Созданные ответы форума
-
Сообщения
-
Валерий, направляю лог
Спасибо за участие
❗ComboFix 09-10-07.05 — INeys 09.10.2009 10:03.8.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.502.177 [GMT 6:00]
Running from: c:documents and settingsINeysРабочий столComboFix.exe
Command switches used :: c:documents and settingsINeysРабочий столCFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}FILE ::
«c:documents and settingsAll UsersApplication Datadonahiwo.dat»
«c:documents and settingsAll UsersApplication Dataujibamij.dat»
«c:documents and settingsINeysApplication Datakicokuwida.dat»
«c:documents and settingsINeysApplication Dataseres.exe»
«c:documents and settingsINeysApplication Datauwyneg.dat»
«c:documents and settingsINeysLocal SettingsApplication Datasiwidaw.dat»
«c:documents and settingsINeysrestorer32_a.exe»
«c:windowsafimukutuh.dat»
«c:windowsbofyrynob.dat»
«c:windowscasipof.dat»
«c:windowshitajype.com»
«c:windowsihyneluv.com»
«c:windowslehiny.dat»
«c:windowsnyjaqikaxu.com»
«c:windowsoqagor.dat»
«c:windowsraxefoki.com»
«c:windowssivu.com»
«c:windowsyjyrudif.dat»
«c:windowsysywaqytob.com»
«c:windowsytowemala.dat»
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAll UsersApplication Datadonahiwo.dat
c:documents and settingsAll UsersApplication Dataujibamij.dat
c:documents and settingsAll Users„®Єг¬Ґвлalutas.vbs
c:documents and settingsAll Users„®Єг¬Ґвлcozecidypu.reg
c:documents and settingsAll Users„®Єг¬Ґвлeqaq.inf
c:documents and settingsAll Users„®Єг¬Ґвлfodohu.bat
c:documents and settingsAll Users„®Єг¬Ґвлvuvyt.bat
c:documents and settingsAll Users„®Єг¬Ґвлwyvumucyh.vbs
c:documents and settingsAll Users„®Єг¬Ґвлxakubumeq.reg
c:documents and settingsAll Users„®Єг¬Ґвлxezip.bat
c:documents and settingsINeysApplication Datakicokuwida.dat
c:documents and settingsINeysApplication Datalizkavd.exe
c:documents and settingsINeysApplication Dataseres.exe
c:documents and settingsINeysApplication Datasvcst.exe
c:documents and settingsINeysApplication Datauwyneg.dat
c:documents and settingsINeysLocal SettingsApplication Datasiwidaw.dat
c:documents and settingsINeysoashdihasidhasuidhiasdhiashdiuasdhasd
c:documents and settingsINeysrestorer32_a.exe
c:windowsafimukutuh.dat
c:windowsbofyrynob.dat
c:windowscasipof.dat
c:windowsehycen._sy
c:windowshitajype.com
c:windowsihyneluv.com
c:windowslehiny.dat
c:windowsnyjaqikaxu.com
c:windowsoqagor.dat
c:windowsraxefoki.com
c:windowssivu.com
c:windowstaky._sy
c:windowsyjyrudif.dat
c:windowsysywaqytob.com
c:windowsytowemala.dat.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.2009-10-06 04:36 . 2009-10-06 04:44
d
w- c:documents and settingsINeysLocal SettingsApplication Datad3drpc32
2009-09-30 19:16 . 2009-09-30 21:33
d
w- c:windowssystem32CatRoot_bak
2009-09-30 06:42 . 2009-09-30 06:42
d
w- c:windowsServicePackFiles
2009-09-30 06:41 . 2009-09-30 06:41
d
w- c:program filesMSXML 6.0
2009-09-30 06:39 . 2009-09-30 06:39
d
w- c:program filesMSXML 4.0
2009-09-30 06:28 . 2009-02-09 11:52 2059520 -c—-w- c:windowssystem32dllcachentkrnlpa.exe
2009-09-30 06:28 . 2009-02-09 11:52 2017792 -c—-w- c:windowssystem32dllcachentkrpamp.exe
2009-09-30 06:28 . 2009-02-09 11:52 2182272 -c—-w- c:windowssystem32dllcachentoskrnl.exe
2009-09-30 06:28 . 2009-02-09 11:52 2138112 -c—-w- c:windowssystem32dllcachentkrnlmp.exe
2009-09-30 05:58 . 2008-06-14 17:59 272512 -c—-w- c:windowssystem32dllcachebthport.sys
2009-09-30 05:58 . 2008-06-14 17:59 272512
w- c:windowssystem32driversbthport.sys
2009-09-30 05:07 . 2008-10-24 11:10 453632 -c—-w- c:windowssystem32dllcachemrxsmb.sys
