Созданные ответы форума
-
Сообщения
-
ComboFix 08-10-06.08 — 1 2008-10-07 22:01:00.4 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.310 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: D:CFScript.txt
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:Program FilesTS2009
C:Program FilesTS2009totalsecure.s1
C:WINDOWSIE4 Error Log.txt.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.2008-10-07 10:08 . 2008-10-07 22:05 54,156 —ah
C:WINDOWSQTFont.qfn
2008-10-07 10:08 . 2008-10-07 22:05 1,409 —a
C:WINDOWSQTFont.for
2008-10-06 16:05 . 2008-10-06 16:05d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 16:06 46,939,680 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-07 16:05 768,032 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-07 15:19
d
w C:Documents and Settings1Application DataskypePM
2008-10-07 15:19
d
w C:Documents and Settings1Application DataSkype
2008-10-07 14:46 72,596 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-07 14:46 622,148 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-07 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-07 14:45
d
w C:Documents and Settings1Application DataOrbit
2008-10-07 09:01
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((( snapshot@2008-10-07_15.13.34.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-07 15:19:14 16,384 —-atw C:WINDOWSTempPerflib_Perfdata_dfc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-07 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 22:05:34
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-10-07 22:08:01
ComboFix-quarantined-files.txt 2008-10-07 16:07:55
ComboFix2.txt 2008-10-07 09:14:07
ComboFix3.txt 2008-10-06 16:16:07Pre-Run: 3 100 409 856 ???? ????????
Post-Run: 3,069,489,152 ???? ????????243 — E O F — 2008-09-10 14:48:49
новый лог
ComboFix 08-10-06.05 — 1 2008-10-07 15:07:55.3 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.230 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: C:Documents and Settings1??????? ????CFScript.txt
* Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.2008-10-07 10:08 . 2008-10-07 15:12 54,156 —ah
C:WINDOWSQTFont.qfn
2008-10-07 10:08 . 2008-10-07 15:12 1,409 —a
C:WINDOWSQTFont.for
2008-10-06 16:05 . 2008-10-06 16:05d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 09:12 761,120 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-07 09:12 46,323,232 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-07 09:02
d
w C:Documents and Settings1Application DataSkype
2008-10-07 09:01
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-07 08:59 72,044 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-07 08:59 620,132 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-07 08:58
d
w C:Program FilesQUIK КИТ Финанс
2008-10-07 04:10
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-07 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 15:12:36
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-10-07 15:14:05
ComboFix-quarantined-files.txt 2008-10-07 09:14:00
ComboFix2.txt 2008-10-06 16:16:07Pre-Run: 3 180 777 472 ???? ????????
Post-Run: 3,156,447,232 ???? ????????239 — E O F — 2008-09-10 14:48:49
теперь нет проблем!
Спасибо вам, Валерий!!! ОГРОМНОЕ!
Мне очень повезло что я сразу попала на этот форум!сделала так как вы написали в другой теме:
Откройте блокнот и вставьте в него следующий текст:
Код: Выделить всё
File::
C:WINDOWSsystem32mfmlib.dllRegistry::
[-HKEY_LOCAL_MACHINE~Browser Helper Objects{E5F76779-DE98-4045-AE76-1B5F8CB6B98D}]Запишите получившийся файл на ваш рабочий стол под именем CFScript
Далее перетащите получившийся файл на иконку Combofix, как показано на картинке ниже.По окончанию работы Combofix будет создан новый лог файл, пожалуйста вставьте его в ваше ответное сообщение.
это новый лог:
ComboFix 08-10-05.10 — 1 2008-10-06 22:12:54.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.428 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
Command switches used :: C:Documents and Settings1??????? ????CFScript.txt
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.2008-10-06 16:05 . 2008-10-06 16:05
d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 16:13 750,624 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-06 16:13 46,056,224 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-06 15:55
d
w C:Documents and Settings1Application DataSkype
2008-10-06 15:51 70,916 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-06 15:51 616,292 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-06 15:35
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-06 10:20
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-08-06 17:01 96,976 —-a-w C:WINDOWSsystem32driversklin.dat
2008-08-06 13:52
d
w C:Documents and SettingsAll UsersApplication DataCyberLink
2008-08-06 13:52
d
w C:Documents and Settings1Application DataCyberLink
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-05 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.
