -> ACPI.sys @ 0xf73f0cb8
Driveratapi -> sfsync02.sys @ 0xf7807d60
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
DeviceHarddisk0DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059ece9
ParseProcedure -> ntoskrnl.exe @ 0x8057e98a
NDIS: D-Link DFE-520TX PCI Fast Ethernet Adapter #3 -> SendCompleteHandler -> NDIS.sys @ 0xf727cba0
PacketIndicateHandler -> NDIS.sys @ 0xf7289b21
SendHandler -> NDIS.sys @ 0xf726787b
user & kernel MBR OK
**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(1580)
c:windowssystem32Ati2evxx.dll
— — — — — — — > ‘lsass.exe'(1636)
c:windowssystem32relog_ap.dll
— — — — — — — > ‘explorer.exe'(5264)
c:windowsTEMPlogishrdLVPrcInj01.dll
c:program filesYandexPunto Switcherpshook.dll
c:program filesLogitechSetPointlgscroll.dll
c:windowssystem32WPDShServiceObj.dll
c:program filesNokiaNokia PC Suite 7PhoneBrowser.dll
c:program filesNokiaNokia PC Suite 7NGSCM.DLL
c:program filesNokiaNokia PC Suite 7LangPhoneBrowser_rus.nlr
c:program filesNokiaNokia PC Suite 7ResourcePhoneBrowser_Nokia.ngr
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
c:windowssystem32browselc.dll
c:program filesMicrosoft OfficeOFFICE11msohev.dll
c:program filesCommon FilesAdobeAcrobatActiveXPDFShell.dll
.
Other Running Processes
.
c:windowssystem32Ati2evxx.exe
c:windowssystem32Ati2evxx.exe
c:program filesCommon FilesAcronisSchedule2schedul2.exe
c:windowssystem32CTsvcCDA.exe
c:program filesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
c:program filesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:windowssystem32PnkBstrA.exe
c:program filesCyberLinkShared filesRichVideo.exe
c:program filesMicrosoft SQL Server90Sharedsqlbrowser.exe
c:program filesMicrosoft SQL Server90Sharedsqlwriter.exe
c:windowssystem32wscntfy.exe
c:program filesCommon FilesLogishrdLQCVFXCOCIManager.exe
c:program filesCommon FilesLogitechKHALKHALMNPR.EXE
c:program filesPC Connectivity SolutionServiceLayer.exe
c:program filesPC Connectivity SolutionTransportsNclIrSrv.exe
c:program filesPC Connectivity SolutionTransportsNclRSSrv.exe
c:program filesPC Connectivity SolutionTransportsNclMSBTSrv.exe
c:program filesPC Connectivity SolutionTransportsNclUSBSrv.exe
c:program filesSkypePlugin ManagerskypePM.exe
c:windowssystem32wbemwmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-03-04 22:32:32 — machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 19:32
Pre-Run: 1 467 949 056 байт свободно
Post-Run: 1 619 087 360 байт свободно
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect
— — End Of File — — A374B872C0BF230408A1EAADBD192D03