Созданные ответы форума
-
Сообщения
-
Пробовал вчера.
ComboFix 08-11-14.01 — user 2008-11-16 10:25:24.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1049.18.670 [GMT 3:00]
Running from: d:catvVideoПрограммыComboFix.exe
* Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.2008-11-13 12:11 . 2008-11-13 13:07
d
c:program filesTV Abonent 2008
2008-11-12 13:37 . 2008-10-24 14:21 455,296
c— c:windowssystem32dllcachemrxsmb.sys
2008-11-12 13:36 . 2008-09-04 20:17 1,106,944
c— c:windowssystem32dllcachemsxml3.dll
2008-11-07 18:48 . 2008-11-07 18:48d
c:documents and settingsГостьApplication DataLogitech
2008-11-02 19:29 . 2008-11-02 19:29d
c:documents and settingsAll UsersApplication DataLogiShrd
2008-11-02 19:28 . 2008-11-02 19:28d
c:documents and settingsuserApplication DataLogitech
2008-11-02 19:27 . 2008-11-02 19:27 0 —ah
c:windowssystem32driversMsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-02 19:27 . 2008-11-02 19:27 0 —ah
c:windowssystem32driversMsft_Kernel_LMouFilt_01005.Wdf
2008-11-02 19:25 . 2008-05-02 02:38 301,656 —a
c:windowssystem32BtCoreIf.dll
2008-11-02 19:25 . 2008-05-02 02:39 170,512 —a
c:windowssystem32kemutb.dll
2008-11-02 19:25 . 2008-05-02 02:39 145,936 —a
c:windowssystem32KemUtil.dll
2008-11-02 19:25 . 2008-05-02 02:40 117,264 —a
c:windowssystem32KemWnd.dll
2008-11-02 19:25 . 2008-05-02 02:40 84,496 —a
c:windowssystem32KemXML.dll
2008-11-02 19:24 . 2008-11-02 19:24d
c:program filesLogitech
2008-11-02 19:24 . 2008-11-02 19:26d
c:program filesCommon FilesLogishrd
2008-11-02 19:24 . 2008-11-02 19:24d
c:documents and settingsAll UsersApplication DataLogitech
2008-10-25 13:12 . 2008-10-25 13:12d
c:documents and settingsГостьApplication DataPROject MT
2008-10-25 10:58 . 2008-10-15 19:37 337,408
c— c:windowssystem32dllcachenetapi32.dll.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 07:30
d
w c:program filesDrWeb
2008-11-15 11:56
d
w c:program filesjv16 PowerTools
2008-11-14 09:22
d
w c:documents and settingsAll UsersApplication DataFLEXnet
2008-11-02 16:24
d—h—w c:program filesInstallShield Installation Information
2008-10-24 11:21 455,296 —-a-w c:windowssystem32driversmrxsmb.sys
2008-10-21 11:55
d
w c:program filesMicrosoft Silverlight
2008-09-30 13:43 1,286,152 —-a-w c:windowssystem32msxml4.dll
2008-09-24 06:46
d
w c:program filesICQ6
2008-09-24 06:46
d
w c:documents and settingsuserApplication DataICQ
2008-09-24 06:37
d
w c:documents and settingsuserApplication DataInstallShield
2008-09-19 09:05
d
w c:documents and settingsГостьApplication DataAgnitum
2008-09-19 04:04
d
w c:program filesASPMonitor
2008-09-18 16:47
d
w c:documents and settingsuserApplication DataAgnitum
2008-09-18 16:45
d
w c:program filesAgnitum
2008-09-18 16:45
d
w c:documents and settingsAll UsersApplication DataAgnitum
2008-09-16 03:37
d
w c:documents and settingsuserApplication DataPROject MT
2008-09-15 15:27 1,846,528 —-a-w c:windowssystem32win32k.sys
2008-09-13 14:45 73,728 —-atw c:windowssystem32DRWEBSP.DLL
2008-09-10 01:15 1,307,648
w c:windowssystem32msxml6.dll
2008-09-04 17:17 1,106,944 —-a-w c:windowssystem32msxml3.dll
2008-08-26 08:26 826,368 —-a-w c:windowssystem32wininet.dll
.
