SPYWARE-RU.COM

SIERUS


Forum replies created

Viewing 2 posts - 1 through 2 (of 2 total)

  • July 16, 2009 at 4:45 pm, in reply to: Help me remove pop-up banners #24945
    SIERUS
    Participant
    • Topics: 2
    • Replies: 4

    ComboFix 09-07-14.08 - 1 16.07.2009 20:36.3.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2047.1446 [GMT 4:00]
    Running from: c:\documents and settings\1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\1\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\program files\Adobe\adrouter.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Adobe\adrouter.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
    .

    2009-07-16 15:52 . 2009-07-16 15:53 -------- d-----w- C:\rsit
    2009-07-16 15:14 . 2009-07-16 15:14 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Help
    2009-07-16 15:10 . 2009-07-16 15:23 -------- d-----w- c:\program files\Ad Muncher
    2009-07-16 14:56 . 2009-07-16 14:56 -------- d-----w- c:\program files\Trend Micro
    2009-07-16 13:15 . 2009-07-16 14:37 -------- d-----w- c:\program files\AdStopper
    2009-07-16 12:45 . 2009-07-16 13:14 -------- d-----w- c:\program files\Street Fighter IV
    2009-07-15 17:01 . 2009-07-15 17:01 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\ESET
    2009-07-15 16:50 . 2009-07-15 16:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2009-07-15 16:38 . 2009-07-15 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
    2009-07-15 11:27 . 2009-07-15 11:27 -------- d-----w- C:\Panchira.Teacher.1-2.[DVD]
    2009-07-15 11:18 . 2009-07-15 11:20 -------- d-----w- C:\Dark Chapel ep. 1 of 2
    2009-07-06 18:50 . 2009-07-06 18:52 -------- d-----w- C:\50 Cent-Forever King-2009
    2009-07-05 16:16 . 2001-08-17 18:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-07-05 16:16 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-07-05 10:13 . 2009-07-05 10:30 -------- d-----w- c:\documents and settings\1\DoctorWeb
    2009-07-05 10:12 . 2009-07-15 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
    2009-07-05 10:12 . 2009-07-16 11:44 -------- d-----w- c:\program files\DrWeb
    2009-07-04 21:02 . 2009-07-04 21:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdSubscribe
    2009-07-04 20:59 . 2009-07-14 17:09 -------- d-----w- c:\documents and settings\1\Application Data\AdSubscribe
    2009-06-22 10:36 . 2009-06-22 10:36 10134 ----a-r- c:\documents and settings\1\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
    2009-06-22 10:36 . 2009-06-22 10:36 -------- d-----w- c:\program files\Microsoft WSE
    2009-06-22 10:31 . 2009-06-22 10:35 -------- d-----w- C:\The Sims 3
    2009-06-22 06:06 . 2009-06-22 06:28 -------- d-----w- C:\Terminator.4
    2009-06-17 21:21 . 2009-06-17 21:21 -------- d-----w- C:\50 Cent - War Angel LP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-16 14:38 . 2008-08-26 15:41 -------- d-----w- c:\program files\Google
    2009-07-16 14:38 . 2009-03-10 14:16 -------- d-----w- c:\program files\OpenAL
    2009-07-16 14:38 . 2008-07-18 15:33 -------- d-----w- c:\documents and settings\1\Application Data\uTorrent
    2009-07-15 16:38 . 2008-07-17 13:19 -------- d-----w- c:\program files\ESET
    2009-07-09 09:24 . 2009-04-14 15:17 87784 ----a-w- c:\documents and settings\1\Application Data\fieryads.dat
    2009-06-24 17:28 . 2008-07-18 14:49 -------- d-----w- c:\program files\AnVir Task Manager
    2009-06-23 21:13 . 2008-10-04 18:35 -------- d-----w- c:\program files\BearShare
    2009-06-22 10:31 . 2008-07-17 12:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-19 11:11 . 2008-10-05 11:36 81724 ----a-w- c:\windows\War3Unin.dat
    2009-06-16 14:36 . 2004-08-03 20:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-15 20:38 . 2009-06-15 20:38 124 ----a-w- c:\documents and settings\1\Local Settings\Application Data\fusioncache.dat
    2009-06-14 21:36 . 2008-11-12 15:33 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-06-14 06:07 . 2009-03-01 08:42 -------- d-----w- c:\documents and settings\1\Application Data\DAEMON Tools Lite
    2009-06-14 06:06 . 2008-11-12 15:33 -------- d-----w- c:\program files\DAEMON Tools Toolbar
    2009-06-14 06:03 . 2008-07-18 15:18 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-06-11 21:22 . 2009-06-11 21:22 -------- d-----w- c:\documents and settings\1\Application Data\Activision
    2009-06-07 12:40 . 2009-06-07 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ice-pick Lodge
    2009-06-07 12:30 . 2009-06-07 12:30 -------- d-----w- c:\program files\ND Games
    2009-06-03 19:09 . 2004-08-03 20:56 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-28 12:37 . 2009-03-17 14:49 -------- d-----w- c:\documents and settings\1\Application Data\Grand Ages Rome
    2009-05-23 14:59 . 2008-12-05 20:39 8 ----a-w- c:\windows\system32\nvModes.dat
    2009-05-23 14:58 . 2009-05-23 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-05-17 19:40 . 2008-07-20 08:00 -------- d-----w- c:\program files\Common Files\Adobe
    2009-05-14 11:49 . 2009-05-14 11:49 94360 ------w- c:\windows\system32\drivers\epfwtdir.sys
    2009-05-14 11:47 . 2009-05-14 11:47 107256 ------w- c:\windows\system32\drivers\ehdrv.sys
    2009-05-14 11:41 . 2009-05-14 11:41 114472 ------w- c:\windows\system32\drivers\eamon.sys
    2009-05-11 19:16 . 2009-05-11 19:16 316816 ----a-w- c:\windows\system32\appdrvrem01.exe
    2009-05-11 19:16 . 2009-05-11 19:16 2997872 ----a-w- c:\windows\system32\drivers\appdrv01.sys
    2009-05-11 13:27 . 2008-11-12 15:22 8704 ----a-w- c:\windows\system32\drivers\FStarForce.sys
    2009-05-09 16:58 . 2009-05-07 14:58 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2009-05-09 16:58 . 2009-05-07 14:58 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2009-05-07 15:32 . 2004-08-03 20:56 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:46 . 2004-08-03 20:56 666624 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:46 . 2004-08-03 20:56 81920 ----a-w- c:\windows\system32\ieencode.dll
    2008-03-09 03:25 . 2008-07-19 15:14 236 ---ha-w- c:\program files\Common Files\dx.reg
    2009-06-20 10:38 . 2008-07-18 13:36 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ------- Sigcheck -------

    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2004-08-03 19:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
    [-] 2009-02-13 11:08 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-07-16_12.41.16 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-03 20:56 . 2008-04-14 00:12 111104 c:\windows\system32\dllcache\wiavideo.dll
    + 2009-01-18 12:05 . 2009-01-18 12:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\JP2KLib.dll
    + 2008-12-05 20:56 . 2009-07-16 14:38 1477468 c:\windows\system32\Restore\rstrlog.dat
    + 2009-07-16 13:27 . 2009-07-16 13:27 6653952 c:\windows\Installer\5f2e89.msp
    + 2009-02-27 08:39 . 2009-02-27 08:39 1302760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\JSByteCodeWin.bin
    + 2008-12-18 12:48 . 2008-12-18 12:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\authplay.dll
    + 2009-02-27 12:37 . 2009-02-27 12:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{95289393-33EA-4F8D-B952-483415B9C955}"= "c:\documents and settings\1\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll" [2008-12-30 131072]

    [HKEY_CLASSES_ROOT\clsid\{95289393-33ea-4f8d-b952-483415b9c955}]
    [HKEY_CLASSES_ROOT\qipbar.QIPBHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{45FF696B-5284-4781-B2CA-ECF3A742A17B}]
    [HKEY_CLASSES_ROOT\qipbar.QIPBHO]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
    2008-12-30 12:56 131072 ----a-w- c:\documents and settings\1\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-01-21 3117856]

    [HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-01-21 3117856]

    [HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "AnVir Task Manager"="c:\program files\AnVir Task Manager\AnVir.exe" [2006-06-25 410624]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
    "PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 1306624]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
    "RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "mouseElf"="c:\progra~1\TWINTO~1\MouseElf.EXE" [2004-08-25 192512]
    "LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
    "EPSON Stylus CX4100 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.EXE" [2005-03-08 98304]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "ioCentre"="c:\genius\ioCentre\gTaskBar.exe" [2007-01-19 61440]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "adstopper"="c:\program files\AdStopper\AdStopperTrayApp.exe" [2009-04-08 588800]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2008-7-20 155753]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\GTA4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
    "c:\\GTA4\\Grand Theft Auto IV\\GTAIV.exe"=
    "e:\\CS1.6\\SteamApps\\sierus1\\condition zero\\hl.exe"=
    "e:\\Hellgate\\Launcher.exe"=
    "e:\\QIP\\qip.exe"=
    "e:\\GTA 4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
    "c:\\Program Files\\Akella\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
    "c:\\Program Files\\Akella\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7400:TCP"= 7400:TCP:WAR BL
    "6112:TCP"= 6112:TCP:Warcraft 3
    "678:TCP"= 678:TCP:*:Disabled:warcraft 3

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05.07.2006 16:46 63352]
    R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [11.05.2009 23:16 2997872]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.2009 15:47 107256]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.2009 15:47 731840]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [17.07.2008 16:56 38656]
    R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [12.11.2008 19:22 8704]
    R3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\drivers\gHidPnp.sys [09.02.2009 16:10 14848]
    R3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\drivers\gMouUsb.sys [09.02.2009 16:10 9984]
    S3 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
    S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [19.07.2008 18:14 6656]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [07.11.2007 0:22 34064]

    - Other Services/Drivers In Memory -

    *NewlyCreated* - GTNDIS5
    *Deregistered* - BootScreen
    .
    - - - - ORPHANS REMOVED - - - -

    ShellIconOverlayIdentifiers-{E2085722-3AC0-4411-A14B-906AFE1A75C4} - c:\program files\Adobe\adrouter.dll

    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://search.qip.ru
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
    IE: Download with &Shareaza - c:\program files\BearShare MP3\Plugins\RazaWebHook.dll/3000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-16 20:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0458&Pid_0048&MI_01&Col01\7&5787a31&0&0000\LogConf]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2400)
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
    c:\windows\system32\ConnAPI.DLL
    c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\TGTSoft\StyleXP\StyleXPService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
    c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
    c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    c:\windows\system32\rundll32.exe
    c:\progra~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-16 20:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-16 16:44
    ComboFix2.txt 2009-07-16 16:21
    ComboFix3.txt 2009-07-16 12:42

    Pre-Run: 95 512 477 696 bytes free
    Post-Run: 95 517 405 184 bytes free

    247 - E O F - 2009-07-16 10:04

  • July 16, 2009 at 4:22 pm, in reply to: Help me remove pop-up banners #24946
    SIERUS
    Participant
    • Topics: 2
    • Replies: 4

    Here is the log from ComboFix

    ComboFix 09-07-14.08 - 1 16.07.2009 20:15.2.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2047.1367 [GMT 4:00]
    Running from: c:\documents and settings\1\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
    .

    2009-07-16 15:52 . 2009-07-16 15:53 -------- d-----w- C:\rsit
    2009-07-16 15:14 . 2009-07-16 15:14 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Help
    2009-07-16 15:10 . 2009-07-16 15:23 -------- d-----w- c:\program files\Ad Muncher
    2009-07-16 14:56 . 2009-07-16 14:56 -------- d-----w- c:\program files\Trend Micro
    2009-07-16 13:15 . 2009-07-16 14:37 -------- d-----w- c:\program files\AdStopper
    2009-07-16 12:45 . 2009-07-16 13:14 -------- d-----w- c:\program files\Street Fighter IV
    2009-07-15 17:01 . 2009-07-15 17:01 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\ESET
    2009-07-15 16:50 . 2009-07-15 16:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2009-07-15 16:38 . 2009-07-15 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
    2009-07-15 11:27 . 2009-07-15 11:27 -------- d-----w- C:\Panchira.Teacher.1-2.[DVD]
    2009-07-15 11:18 . 2009-07-15 11:20 -------- d-----w- C:\Dark Chapel ep. 1 of 2
    2009-07-06 18:50 . 2009-07-06 18:52 -------- d-----w- C:\50 Cent-Forever King-2009
    2009-07-05 16:16 . 2001-08-17 18:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-07-05 16:16 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-07-05 10:13 . 2009-07-05 10:30 -------- d-----w- c:\documents and settings\1\DoctorWeb
    2009-07-05 10:12 . 2009-07-15 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
    2009-07-05 10:12 . 2009-07-16 11:44 -------- d-----w- c:\program files\DrWeb
    2009-07-04 21:02 . 2009-07-04 21:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdSubscribe
    2009-07-04 20:59 . 2009-07-14 17:09 -------- d-----w- c:\documents and settings\1\Application Data\AdSubscribe
    2009-06-22 10:36 . 2009-06-22 10:36 10134 ----a-r- c:\documents and settings\1\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
    2009-06-22 10:36 . 2009-06-22 10:36 -------- d-----w- c:\program files\Microsoft WSE
    2009-06-22 10:31 . 2009-06-22 10:35 -------- d-----w- C:\The Sims 3
    2009-06-22 06:06 . 2009-06-22 06:28 -------- d-----w- C:\Terminator.4
    2009-06-17 21:21 . 2009-06-17 21:21 -------- d-----w- C:\50 Cent - War Angel LP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-16 14:38 . 2008-08-26 15:41 -------- d-----w- c:\program files\Google
    2009-07-16 14:38 . 2009-03-10 14:16 -------- d-----w- c:\program files\OpenAL
    2009-07-16 14:38 . 2008-07-18 15:33 -------- d-----w- c:\documents and settings\1\Application Data\uTorrent
    2009-07-15 16:38 . 2008-07-17 13:19 -------- d-----w- c:\program files\ESET
    2009-07-09 09:24 . 2009-04-14 15:17 87784 ----a-w- c:\documents and settings\1\Application Data\fieryads.dat
    2009-06-24 17:28 . 2008-07-18 14:49 -------- d-----w- c:\program files\AnVir Task Manager
    2009-06-23 21:13 . 2008-10-04 18:35 -------- d-----w- c:\program files\BearShare
    2009-06-22 10:31 . 2008-07-17 12:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-19 11:11 . 2008-10-05 11:36 81724 ----a-w- c:\windows\War3Unin.dat
    2009-06-16 14:36 . 2004-08-03 20:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-15 20:38 . 2009-06-15 20:38 124 ----a-w- c:\documents and settings\1\Local Settings\Application Data\fusioncache.dat
    2009-06-14 21:36 . 2008-11-12 15:33 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-06-14 06:07 . 2009-03-01 08:42 -------- d-----w- c:\documents and settings\1\Application Data\DAEMON Tools Lite
    2009-06-14 06:06 . 2008-11-12 15:33 -------- d-----w- c:\program files\DAEMON Tools Toolbar
    2009-06-14 06:03 . 2008-07-18 15:18 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-06-11 21:22 . 2009-06-11 21:22 -------- d-----w- c:\documents and settings\1\Application Data\Activision
    2009-06-07 12:40 . 2009-06-07 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ice-pick Lodge
    2009-06-07 12:30 . 2009-06-07 12:30 -------- d-----w- c:\program files\ND Games
    2009-06-03 19:09 . 2004-08-03 20:56 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-28 12:37 . 2009-03-17 14:49 -------- d-----w- c:\documents and settings\1\Application Data\Grand Ages Rome
    2009-05-23 14:59 . 2008-12-05 20:39 8 ----a-w- c:\windows\system32\nvModes.dat
    2009-05-23 14:58 . 2009-05-23 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-05-17 19:40 . 2008-07-20 08:00 -------- d-----w- c:\program files\Common Files\Adobe
    2009-05-14 11:49 . 2009-05-14 11:49 94360 ------w- c:\windows\system32\drivers\epfwtdir.sys
    2009-05-14 11:47 . 2009-05-14 11:47 107256 ------w- c:\windows\system32\drivers\ehdrv.sys
    2009-05-14 11:41 . 2009-05-14 11:41 114472 ------w- c:\windows\system32\drivers\eamon.sys
    2009-05-11 19:16 . 2009-05-11 19:16 316816 ----a-w- c:\windows\system32\appdrvrem01.exe
    2009-05-11 19:16 . 2009-05-11 19:16 2997872 ----a-w- c:\windows\system32\drivers\appdrv01.sys
    2009-05-11 13:27 . 2008-11-12 15:22 8704 ----a-w- c:\windows\system32\drivers\FStarForce.sys
    2009-05-09 16:58 . 2009-05-07 14:58 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2009-05-09 16:58 . 2009-05-07 14:58 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2009-05-07 15:32 . 2004-08-03 20:56 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:46 . 2004-08-03 20:56 666624 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:46 . 2004-08-03 20:56 81920 ----a-w- c:\windows\system32\ieencode.dll
    2008-03-09 03:25 . 2008-07-19 15:14 236 ---ha-w- c:\program files\Common Files\dx.reg
    2009-06-20 10:38 . 2008-07-18 13:36 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ------- Sigcheck -------

    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2004-08-03 19:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
    [-] 2009-02-13 11:08 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-07-16_12.41.16 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-03 20:56 . 2008-04-14 00:12 111104 c:\windows\system32\dllcache\wiavideo.dll
    + 2009-01-18 12:05 . 2009-01-18 12:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\JP2KLib.dll
    + 2008-12-05 20:56 . 2009-07-16 14:38 1477468 c:\windows\system32\Restore\rstrlog.dat
    + 2009-07-16 13:27 . 2009-07-16 13:27 6653952 c:\windows\Installer\5f2e89.msp
    + 2009-02-27 08:39 . 2009-02-27 08:39 1302760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\JSByteCodeWin.bin
    + 2008-12-18 12:48 . 2008-12-18 12:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\authplay.dll
    + 2009-02-27 12:37 . 2009-02-27 12:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79401B7449A0100000010\9.1.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{95289393-33EA-4F8D-B952-483415B9C955}"= "c:\documents and settings\1\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll" [2008-12-30 131072]

    [HKEY_CLASSES_ROOT\clsid\{95289393-33ea-4f8d-b952-483415b9c955}]
    [HKEY_CLASSES_ROOT\qipbar.QIPBHO.1]
    [HKEY_CLASSES_ROOT\TypeLib\{45FF696B-5284-4781-B2CA-ECF3A742A17B}]
    [HKEY_CLASSES_ROOT\qipbar.QIPBHO]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
    2008-12-30 12:56 131072 ----a-w- c:\documents and settings\1\Application Data\Microsoft\Internet Explorer\qipsearchbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-01-21 3117856]

    [HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-01-21 3117856]

    [HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
    [HKEY_CLASSES_ROOT\Yandex.Toolbar]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AdRouter]
    @="{E2085722-3AC0-4411-A14B-906AFE1A75C4}"
    [HKEY_CLASSES_ROOT\CLSID\{E2085722-3AC0-4411-A14B-906AFE1A75C4}]
    2009-07-13 20:46 98304 ----a-w- c:\program files\Adobe\adrouter.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "AnVir Task Manager"="c:\program files\AnVir Task Manager\AnVir.exe" [2006-06-25 410624]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
    "PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 1306624]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
    "RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "mouseElf"="c:\progra~1\TWINTO~1\MouseElf.EXE" [2004-08-25 192512]
    "LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
    "EPSON Stylus CX4100 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEP.EXE" [2005-03-08 98304]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "ioCentre"="c:\genius\ioCentre\gTaskBar.exe" [2007-01-19 61440]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "adstopper"="c:\program files\AdStopper\AdStopperTrayApp.exe" [2009-04-08 588800]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2008-7-20 155753]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\program files\TGTSoft\StyleXP\Logon\CurrentLogon.EXE"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\GTA4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
    "c:\\GTA4\\Grand Theft Auto IV\\GTAIV.exe"=
    "e:\\CS1.6\\SteamApps\\sierus1\\condition zero\\hl.exe"=
    "e:\\Hellgate\\Launcher.exe"=
    "e:\\QIP\\qip.exe"=
    "e:\\GTA 4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
    "c:\\Program Files\\Akella\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
    "c:\\Program Files\\Akella\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7400:TCP"= 7400:TCP:WAR BL
    "6112:TCP"= 6112:TCP:Warcraft 3
    "678:TCP"= 678:TCP:*:Disabled:warcraft 3

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05.07.2006 16:46 63352]
    R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [11.05.2009 23:16 2997872]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.05.2009 15:47 107256]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.05.2009 15:47 731840]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [17.07.2008 16:56 38656]
    R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [12.11.2008 19:22 8704]
    R3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\drivers\gHidPnp.sys [09.02.2009 16:10 14848]
    R3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\drivers\gMouUsb.sys [09.02.2009 16:10 9984]
    S3 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
    S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [19.07.2008 18:14 6656]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [07.11.2007 0:22 34064]

    - Other Services/Drivers In Memory -

    *Deregistered* - BootScreen
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = hxxp://search.qip.ru
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
    IE: Download with &Shareaza - c:\program files\BearShare MP3\Plugins\RazaWebHook.dll/3000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-16 20:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0458&Pid_0048&MI_01&Col01\7&5787a31&0&0000\LogConf]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3756)
    c:\program files\Adobe\adrouter.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\TGTSoft\StyleXP\TGT_BHO.dll
    c:\progra~1\MICROS~2\OFFICE11\msohev.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.RUS
    .
    Completion time: 2009-07-16 20:21
    ComboFix-quarantined-files.txt 2009-07-16 16:21
    ComboFix2.txt 2009-07-16 12:42

    Pre-Run: 95 489 384 448 bytes free
    Post-Run: 95 508 541 440 bytes free

    227 - E O F - 2009-07-16 10:04
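The two logs above are read in a fixed order by anyone triaging them: the Sigcheck block (the live c:\windows\system32\drivers\tcpip.sys carries a hash that matches none of the eight backup copies, hence the [-] mark), then the registry loading points, where the first run shows adrouter.dll registered as a ShellIconOverlayIdentifiers handler and, because Explorer loads every registered overlay handler at logon, the same DLL sitting inside explorer.exe; the second run, after the CFScript deletion, shows neither. The Python below is an added example and is not code from SIERUS's post or from ComboFix; it automates exactly those two reads. SAMPLE_LOG is assembled from lines of the logs above with the backslashes the forum stripped restored, and the function names are this example's own.

```python
"""Triage helpers for a ComboFix log (added example, not from the forum post).
Pulls what a responder reads first: Sigcheck copies whose MD5 matches no verified
copy of the same file, and ShellIconOverlayIdentifiers registrations cross-checked
against the DLLs ComboFix saw loaded in explorer.exe. SAMPLE_LOG is assembled
from lines of the posted logs with the stripped backslashes restored."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2009-02-13 11:08 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AdRouter]
@="{E2085722-3AC0-4411-A14B-906AFE1A75C4}"
[HKEY_CLASSES_ROOT\CLSID\{E2085722-3AC0-4411-A14B-906AFE1A75C4}]
2009-07-13 20:46 98304 ----a-w- c:\program files\Adobe\adrouter.dll

- - - - - - - > 'explorer.exe'(3756)
c:\program files\Adobe\adrouter.dll
c:\windows\IME\SPGRMR.DLL
.
"""

SIGCHECK_RE = re.compile(r'^\[(?P<mark>[^\]]+)\]\s+(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+'
                         r'(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*)$')
FILE_LINE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+\S{8}\s+(?P<path>\S.*)$')
CLSID_DEFAULT_RE = re.compile(r'^@="(?P<clsid>\{[0-9A-Fa-f-]+\})"$')


def _key_scoped_lines(log):
    """Yield (registry key currently open or None, stripped line) for non-empty lines."""
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line
        elif line:
            yield key, line


def parse_sigcheck(log):
    """One dict per Sigcheck line; ComboFix marks a copy it verified [7], otherwise [-]."""
    out = []
    for raw in log.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m:
            out.append({**m.groupdict(), 'size': int(m['size']), 'md5': m['md5'].upper()})
    return out


def unverified_system_files(entries):
    """Copies not marked [7] whose MD5 matches none of the [7] copies of the same file
    name. A mismatch proves the file was modified, not that it is malicious: look the
    hash up before acting on it."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e['path'].rsplit('\\', 1)[-1].lower()].append(e)
    flagged = []
    for copies in by_name.values():
        known = {c['md5'] for c in copies if c['mark'] == '7'}
        flagged += [{**c, 'known_good_md5s': sorted(known)}
                    for c in copies if c['mark'] != '7' and c['md5'] not in known]
    return flagged


def parse_shell_icon_overlays(log):
    """[(name, clsid, dll)] per overlay handler; the DLL is read from the CLSID key
    ComboFix prints right after the registration (None if it printed none)."""
    overlays, inproc = {}, {}
    for key, line in _key_scoped_lines(log):
        if key is None:
            continue
        leaf = key.rsplit('\\', 1)[-1][:-1]   # last key component, closing ']' dropped
        if '\\shelliconoverlayidentifiers\\' in key.lower() and CLSID_DEFAULT_RE.match(line):
            overlays[leaf] = CLSID_DEFAULT_RE.match(line)['clsid'].upper()
        elif key.lower().startswith('[hkey_classes_root\\clsid\\{') and FILE_LINE_RE.match(line):
            inproc[leaf.upper()] = FILE_LINE_RE.match(line)['path']
    return [(name, clsid, inproc.get(clsid)) for name, clsid in overlays.items()]


def explorer_loaded_dlls(log):
    """Paths listed under 'explorer.exe' in ComboFix's DLLs-loaded section."""
    dlls, active = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith('-') and "'explorer.exe'" in line:
            active = True
        elif active and line and line != '.':
            dlls.append(line)
        elif active:
            break
    return dlls


def triage(log):
    """Summary a responder can read or assert on."""
    loaded = {p.lower() for p in explorer_loaded_dlls(log)}
    return {
        'unverified_system_files': unverified_system_files(parse_sigcheck(log)),
        'shell_icon_overlays': [
            {'name': n, 'clsid': c, 'dll': d, 'loaded_in_explorer': bool(d) and d.lower() in loaded}
            for n, c, d in parse_shell_icon_overlays(log)],
    }
```

Run `triage(SAMPLE_LOG)` and it returns the live tcpip.sys with its hash and the two verified hashes it failed to match, plus the AdRouter overlay with `loaded_in_explorer` True; feeding it the second log's text (no overlay key, no adrouter.dll under explorer.exe) returns an empty overlay list, which is the check a responder makes after the CFScript run. The Sigcheck comparison deliberately stops at "modified, hash not in the backup set"; whether that tcpip.sys is hostile is a question for a hash lookup, not for this script.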


Copyright © 2008 - 2024 Spyware-RU.com (en)