— — — — ORPHANS REMOVED — — — —URLSearchHooks-{83821C2B-32A8-4DD7-B6D4-44309A78E668} — (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 22:13:21
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
**************************************************************************
.
Completion time: 2008-10-06 22:16:04
ComboFix-quarantined-files.txt 2008-10-06 16:16:02
ComboFix2.txt 2008-10-06 16:01:19Pre-Run: 2 570 588 160 ???? ????????
Post-Run: 2,541,649,920 ???? ????????242 — E O F — 2008-09-10 14:48:49
ComboFix 08-10-05.08 — 1 2008-10-06 21:39:41.1 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.259 [GMT 6:00]
Running from: C:Documents and Settings1??????? ????ComboFix.exe
* Created a new restore point
* Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:WINDOWSk.txt
C:WINDOWSsystem32AutoRun.inf
C:WINDOWSsystem32c.ico
C:WINDOWSsystem32Desktop_.ini
C:WINDOWSsystem32fhl.dll
C:WINDOWSsystem32m.ico
C:WINDOWSsystem32rgf.dll
C:WINDOWSsystem32rtl60.bpl
C:WINDOWSsystem32s.ico
C:WINDOWSTemplog.txt.
((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.2008-10-06 16:05 . 2008-10-06 16:05
d
C:Program FilesTrend Micro
2008-10-06 15:16 . 2008-10-06 15:18d
C:Program FilesMalwarebytes’ Anti-Malware
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and SettingsAll UsersApplication DataMalwarebytes
2008-10-06 15:16 . 2008-10-06 15:16d
C:Documents and Settings1Application DataMalwarebytes
2008-10-06 15:16 . 2008-09-10 00:04 38,528 —a
C:WINDOWSsystem32driversmbamswissarmy.sys
2008-10-06 15:16 . 2008-09-10 00:03 17,200 —a
C:WINDOWSsystem32driversmbam.sys
2008-10-06 14:13 . 2008-10-06 14:13d
C:Program FilesESET
2008-10-06 14:13 . 2008-10-06 14:13d
C:Documents and SettingsAll UsersApplication DataESET
2008-10-06 13:14 . 2008-10-06 13:14d
C:Program FilesCommon FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Program FilesParetoLogic
2008-10-06 13:09 . 2008-10-06 13:09d
C:Documents and SettingsAll UsersApplication DataParetoLogic Anti-Spyware
2008-10-06 12:12 . 2008-10-06 13:35d
C:Program FilesXoftSpySE
2008-10-06 12:00 . 2008-10-06 12:00 15,360 —ahs—- C:WINDOWSsystem32Thumbs.db
2008-10-06 11:07 . 2008-10-06 16:35d
C:Program FilesTS2009
2008-10-06 10:57 . 2008-10-06 10:57d
C:Games
2008-10-01 18:13 . 2008-10-01 18:13d
C:Program FilesHiro-Media
2008-10-01 18:13 . 2008-10-01 18:13d
C:Documents and SettingsAll UsersApplication DataHiro-Media
2008-10-01 15:13 . 2008-10-01 15:13 792 —a
C:WINDOWSlines98.sav
2008-10-01 14:04 . 2008-10-01 14:04 120 —a
C:WINDOWSd4s.hst
2008-09-20 22:46 . 2008-04-14 22:10 159,232 —a
C:WINDOWSsystem32ptpusd.dll
2008-09-20 22:46 . 2001-10-19 21:06 5,632 —a
C:WINDOWSsystem32ptpusb.dll
2008-09-11 15:24 . 2008-09-11 16:09d
C:Documents and Settings1Application DataVKLife
2008-09-11 15:22 . 2008-09-17 10:14d
C:Program FilesAgent Vkontakte
2008-09-11 15:22 . 2008-09-11 15:38d
C:Documents and Settings1Application DataVKontakte
2008-09-10 21:51 . 2008-09-10 21:51d
C:Program FilesEA GAMES
2008-09-08 22:29 . 2008-09-08 22:29d
C:WINDOWSSun
2008-09-08 22:28 . 2008-06-10 02:32 73,728 —a
C:WINDOWSsystem32javacpl.cpl
2008-09-08 22:27 . 2008-09-08 22:28d
C:Program FilesJava
2008-09-08 22:20 . 2008-09-08 22:20d
C:Program FilesCommon FilesJava
2008-09-08 11:48 . 2008-08-28 11:50d
C:Program FilesMovie Maker.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 15:55 747,296 —sha-w C:WINDOWSsystem32driversfidbox2.dat
2008-10-06 15:55 45,954,080 —sha-w C:WINDOWSsystem32driversfidbox.dat