Sigcheck
2008-04-14 20:41 509440 b3b5d5855127e240c88451030aaee76e c:windowsServicePackFilesi386winlogon.exe
2008-08-06 23:47 509440 fad4579b18a9e134b5bac0a88874e2fd c:windowssystem32winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE~Browser Helper Objects{B4806C1A-FE8A-4008-9DA3-8CEDB6E82C10}]
2008-03-20 15:28 2469888 —a
c:program filesWebMoney Advisorwmadvisor.dll[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
«{3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840}»= «c:program filesWebMoney Advisorwmadvisor.dll» [2008-03-20 2469888][HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
«{3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840}»= «c:program filesWebMoney Advisorwmadvisor.dll» [2008-03-20 2469888][HKEY_CLASSES_ROOTclsid{3affd7f7-fd3d-4c9d-8f83-03296a1a8840}]
[HKEY_CLASSES_ROOTTBSB03223.TBSB03223.3]
[HKEY_CLASSES_ROOTTypeLib{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOTTBSB03223.TBSB03223][HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-04-14 15360]
«Download Master»=»c:program filesDownload Masterdmaster.exe» [2008-07-01 3282432][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«HControl»=»c:windowsATK0100HControl.exe» [2005-07-07 102400]
«ATIPTA»=»c:program filesATI TechnologiesATI Control Panelatiptaxx.exe» [2005-05-12 344064]
«SynTPEnh»=»c:program filesSynapticsSynTPSynTPEnh.exe» [2005-05-11 708697]
«WHITNEY_S2P»=»c:program filesSamsungSamsung SCX-4×21 SeriesPSUScan2pc.exe» [2006-03-27 229376]
«QuickTime Task»=»c:windowssystem32qttask.exe» [2008-06-08 98304]
«Amicon VPN Client»=»c:program filesAmiconClient FPSU-IPIP-Client.exe» [2007-02-21 495616]
«SpIDerNT»=»c:progra~1DrWebspiderui.exe» [2007-10-01 214552]
«SpIDerMail»=»c:program filesDrWebspiderml.exe» [2007-09-19 361712]
«OutpostMonitor»=»c:progra~1AgnitumOUTPOS~1op_mon.exe» [2008-02-29 1065472]
«OutpostFeedBack»=»c:program filesAgnitumOutpost Firewall Profeedback.exe» [2008-02-29 419144]
«RTHDCPL»=»RTHDCPL.EXE» [2005-07-13 c:windowsRTHDCPL.EXE][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-14 15360][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowsCurrentversionpoliciesexplorerRun]
«application»=»c:program filesASPMonitorASMonitor.exe» [2007-05-28 667136]c:documents and settingsuserѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Total Commander.lnk — c:program filesTotal CommanderTotalcmd.exe [2007-01-25 1058000]c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Firebird Guardian.lnk — d:program filesExpert SystemsQuick Sales 2 FreeFBBinfbguard.exe [2008-09-06 65536]
Logitech SetPoint.lnk — c:program filesLogitechSetPointSetPoint.exe [2008-11-02 805392][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyIntelWireless]
2005-05-31 21:46 110592 c:program filesIntelWirelessBinLgNotify.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyLBTWlgn]
2008-05-02 02:42 72208 c:program filesCommon FilesLogishrdBluetoothLBTWLgn.dll[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«msacm.iac2″= c:progra~1ACEMEG~1SystemSInteliac25_32.ax
«msacm.sl_anet»= c:progra~1ACEMEG~1SystemSsl_anet.acm
«vidc.yv12″= c:progra~1ACEMEG~1SystemSATIatiyuv12.DLL
«vidc.iyuv»= c:progra~1ACEMEG~1SystemSInteliyuv_32.dll
«vidc.yvu9″= c:progra~1ACEMEG~1SystemSIntelIyvu9_32.dll
«vidc.uyvy»= c:progra~1ACEMEG~1SystemSMICROS~1msyuv.dll
«vidc.yuy2″= c:progra~1ACEMEG~1SystemSMICROS~1msyuv.dll
«vidc.yvyu»= c:progra~1ACEMEG~1SystemSMICROS~1msyuv.dll
«msacm.msaudio1″= c:progra~1ACEMEG~1SystemSMICROS~1msaud32.acm
«vidc.vp31″= vp31vfw.dll
«vidc.3iv2″= 3ivxVfWCodec.dll[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdfLoadGroup]
@=»»[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«c:\Program Files\ASPMonitor\ASMonitor.exe»=
«c:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe»=
«c:\Program Files\Total Commander\Totalcmd.exe»=