2009-09-29 10:49 . 2009-10-02 07:11
d
w- c:program filestrend micro
2009-09-29 10:49 . 2009-09-29 10:49
d
w- C:rsit
2009-09-29 09:25 . 2009-09-10 08:54 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2009-09-29 09:25 . 2009-09-10 08:53 19160 —-a-w- c:windowssystem32driversmbam.sys.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 21:01 . 2006-03-02 12:00 65818 —-a-w- c:windowssystem32perfc019.dat
2009-09-30 21:01 . 2006-03-02 12:00 424538 —-a-w- c:windowssystem32perfh019.dat
2009-09-29 09:26 . 2009-03-12 05:04
d
w- c:program filesMalwarebytes’ Anti-Malware
2009-09-22 09:22 . 2009-03-30 05:48
d
w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-09-03 10:39 . 2008-08-29 04:40
d
w- c:program filesCommon FilesSWF Studio
2009-09-03 10:39 . 2006-03-02 12:00 1386496 —-a-w- c:windowssystem32msvbvm60.dll
2009-08-05 09:08 . 2006-03-02 12:00 204800 —-a-w- c:windowssystem32mswebdvd.dll
2009-07-29 04:54 . 2006-03-02 12:00 82432 —-a-w- c:windowssystem32fontsub.dll
2009-07-29 04:54 . 2006-03-02 12:00 119808 —-a-w- c:windowssystem32t2embed.dll
2009-07-17 18:57 . 2006-03-02 12:00 58880 —-a-w- c:windowssystem32atl.dll
2009-07-12 20:18 . 2006-03-02 12:00 233472 —-a-w- c:windowssystem32wmpdxm.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«QIP.Online»=»c:program filesQIP.Onlineqiponline.exe» [2008-12-30 3372032]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«ICQ»=»c:program filesICQ6.5ICQ.exe» [2009-03-01 172792][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IgfxTray»=»c:windowssystem32igfxtray.exe» [2006-10-06 98304]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2006-10-06 114688]
«Persistence»=»c:windowssystem32igfxpers.exe» [2006-10-06 94208]
«ToolBoxFX»=»c:program filesHPToolBoxFXbinHPTLBXFX.exe» [2006-06-15 49152]
«RemoteControl»=»c:program filesCyberLinkPowerDVDPDVDServ.exe» [2004-11-02 32768]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-08-18 1447168]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2009-04-01 6210744]
«Malwarebytes Anti-Malware (reboot)»=»c:program filesMalwarebytes’ Anti-Malwarembam.exe» [2009-09-10 1312080]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2006-11-14 16270848]
«SkyTel»=»SkyTel.EXE» — c:windowsSkyTel.exe [2006-05-16 2879488][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2006-03-02 15360]c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Cisco Systems VPN Client.lnk — c:program filesCisco SystemsVPN Clientvpngui.exe [2008-8-29 1537064]
PGPtray.lnk — c:program filesPGP CorporationPGP for Windows XPPGPtray.exe [2008-8-29 339968]
“бЄ®аҐл© § ЇгбЄ Adobe Reader.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2005-9-24 29696][HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\WINDOWS\system32\xrsslm12.exe»=
«c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«c:\Program Files\ICQ6.5\ICQ.exe»=R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [18.08.2008 14:27 34312]
R2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [18.08.2008 14:25 468224]
R2 PGPdisk;PGPdisk;c:windowssystem32driversPGPdisk.sys [29.08.2008 10:58 169120]
R2 PGPsdkDriver;PGPsdkDriver;c:windowssystem32driversPGPsdk.sys [29.08.2008 10:58 26624]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=40316
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: E&xport to Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
DPF: {D8C8F760-38B2-49C7-B496-EC4DE639C26C} — hxxps://uc.is74.ru/portal/ISHelpers.cab
.**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 10:07
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.]