2008-10-06 15:55
d
w C:Documents and Settings1Application DataSkype
2008-10-06 15:51 70,916 —sha-w C:WINDOWSsystem32driversfidbox2.idx
2008-10-06 15:51 616,292 —sha-w C:WINDOWSsystem32driversfidbox.idx
2008-10-06 15:35
d
w C:Documents and SettingsAll UsersApplication DataKaspersky Lab
2008-10-06 14:45
d
w C:Program FilesQUIK КИТ Финанс
2008-10-06 10:20
d
w C:Documents and Settings1Application DataskypePM
2008-10-06 09:49
d
w C:Program FilesICQToolbar
2008-10-06 09:48
d
w C:Documents and Settings1Application DataOrbit
2008-10-06 09:03
d
w C:Program FilesOpera
2008-09-24 03:51
d
w C:Program FilesICQ6
2008-09-20 19:40
d
w C:Documents and Settings1Application DatauTorrent
2008-09-20 12:24
d
w C:Documents and Settings1Application DataMra
2008-09-17 12:49
d
w C:Program FilesuTorrent
2008-09-17 08:55
d
w C:Documents and Settings1Application DataICQ
2008-09-10 15:51
d—h—w C:Program FilesInstallShield Installation Information
2008-09-08 05:48
d
w C:Program FilesНовая папка
2008-08-29 18:44
d
w C:Program FilesRambler Assistant
2008-08-28 13:31
d
w C:Program FilesWindows Media Connect 2
2008-08-28 13:10
d
w C:Documents and Settings1Application DataDataLayer
2008-08-28 13:07
d
w C:Program FilesShasoft eBook 3.0
2008-08-28 05:29
d
w C:Documents and Settings1Application DataDownload Master
2008-08-27 17:58
d
w C:Program FilesDivX
2008-08-26 05:20
d
w C:Documents and SettingsAll UsersApplication DataOffice Genuine Advantage
2008-08-24 13:59
d
w C:Documents and Settings1Application DataNokia
2008-08-24 09:29
d
w C:Program FilesMSXML 4.0
2008-08-23 11:57
d
w C:Documents and SettingsAll UsersApplication DataHP
2008-08-23 11:57
d
w C:Documents and Settings1Application DataHP
2008-08-23 11:50
d
w C:Documents and SettingsAll UsersApplication DataWEBREG
2008-08-23 11:48
d
w C:Program FilesHP
2008-08-23 11:48
d
w C:Documents and SettingsAll UsersApplication DataHPSSUPPLY
2008-08-23 11:48
d
w C:Documents and Settings1Application DataHPAppData
2008-08-23 11:47
d
w C:Program FilesCommon FilesHP
2008-08-23 11:47
d
w C:Documents and SettingsAll UsersApplication DataHP Product Assistant
2008-08-23 11:46
d
w C:Program FilesHewlett-Packard
2008-08-23 11:46
d
w C:Program FilesCommon FilesHewlett-Packard
2008-08-23 11:45
d
w C:Documents and SettingsAll UsersApplication DataHewlett-Packard
2008-08-21 10:48
d
w C:Documents and Settings1Application Datarambler.ru
2008-08-21 05:07
d
w C:Documents and Settings1Application DataU3
2008-08-19 13:12
d
w C:Program FilesOrbitdownloader
2008-08-18 14:56
d
w C:Program FilesAlcohol Soft
2008-08-18 14:52 716,272 —-a-w C:WINDOWSsystem32driverssptd.sys
2008-08-15 09:24
d
w C:Program FilesJavaSoft
2008-08-14 14:13
d
w C:Program FilesGames.Rambler.ru
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataPlayFirst
2008-08-14 14:13
d
w C:Documents and SettingsAll UsersApplication DataAlawarWrapper
2008-08-14 14:13
d
w C:Documents and Settings1Application DataPlayFirst
2008-08-13 14:57
d
w C:Program FilesGames.Mail.Ru
2008-08-13 11:27
d
w C:Program FilesDIFX
2008-08-13 11:27
d
w C:Documents and SettingsAll UsersApplication DataPC Suite
2008-08-13 11:26
d
w C:Program FilesNokia
2008-08-13 11:26
d
w C:Program FilesCommon FilesPCSuite
2008-08-13 11:26
d
w C:Program FilesCommon FilesNokia
2008-08-13 11:26
d
w C:Documents and SettingsAll UsersApplication DataDownloaded Installations
2008-08-13 11:26
d
w C:Documents and Settings1Application DataPC Suite
2008-08-13 10:58