«c:\Program Files\LDC++\LDCPlusPlus.exe»=
«c:\Program Files\WebMoney\WebMoney.exe»=
«d:\Program Files\Expert Systems\Quick Sales 2 Free\FB\Bin\fbserver.exe»=
«c:\Program Files\ICQ6\ICQ.exe»=R0 Nh;Nh;c:windowssystem32driversNh.sys [2007-04-17 74240]
R1 SandBox;SandBox;c:windowssystem32DRIVERSSandBox.sys [2008-09-18 446976]
R1 tdicf;Amicon TDI filter;c:windowssystem32driverstdicf.sys [2006-02-21 5248]
R2 acssrv;Agnitum Client Security Service;c:progra~1AgnitumOUTPOS~1acs.exe [2008-09-18 1176904]
R2 amupdsvc;Amicon Automatic Updates Service;c:windowssystem32amupdsvc.exe [2006-08-02 53248]
R2 ITECIRService;ITE Remote Control Service;c:windowssystem32RemoteControlService.exe [2008-05-24 656384]
R2 SPIDER;SpIDer Guard File System Monitor;??c:progra~1DrWebspider.sys [2008-09-13 308600]
R2 SPIDERNT;SpIDer Guard for Windows;c:progra~1DrWebspidernt.exe [2008-09-13 218648]
R3 afw;Agnitum firewall driver;c:windowssystem32DRIVERSafw.sys [2008-09-18 206352]
R3 ITECIR;ITE CIR Driver;c:windowssystem32DRIVERSITECIR.sys [2008-05-24 7366]
S2 SSPORT;SSPORT;??c:windowssystem32DriversSSPORT.sys []
S3 Apache2.2;Apache2.2;»c:program filesApache Software FoundationApache2.2binhttpd.exe» -k runservice [2008-01-17 24635]
S3 ASWFilt;ASWFilt;c:windowssystem32FiltASWFilt.dll [2008-09-18 33024]
S3 BKLoad;VPN KeyDevLoader;c:windowssystem32Driversbkload.sys [2006-04-14 81664]
S3 Shipka;VPN KeyDev;c:windowssystem32DriversShipka.sys [2006-06-08 83072]
.
.
Supplementary Scan
.
FireFox -: Profile — c:documents and settingsuserApplication DataMozillaFirefoxProfilesfjg3r8q8.default
FireFox -: prefs.js — STARTUP.HOMEPAGE — http://www.mail.ru
FF -: plugin — c:program filesACE Mega CoDecS PackSystemSRealMediaBrowserpluginsnppl3260.dll
FF -: plugin — c:program filesACE Mega CoDecS PackSystemSRealMediaBrowserpluginsnprpjplug.dll
FF -: plugin — c:program filesAdobeAcrobat 8.0Acrobatbrowsernppdf32.dll
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 10:31:32
Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
Other Running Processes
.
c:windowssystem32ati2evxx.exe
c:program filesIntelWirelessBinEvtEng.exe
c:program filesIntelWirelessBinS24EvMon.exe
c:program filesIntelWirelessBinWLKEEPER.exe
c:program filesIntelWirelessBinZCfgSvc.exe
c:windowssystem32ati2evxx.exe
c:program filesCommon FilesAcronisSchedule2schedul2.exe
c:progra~1IntelWirelessBin1XConfig.exe
c:windowsATKKBService.exe
c:program filesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
c:program filesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe
c:windowssystem32snmptrap.exe
c:program filesMicrosoft SQL Server90Sharedsqlbrowser.exe
c:program filesMicrosoft SQL Server90Sharedsqlwriter.exe
c:program filesCommon FilesAcronisFomatikTrueImageTryStartService.exe
c:windowsATK0100ATKOSD.exe
d:program filesExpert SystemsQuick Sales 2 FreeFBBinfbserver.exe
c:program filesCommon FilesLogishrdKHAL2KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-11-16 10:36:42 — machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 07:36:28
ComboFix2.txt 2008-11-15 11:23:51Pre-Run: 5 806 194 688 байт свободно
Post-Run: 5,741,142,016 байт свободно188 — E O F — 2008-11-12 13:31:37
Очистил временные каталоги при помощи ATF Cleaner by Atribune.
Проверил весь диск при помощи dr.Web и Malwarebytes. Ничего не обнаружено.
При запуске IE, получаю все то же сообщение:
C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5JCNBDN45ihhh[1].htmScript.0 — инфицирован Trojan.Click.20674
Заметил, что это просходит не при каждом заходе на новую страницу, а как-то непериодично.
Вижу через Outpost, что происходит попытка соединения на
«Запрос: HTTP11 GET do.qwertyy.cn/swfobject.js»
или
«Запрос: HTTP11 GET do.qwertyy.cn/office.htm»
или
«Запрос: HTTP11 GET do.qwertyy.cn/ihhh.html»
и т.д., все на do.qwertyy.cn
При этом dr.Web и начинает ругаться.