@Class=»Shell»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithList]
@Class=»Shell»
«a»=»MSPVIEW.EXE»
«MRUList»=»a»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithProgids]
«Ю_auto_file»=hex(0):[HKEY_LOCAL_MACHINEsoftwareClasses.*.]
@=»Ю_auto_file»
.
Completion time: 2009-10-09 10:08
ComboFix-quarantined-files.txt 2009-10-09 04:08
ComboFix2.txt 2009-10-08 04:22
ComboFix3.txt 2009-10-07 03:56
ComboFix4.txt 2009-10-06 04:46
ComboFix5.txt 2009-10-09 04:02Pre-Run: 19 900 305 408 байт свободно
Post-Run: 19 919 691 776 байт свободно177 — E O F — 2009-09-30 21:04
Валерий, вчера все было нормально, сегодня после включения опять появилось то же самое, проделал все как указано выше — не помогает.
Вот лог. Что можно сделать, подскажите пожалуйста!
Спасибо. 😳ComboFix 09-10-04.01 — INeys 06.10.2009 10:39.5.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.502.174 [GMT 6:00]
Running from: c:documents and settingsINeysРабочий столComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAll Users„®Єг¬Ґвлalutas.vbs
c:documents and settingsAll Users„®Єг¬Ґвлcozecidypu.reg
c:documents and settingsAll Users„®Єг¬Ґвлeqaq.inf
c:documents and settingsAll Users„®Єг¬Ґвлfodohu.bat
c:documents and settingsAll Users„®Єг¬Ґвлvuvyt.bat
c:documents and settingsAll Users„®Єг¬Ґвлwyvumucyh.vbs
c:documents and settingsAll Users„®Єг¬Ґвлxakubumeq.reg
c:documents and settingsAll Users„®Єг¬Ґвлxezip.bat
c:documents and settingsINeysApplication Datalizkavd.exe
c:documents and settingsINeysApplication Dataseres.exe
c:documents and settingsINeysApplication Datasvcst.exe
c:documents and settingsINeysLocal SettingsApplication Datad3drpc32d3drpc32.dll
c:documents and settingsINeysoashdihasidhasuidhiasdhiashdiuasdhasd.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.2009-10-06 04:36 . 2009-10-06 04:44
d
w- c:documents and settingsINeysLocal SettingsApplication Datad3drpc32
2009-10-02 07:39 . 2009-10-02 07:39 12080 —-a-w- c:windowsnyjaqikaxu.com
2009-10-01 09:44 . 2009-10-01 09:44 14835 —-a-w- c:windowscasipof.dat
2009-10-01 09:44 . 2009-10-01 09:44 13521 —-a-w- c:windowsafimukutuh.dat
2009-10-01 09:44 . 2009-10-01 09:44 16681 —-a-w- c:windowsoqagor.dat
2009-10-01 09:37 . 2009-10-01 09:37 19771 —-a-w- c:windowshitajype.com
2009-10-01 09:37 . 2009-10-01 09:37 18529 —-a-w- c:windowsytowemala.dat
2009-10-01 09:37 . 2009-10-01 09:37 13127 —-a-w- c:windowsihyneluv.com
2009-09-30 19:16 . 2009-09-30 21:33
d
w- c:windowssystem32CatRoot_bak
2009-09-30 06:42 . 2009-09-30 06:42
d
w- c:windowsServicePackFiles
2009-09-30 06:41 . 2009-09-30 06:41
d
w- c:program filesMSXML 6.0
2009-09-30 06:39 . 2009-09-30 06:39
d
w- c:program filesMSXML 4.0
2009-09-30 06:28 . 2009-02-09 11:52 2059520 -c—-w- c:windowssystem32dllcachentkrnlpa.exe
2009-09-30 06:28 . 2009-02-09 11:52 2017792 -c—-w- c:windowssystem32dllcachentkrpamp.exe
2009-09-30 06:28 . 2009-02-09 11:52 2182272 -c—-w- c:windowssystem32dllcachentoskrnl.exe
2009-09-30 06:28 . 2009-02-09 11:52 2138112 -c—-w- c:windowssystem32dllcachentkrnlmp.exe
2009-09-30 05:58 . 2008-06-14 17:59 272512 -c—-w- c:windowssystem32dllcachebthport.sys
2009-09-30 05:58 . 2008-06-14 17:59 272512
w- c:windowssystem32driversbthport.sys
2009-09-30 05:07 . 2008-10-24 11:10 453632 -c—-w- c:windowssystem32dllcachemrxsmb.sys
2009-09-30 04:26 . 2009-09-30 04:26 10212 —-a-w- c:windowssivu.com
2009-09-29 11:11 . 2009-09-29 11:11 12075 —-a-w- c:documents and settingsINeysLocal SettingsApplication Datasiwidaw.dat