d
w C:Documents and SettingsAll UsersApplication DataEgoset
2008-08-13 07:13
d
w C:Program FilesDownload Master
2008-08-13 06:15
d
w C:Documents and SettingsAll UsersApplication DataNtiDvdCopy
2008-08-13 05:33
d
w C:Documents and Settings1Application DataMedia Player Classic
2008-08-08 05:10
d—h—w C:Documents and SettingsAll UsersApplication DataCanonBJ
2008-08-06 17:01 96,976 —-a-w C:WINDOWSsystem32driversklin.dat
2008-08-06 13:52
d
w C:Documents and SettingsAll UsersApplication DataCyberLink
2008-08-06 13:52
d
w C:Documents and Settings1Application DataCyberLink
2008-07-23 16:48 200,704 —-a-w C:WINDOWSsystem32ssldivx.dll
2008-07-23 16:48 1,044,480 —-a-w C:WINDOWSsystem32libdivx.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32dllcachecdm.dll
2008-07-18 16:10 94,920 —-a-w C:WINDOWSsystem32cdm.dll
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32wuauclt.exe
2008-07-18 16:10 53,448 —-a-w C:WINDOWSsystem32dllcachewuauclt.exe
2008-07-18 16:10 45,768 —-a-w C:WINDOWSsystem32wups2.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32wups.dll
2008-07-18 16:10 36,552 —-a-w C:WINDOWSsystem32dllcachewups.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32wuapi.dll
2008-07-18 16:09 563,912 —-a-w C:WINDOWSsystem32dllcachewuapi.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32wucltui.dll
2008-07-18 16:09 325,832 —-a-w C:WINDOWSsystem32dllcachewucltui.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32wuweb.dll
2008-07-18 16:09 205,000 —-a-w C:WINDOWSsystem32dllcachewuweb.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32wuaueng.dll
2008-07-18 16:09 1,811,656 —-a-w C:WINDOWSsystem32dllcachewuaueng.dll
2008-07-07 20:29 253,952 —-a-w C:WINDOWSsystem32es.dll
2008-07-07 20:29 253,952
w C:WINDOWSsystem32dllcachees.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerURLSearchHooks]
«{83821C2B-32A8-4DD7-B6D4-44309A78E668}»= «C:Program FilesMail.RuAgentMradllnewmrasearch.dll» [2008-09-22 46584][HKEY_CLASSES_ROOTclsid{83821c2b-32a8-4dd7-b6d4-44309a78e668}]
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32ctfmon.exe» [2008-04-14 15360]
«Skype»=»C:Program FilesSkypePhoneSkype.exe» [2008-07-23 21738792]
«PcSync»=»C:Program FilesNokiaNokia PC Suite 6PcSync2.exe» [2006-06-27 1449984]
«AlcoholAutomount»=»C:Program FilesAlcohol SoftAlcohol 120axcmd.exe» [2008-03-20 217544]
«VKontakte»=»C:Program FilesAgent VkontakteAgentVkontakte.exe» [2008-05-21 3537920]
«ParetoLogic Anti-Spyware»=»C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe» [2007-04-02 2639472][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«preload»=»C:WindowsRUNXMLPL.exe» [2007-04-21 20480]
«IAAnotif»=»C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-03-21 174872]
«SynTPEnh»=»C:Program FilesSynapticsSynTPSynTPEnh.exe» [2007-09-08 1015808]
«AzMixerSel»=»C:Program FilesRealtekInstallShieldAzMixerSel.exe» [2005-06-11 53248]
«IMJPMIG8.1″=»C:WINDOWSIMEimjp8_1IMJPMIG.EXE» [2004-08-18 208952]
«MSPY2002″=»C:WINDOWSsystem32IMEPINTLGNTImScInst.exe» [2004-08-18 59392]
«PHIME2002ASync»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«PHIME2002A»=»C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE» [2004-08-18 455168]
«SynTPStart»=»C:Program FilesSynapticsSynTPSynTPStart.exe» [2007-09-08 102400]
«RemoteControl»=»C:Program FilesCyberLinkPowerDVDPDVDServ.exe» [2007-01-09 68640]
«LanguageShortcut»=»C:Program FilesCyberLinkPowerDVDLanguageLanguage.exe» [2007-01-09 52256]
«Acer ePresentation HPD»=»C:AcerEmpowering TechnologyePresentationePresentation.exe» [2007-03-02 208896]
«ePower_DMC»=»C:AcerEmpowering TechnologyePowerePower_DMC.exe» [2007-07-04 475136]
«Boot»=»C:AcerEmpowering TechnologyePowerBoot.exe» [2006-03-16 579584]
«eDataSecurity Loader»=»C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe» [2007-05-28 342528]
«eRecoveryService»=»C:AcerEmpowering TechnologyeRecoveryeRAgent.exe» [2007-07-11 421888]
«LManager»=»C:PROGRA~1LAUNCH~1LManager.exe» [2007-10-17 858632]
«IgfxTray»=»C:WINDOWSsystem32igfxtray.exe» [2007-06-13 142104]
«HotKeysCmds»=»C:WINDOWSsystem32hkcmd.exe» [2007-06-13 162584]
«Persistence»=»C:WINDOWSsystem32igfxpers.exe» [2007-06-13 138008]
«QuickTime Task»=»C:Program FilesQuickTimeqttask.exe» [2008-07-27 77824]
«MAgent»=»C:Program FilesMail.RuAgentMAgent.exe» [2008-09-22 3110392]
«Adobe Reader Speed Launcher»=»C:Program FilesAdobeReader 8.0ReaderReader_sl.exe» [2008-01-11 39792]
«PCSuiteTrayApplication»=»C:PROGRA~1NokiaNOKIAP~1LAUNCH~1.EXE» [2006-06-15 229376]
«HP Software Update»=»C:Program FilesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«SunJavaUpdateSched»=»C:Program FilesJavajre1.6.0_07binjusched.exe» [2008-06-10 144784]
«AVP»=»C:Program FilesKaspersky LabKaspersky Internet Security 7.0avp.exe» [2007-06-28 218376]
«RTHDCPL»=»RTHDCPL.EXE» [2007-05-28 C:WINDOWSRTHDCPL.exe][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»C:WINDOWSsystem32CTFMON.EXE» [2008-04-14 15360][hkey_local_machinesoftwaremicrosoftwindowscurrentversionexplorerShellExecuteHooks]
«{51C55F9E-C308-4c95-89AB-8858D8AFD819}»= «C:Program FilesParetoLogicAnti-SpywarePASShlExt.dll» [2007-03-29 98304][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«VIDC.YV12″= yv12vfw.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringKasperskyAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe»=
«C:\Program Files\ICQ6\ICQ.exe»=
«C:\Program Files\Mail.Ru\Agent\magent.exe»=
«C:\Program Files\BitTornado\btdownloadgui.exe»=
«C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe»=
«C:\Program Files\Orbitdownloader\orbitnet.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«C:\Program Files\ZyXEL\NetFriend\NetFriend.exe»=
«C:\Program Files\uTorrent\uTorrent.exe»=
«C:\Program Files\Opera\opera.exe»=
«C:\Program Files\Skype\Phone\Skype.exe»=[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«45533:TCP»= 45533:TCP:utorrent
«45533:UDP»= 45533:UDP:ut
«55555:TCP»= 55555:TCP:1
«55555:UDP»= 55555:UDP:12R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe [2006-04-14 28933976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:WINDOWSsystem32DRIVERSklim5.sys [2007-04-04 24344]
R3 usbstor;Драйвер запоминающих устройств для USB;C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-04-14 26368]
S3 int15.sys;int15.sys;C:AcerEmpowering TechnologyeRecoveryint15.sys [2005-01-13 69632]
S3 usbprint;Класс принтеров Microsoft USB;C:WINDOWSsystem32DRIVERSusbprint.sys [2008-04-14 25856][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85b-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — G:LaunchU3.exe -a[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{820bf85c-68ec-11dd-88e6-001d721a7948}]
ShellAutoRuncommand — evkq381.com
ShellexploreCommand — evkq381.com
ShellopenCommand — evkq381.com[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{942ffed1-90fd-11dd-894b-001d721a7948}]
ShellAutoRuncommand — H:
ShellopenCommand — rundll32.exe .\scdrnru.dll,InstallM
.