2009-09-29 11:11 . 2009-09-29 11:11 11051 —-a-w- c:windowsraxefoki.com
2009-09-29 10:49 . 2009-10-02 07:11
d
w- c:program filestrend micro
2009-09-29 10:49 . 2009-09-29 10:49
d
w- C:rsit
2009-09-29 10:11 . 2009-09-29 10:11 10769 —-a-w- c:windowsysywaqytob.com
2009-09-29 10:11 . 2009-09-29 10:11 10715 —-a-w- c:windowsyjyrudif.dat
2009-09-29 09:25 . 2009-09-10 08:54 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2009-09-29 09:25 . 2009-09-10 08:53 19160 —-a-w- c:windowssystem32driversmbam.sys
2009-09-29 09:08 . 2009-09-29 09:08 17290 —-a-w- c:windowsbofyrynob.dat
2009-09-29 08:59 . 2009-09-29 08:59 19858 —-a-w- c:windowslehiny.dat
2009-09-29 08:55 . 2009-09-29 08:55 40448 —-a-w- c:documents and settingsINeysrestorer32_a.exe.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 09:37 . 2009-10-01 09:37 19678 —-a-w- c:documents and settingsINeysApplication Datauwyneg.dat
2009-09-30 21:01 . 2006-03-02 12:00 65818 —-a-w- c:windowssystem32perfc019.dat
2009-09-30 21:01 . 2006-03-02 12:00 424538 —-a-w- c:windowssystem32perfh019.dat
2009-09-29 11:11 . 2009-09-29 11:11 18935 —-a-w- c:documents and settingsAll UsersApplication Datadonahiwo.dat
2009-09-29 09:26 . 2009-03-12 05:04
d
w- c:program filesMalwarebytes’ Anti-Malware
2009-09-29 09:08 . 2009-09-29 09:08 18395 —-a-w- c:documents and settingsAll UsersApplication Dataujibamij.dat
2009-09-29 08:59 . 2009-09-29 08:59 12513 —-a-w- c:documents and settingsINeysApplication Datakicokuwida.dat
2009-09-22 09:22 . 2009-03-30 05:48
d
w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-09-03 10:39 . 2008-08-29 04:40
d
w- c:program filesCommon FilesSWF Studio
2009-09-03 10:39 . 2006-03-02 12:00 1386496 —-a-w- c:windowssystem32msvbvm60.dll
2009-08-05 09:08 . 2006-03-02 12:00 204800 —-a-w- c:windowssystem32mswebdvd.dll
2009-07-29 04:54 . 2006-03-02 12:00 82432 —-a-w- c:windowssystem32fontsub.dll
2009-07-29 04:54 . 2006-03-02 12:00 119808 —-a-w- c:windowssystem32t2embed.dll
2009-07-17 18:57 . 2006-03-02 12:00 58880 —-a-w- c:windowssystem32atl.dll
2009-07-12 20:18 . 2006-03-02 12:00 233472 —-a-w- c:windowssystem32wmpdxm.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«QIP.Online»=»c:program filesQIP.Onlineqiponline.exe» [2008-12-30 3372032]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«ICQ»=»c:program filesICQ6.5ICQ.exe» [2009-03-01 172792]
«restorer32_a»=»c:documents and settingsINeysrestorer32_a.exe» [2009-09-29 40448]
«mserv»=»c:documents and settingsINeysApplication Dataseres.exe» [BU][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IgfxTray»=»c:windowssystem32igfxtray.exe» [2006-10-06 98304]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2006-10-06 114688]
«Persistence»=»c:windowssystem32igfxpers.exe» [2006-10-06 94208]
«ToolBoxFX»=»c:program filesHPToolBoxFXbinHPTLBXFX.exe» [2006-06-15 49152]
«RemoteControl»=»c:program filesCyberLinkPowerDVDPDVDServ.exe» [2004-11-02 32768]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-08-18 1447168]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2009-04-01 6210744]
«Malwarebytes Anti-Malware (reboot)»=»c:program filesMalwarebytes’ Anti-Malwarembam.exe» [2009-09-10 1312080]
«restorer32_a»=»c:windowssystem32restorer32_a.exe» [BU]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2006-11-14 16270848]
«SkyTel»=»SkyTel.EXE» — c:windowsSkyTel.exe [2006-05-16 2879488][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2006-03-02 15360]c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Cisco Systems VPN Client.lnk — c:program filesCisco SystemsVPN Clientvpngui.exe [2008-8-29 1537064]
PGPtray.lnk — c:program filesPGP CorporationPGP for Windows XPPGPtray.exe [2008-8-29 339968]
“бЄ®аҐл© § ЇгбЄ Adobe Reader.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2005-9-24 29696][HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\WINDOWS\system32\xrsslm12.exe»=
«c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«c:\Program Files\ICQ6.5\ICQ.exe»=R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [18.08.2008 14:27 34312]
R2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [18.08.2008 14:25 468224]
R2 PGPdisk;PGPdisk;c:windowssystem32driversPGPdisk.sys [29.08.2008 10:58 169120]
R2 PGPsdkDriver;PGPsdkDriver;c:windowssystem32driversPGPsdk.sys [29.08.2008 10:58 26624]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=40316
uSearch Page = hxxp://www.google.com
uSearch Bar =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: E&xport to Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
DPF: {D8C8F760-38B2-49C7-B496-EC4DE639C26C} — hxxps://uc.is74.ru/portal/ISHelpers.cab
.
— — — — ORPHANS REMOVED — — — —HKCU-Run-d3drpc32 — c:documents and settingsINeysLocal SettingsApplication Datad3drpc32d3drpc32.dll
HKCU-Run-svchost — c:documents and settingsINeysApplication Datasvcst.exe**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 10:43
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.]
@Class=»Shell»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithList]
@Class=»Shell»
«a»=»MSPVIEW.EXE»
«MRUList»=»a»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithProgids]
«Ю_auto_file»=hex(0):[HKEY_LOCAL_MACHINEsoftwareClasses.*.]
@=»Ю_auto_file»
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘explorer.exe'(3660)
c:windowssystem32PGPhk.dll
c:windowssystem32shdoclc.dll
.
Other Running Processes
.
c:program filesCisco SystemsVPN Clientcvpnd.exe
c:program filesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
c:windowssystem32PGPServ.exe
c:windowssystem32rundll32.exe
c:program filesInternet ExplorerIEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2009-10-06 10:46 — machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 04:46
ComboFix2.txt 2009-10-05 07:59Pre-Run: 19 967 819 776 байт свободно
Post-Run: 19 933 057 024 байт свободно174 — E O F — 2009-09-30 21:04
Valeri, добрый день
Проделал все как было велено — удалилось, огромное спасибо!
Высылаю логComboFix 09-10-04.01 — INeys 05.10.2009 13:18.4.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.502.180 [GMT 6:00]
Running from: c:documents and settingsINeysРабочий столComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:documents and settingsAll Users„®Єг¬Ґвлalutas.vbs
c:documents and settingsAll Users„®Єг¬Ґвлcozecidypu.reg
c:documents and settingsAll Users„®Єг¬Ґвлeqaq.inf
c:documents and settingsAll Users„®Єг¬Ґвлfodohu.bat
c:documents and settingsAll Users„®Єг¬Ґвлvuvyt.bat
c:documents and settingsAll Users„®Єг¬Ґвлwyvumucyh.vbs
c:documents and settingsAll Users„®Єг¬Ґвлxakubumeq.reg
c:documents and settingsAll Users„®Єг¬Ґвлxezip.bat
c:documents and settingsINeysApplication Datalizkavd.exe
c:documents and settingsINeysApplication Dataseres.exe
c:documents and settingsINeysApplication Datasvcst.exe
c:documents and settingsINeysoashdihasidhasuidhiasdhiashdiuasdhasd.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.2009-10-02 07:39 . 2009-10-02 07:39 12080 —-a-w- c:windowsnyjaqikaxu.com