Contents of the ‘Scheduled Tasks’ folder2008-10-06 C:WINDOWSTasksParetoLogic Anti-Spyware.job
— C:Program FilesParetoLogicAnti-SpywarePareto_AS.exe [2007-04-02 16:40]2008-10-06 C:WINDOWSTasksParetoLogic Update.job
— C:Program FilesCommon FilesParetoLogicUUSPareto_Update.exe [2007-08-01 13:39]2008-10-05 C:WINDOWSTasksUser_Feed_Synchronization-{1F20AC20-8159-4105-9DA9-46BAE8E5D3BF}.job
— C:WINDOWSsystem32msfeedssync.exe [2007-08-13 18:36]
.
— — — — ORPHANS REMOVED — — — —HKLM-Run-eLockMonitor — C:AcerEmpowering TechnologyeLockMonitorLaunchMonitor.exe
.
Supplementary Scan
.
R0 -: HKCU-Main,Start Page = hxxp://www.msn.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = hxxp://www.msn.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
O8 -: &Download by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/201
O8 -: &Grab video by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/204
O8 -: &Экспорт в Microsoft Excel — C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O8 -: Do&wnload selected by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/203
O8 -: Down&load all by Orbit — C:Program FilesOrbitdownloaderorbitmxt.dll/202
O8 -: Добавить в Rambler-Закладки — C:Program FilesRambler AssistantramblertoolbarU0.dll/zakladki.htm
O8 -: Закачать ВСЕ при помощи Download Master — C:Program FilesDownload Masterdmieall.htm
O8 -: Закачать при помощи Download Master — C:Program FilesDownload Masterdmie.htm
O8 -: Найти в интернете — C:Program FilesMail.RuSputnikMailRuSputnik.dll/282
O8 -: Найти в словарях — C:Program FilesMail.RuSputnikMailRuSputnik.dll/283
O8 -: Найти с помощью Рамблера — C:Program FilesRambler AssistantramblertoolbarU0.dll/search.htm
O8 -: Перевести с помощью словарей Рамблера — C:Program FilesRambler AssistantramblertoolbarU0.dll/dic.htm
O8 -: Поиск@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll/SEARCH.HTM
O8 -: Словари@Mail.Ru — C:Program FilesMail.RuSputnikMailRuSputnik.dll/TRANSLATE.HTM
O9 -: {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe
O9 -: {7558B7E5-7B26-4201-BEDB-00D5FF534523} — C:Program FilesMail.RuAgentmagent.exe —
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} — C:Program FilesDownload Masterdmaster.exe —
O18 -: Handler: hiro — {50BA1131-168F-4c08-A69B-4012273F222E} — %~$path:i
.**************************************************************************
catchme 0.3.1361 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 21:53:31
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Other Running Processes
.
C:WINDOWSsystem32agrsmsvc.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAANTmon.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:WINDOWSsystem32igfxsrvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesCyberLinkShared FilesRichVideo.exe
C:Program FilesAlcohol SoftAlcohol 120StarWindStarWindServiceAE.exe
C:WINDOWSsystem32wbemwmiapsrv.exe
C:AcerEmpowering TechnologyeLockServiceeLockServ.exe
C:PROGRA~1COMMON~1NokiaMPAPIMPAPI3s.exe
C:WINDOWSsystem32igfxext.exe
C:DOCUME~11LOCALS~1TempRtkBtMnt.exe
C:AcerEmpowering TechnologyAcer.Empowering.Framework.Launcher.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
C:WINDOWSsystem32wbemunsecapp.exe
C:Program FilesHPDigital Imagingbinhpqste08.exe
.
**************************************************************************
.
Completion time: 2008-10-06 22:01:16 — machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 16:01:04Pre-Run: 1 511 211 008 ???? ????????
Post-Run: 2,583,867,392 ???? ????????308 — E O F — 2008-09-10 14:48:49