2009-10-01 09:44 . 2009-10-01 09:44 14835 —-a-w- c:windowscasipof.dat
2009-10-01 09:44 . 2009-10-01 09:44 13521 —-a-w- c:windowsafimukutuh.dat
2009-10-01 09:44 . 2009-10-01 09:44 16681 —-a-w- c:windowsoqagor.dat
2009-10-01 09:37 . 2009-10-01 09:37 19771 —-a-w- c:windowshitajype.com
2009-10-01 09:37 . 2009-10-01 09:37 18529 —-a-w- c:windowsytowemala.dat
2009-10-01 09:37 . 2009-10-01 09:37 13127 —-a-w- c:windowsihyneluv.com
2009-09-30 19:16 . 2009-09-30 21:33
d
w- c:windowssystem32CatRoot_bak
2009-09-30 06:42 . 2009-09-30 06:42
d
w- c:windowsServicePackFiles
2009-09-30 06:41 . 2009-09-30 06:41
d
w- c:program filesMSXML 6.0
2009-09-30 06:39 . 2009-09-30 06:39
d
w- c:program filesMSXML 4.0
2009-09-30 06:28 . 2009-02-09 11:52 2059520 -c—-w- c:windowssystem32dllcachentkrnlpa.exe
2009-09-30 06:28 . 2009-02-09 11:52 2017792 -c—-w- c:windowssystem32dllcachentkrpamp.exe
2009-09-30 06:28 . 2009-02-09 11:52 2182272 -c—-w- c:windowssystem32dllcachentoskrnl.exe
2009-09-30 06:28 . 2009-02-09 11:52 2138112 -c—-w- c:windowssystem32dllcachentkrnlmp.exe
2009-09-30 05:58 . 2008-06-14 17:59 272512 -c—-w- c:windowssystem32dllcachebthport.sys
2009-09-30 05:58 . 2008-06-14 17:59 272512
w- c:windowssystem32driversbthport.sys
2009-09-30 05:07 . 2008-10-24 11:10 453632 -c—-w- c:windowssystem32dllcachemrxsmb.sys
2009-09-30 04:26 . 2009-09-30 04:26 10212 —-a-w- c:windowssivu.com
2009-09-29 11:11 . 2009-09-29 11:11 12075 —-a-w- c:documents and settingsINeysLocal SettingsApplication Datasiwidaw.dat
2009-09-29 11:11 . 2009-09-29 11:11 11051 —-a-w- c:windowsraxefoki.com
2009-09-29 10:49 . 2009-10-02 07:11
d
w- c:program filestrend micro
2009-09-29 10:49 . 2009-09-29 10:49
d
w- C:rsit
2009-09-29 10:11 . 2009-09-29 10:11 10769 —-a-w- c:windowsysywaqytob.com
2009-09-29 10:11 . 2009-09-29 10:11 10715 —-a-w- c:windowsyjyrudif.dat
2009-09-29 09:25 . 2009-09-10 08:54 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2009-09-29 09:25 . 2009-09-10 08:53 19160 —-a-w- c:windowssystem32driversmbam.sys
2009-09-29 09:08 . 2009-09-29 09:08 17290 —-a-w- c:windowsbofyrynob.dat
2009-09-29 08:59 . 2009-09-29 08:59 19858 —-a-w- c:windowslehiny.dat
2009-09-29 08:55 . 2009-09-29 08:55 40448 —-a-w- c:documents and settingsINeysrestorer32_a.exe.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 09:37 . 2009-10-01 09:37 19678 —-a-w- c:documents and settingsINeysApplication Datauwyneg.dat
2009-09-30 21:01 . 2006-03-02 12:00 65818 —-a-w- c:windowssystem32perfc019.dat
2009-09-30 21:01 . 2006-03-02 12:00 424538 —-a-w- c:windowssystem32perfh019.dat
2009-09-29 11:11 . 2009-09-29 11:11 18935 —-a-w- c:documents and settingsAll UsersApplication Datadonahiwo.dat
2009-09-29 09:26 . 2009-03-12 05:04
d
w- c:program filesMalwarebytes’ Anti-Malware
2009-09-29 09:08 . 2009-09-29 09:08 18395 —-a-w- c:documents and settingsAll UsersApplication Dataujibamij.dat
2009-09-29 08:59 . 2009-09-29 08:59 12513 —-a-w- c:documents and settingsINeysApplication Datakicokuwida.dat
2009-09-22 09:22 . 2009-03-30 05:48
d
w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-09-03 10:39 . 2008-08-29 04:40
d
w- c:program filesCommon FilesSWF Studio
2009-09-03 10:39 . 2006-03-02 12:00 1386496 —-a-w- c:windowssystem32msvbvm60.dll
2009-08-05 09:08 . 2006-03-02 12:00 204800 —-a-w- c:windowssystem32mswebdvd.dll
2009-07-29 04:54 . 2006-03-02 12:00 82432 —-a-w- c:windowssystem32fontsub.dll
2009-07-29 04:54 . 2006-03-02 12:00 119808 —-a-w- c:windowssystem32t2embed.dll
2009-07-17 18:57 . 2006-03-02 12:00 58880 —-a-w- c:windowssystem32atl.dll
2009-07-12 20:18 . 2006-03-02 12:00 233472 —-a-w- c:windowssystem32wmpdxm.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«QIP.Online»=»c:program filesQIP.Onlineqiponline.exe» [2008-12-30 3372032]
«MSMSGS»=»c:program filesMessengermsmsgs.exe» [2004-08-17 1667584]
«swg»=»c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe» [2009-04-08 39408]
«ICQ»=»c:program filesICQ6.5ICQ.exe» [2009-03-01 172792]
«restorer32_a»=»c:documents and settingsINeysrestorer32_a.exe» [2009-09-29 40448][HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IgfxTray»=»c:windowssystem32igfxtray.exe» [2006-10-06 98304]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2006-10-06 114688]
«Persistence»=»c:windowssystem32igfxpers.exe» [2006-10-06 94208]
«ToolBoxFX»=»c:program filesHPToolBoxFXbinHPTLBXFX.exe» [2006-06-15 49152]
«RemoteControl»=»c:program filesCyberLinkPowerDVDPDVDServ.exe» [2004-11-02 32768]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-08-18 1447168]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2009-04-01 6210744]
«Malwarebytes Anti-Malware (reboot)»=»c:program filesMalwarebytes’ Anti-Malwarembam.exe» [2009-09-10 1312080]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.exe [2006-11-14 16270848]
«SkyTel»=»SkyTel.EXE» — c:windowsSkyTel.exe [2006-05-16 2879488][HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2006-03-02 15360]c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Cisco Systems VPN Client.lnk — c:program filesCisco SystemsVPN Clientvpngui.exe [2008-8-29 1537064]
PGPtray.lnk — c:program filesPGP CorporationPGP for Windows XPPGPtray.exe [2008-8-29 339968]
“бЄ®аҐл© § ЇгбЄ Adobe Reader.lnk — c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2005-9-24 29696][HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001
«FirewallOverride»=dword:00000001[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«c:\WINDOWS\system32\xrsslm12.exe»=
«c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE»=
«c:\Program Files\ICQ6.5\ICQ.exe»=R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [18.08.2008 14:27 34312]
R2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [18.08.2008 14:25 468224]
R2 PGPdisk;PGPdisk;c:windowssystem32driversPGPdisk.sys [29.08.2008 10:58 169120]
R2 PGPsdkDriver;PGPsdkDriver;c:windowssystem32driversPGPsdk.sys [29.08.2008 10:58 26624]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=40316
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: E&xport to Microsoft Excel — c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
DPF: {D8C8F760-38B2-49C7-B496-EC4DE639C26C} — hxxps://uc.is74.ru/portal/ISHelpers.cab
.
— — — — ORPHANS REMOVED — — — —HKCU-Run-mserv — c:documents and settingsINeysApplication Dataseres.exe
HKLM-Run-restorer32_a — c:windowssystem32restorer32_a.exe**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 13:58
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.]
@Class=»Shell»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithList]
@Class=»Shell»
«a»=»MSPVIEW.EXE»
«MRUList»=»a»[HKEY_USERSS-1-5-21-73586283-1284227242-839522115-1003SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.*.OpenWithProgids]
«Ю_auto_file»=hex(0):[HKEY_LOCAL_MACHINEsoftwareClasses.*.]
@=»Ю_auto_file»
.
Completion time: 2009-10-05 13:59
ComboFix-quarantined-files.txt 2009-10-05 07:59Pre-Run: 15 960 928 256 байт свободно
Post-Run: 19 967 246 336 байт свободно154 — E O F — 2009-09-30 21:04
