SoftForum (СофтФорум) - all about computers and more

Please take a look at the logs.


Recommended Posts

Hello!

I've already been helped here once. Thank you very much. Now I need help again.

The computer lives a life of its own))) It shuts down and reboots on its own, lags, opens about 20 windows at once instead of one, and so on. Please take a look at the logs.

Waiting for help. :doh:

virusinfo_syscure.zip

virusinfo_syscheck.zip

hijackthis.log



In AVZ, open the menu "File - Run script", copy the script below into the window and press the "Run" button.

begin
SearchRootkit(true, true);
SetAVZGuardStatus(true);
QuarantineFile('C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL','');
QuarantineFile('C:\WINDOWS\system32\nvapi.dll','');
QuarantineFile('C:\Program Files\Common Files\Nero\Lib\log4cxx.dll','');
QuarantineFile('C:\DOCUME~1\7655~1\LOCALS~1\Temp\F{0CD2E140-8D60-11D3-9C32-00104B3801F6}0.xxx','');
DeleteFile('C:\DOCUME~1\7655~1\LOCALS~1\Temp\F{0CD2E140-8D60-11D3-9C32-00104B3801F6}0.xxx');
DeleteFile('C:\DOCUME~1\7655~1\LOCALS~1\Temp\F{317DDB61-870E-11D3-9C32-00104B3801F6}0.xxx');
DeleteFile('C:\WINDOWS\System32\Drivers\Blh28.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Dcq04.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Fqa15.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Ijd50.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Kao41.sys');
DeleteFile('C:\WINDOWS\System32\drivers\tcpsr.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Ust74.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Vkc11.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winal33.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winas56.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Windd66.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wineg07.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winey84.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winhp10.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winia53.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winiv42.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winkt56.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winlx44.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winml87.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winmp28.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winmx21.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winnb54.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winnu48.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winqp54.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winti08.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wintp88.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winuw87.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winvq87.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winxa47.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winxp87.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Winym11.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\Wme05.sys');
DeleteFile('WinCtrl32.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\WinCtrl32.dll');
DeleteService('Wme05');
DeleteService('Winym11');
DeleteService('Winxp87');
DeleteService('Winxa47');
DeleteService('Winvq87');
DeleteService('Winuw87');
DeleteService('Wintp88');
DeleteService('Winti08');
DeleteService('Winqp54');
DeleteService('Winnu48');
DeleteService('Winnb54');
DeleteService('Winmx21');
DeleteService('Winmp28');
DeleteService('Winml87');
DeleteService('Winlx44');
DeleteService('Winkt56');
DeleteService('Winiv42');
DeleteService('Winia53');
DeleteService('Winhp10');
DeleteService('Winey84');
DeleteService('Wineg07');
DeleteService('Windd66');
DeleteService('Winas56');
DeleteService('Winal33');
DeleteService('Vkc11');
DeleteService('Ust74');
DeleteService('tcpsr');
DeleteService('Kao41');
DeleteService('Ijd50');
DeleteService('Fqa15');
DeleteService('Dcq04');
DeleteService('Blh28');
BC_ImportALL;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.

After the script runs, the computer will reboot.

begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.

Send the resulting archive to akok<at>pisem.net with a link to this topic. (at=@)

Fix the following lines in HijackThis

O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing) 

Download Malwarebytes' Anti-Malware, install it, update the databases, choose "Perform Full Scan" and click "Scan"; after the scan: Ok - Show Results - click "Remove Selected". Open the log and paste it into your reply.

Repeat the AVZ logs.

Download RSIT. Run it, select checking files from the last three months and click Continue. Two reports should open, log.txt and info.txt. Attach them to your next message. If you closed them, the logs are saved by default in a folder of the same name (RSIT) in the root of the system drive.


Hello.

Thank you for your help. I have sent the quarantine archive by e-mail.

Here is one more log:

Malwarebytes' Anti-Malware 1.31

Database version: 1550

Windows 5.1.2600 Service Pack 2

27.12.2008 12:08:10

mbam-log-2008-12-27 (12-08-10).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)

Objects scanned: 134245

Time elapsed: 18 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 8

Registry Data Items Infected: 0

Folders Infected: 4

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.PestPatrol) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b1d3576a-ca42-4d09-83c1-15d563c19d71} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

C:\AntivirAsistant (Rogue.Agent) -> Quarantined and deleted successfully.

C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\altcmd\altcmd32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Катя\Local Settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Fix the following lines in HijackThis

 R3 - URLSearchHook: (no name) -  - (no file)

C:\Катя.exe - what is that?

Download ComboFix here, here or here and save it to the desktop.

1. You need to install the Recovery Console following the instructions at how-to-use-combofix:

  • Download the installation file for your OS and save it to the desktop.
    Windows XP Professional with Service Pack 2 (SP2)
    Windows XP Home Edition with Service Pack 2 (SP2)
    The Recovery Console installation file for Windows XP SP3 is identical to the one for Windows XP SP2
    If you are using Windows XP with Service Pack 1 (SP1) or the original release of Windows XP, you must read the article "How to obtain Windows XP installation disks" and download the Recovery Console installation file that matches your edition of the system.
  • Close all other applications and drag the installation file onto the ComboFix icon with the mouse, accept the license agreement and install the Microsoft Recovery Console.

2. Attention! Be sure to close all browsers and temporarily disable your antivirus, firewall and other security software. Do not run other programs while ComboFix is working. ComboFix may disconnect the internet some time after it starts; do not reconnect until ComboFix has finished. If the internet has not come back after ComboFix finishes, reboot the computer. Do not click the mouse while ComboFix is running, as this may cause ComboFix to hang.

3. Run combofix.exe; when the process finishes, copy the text from C:\ComboFix.txt and paste it into your next message, or zip the file C:\ComboFix.txt and attach it to the message.

Note: if ComboFix does not start, rename combofix.exe to combo-fix.exe

Copy the text below into Notepad and save it as a file named CFScript.txt on the desktop.

File::
Driver::
Folder::
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bdl84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Blh28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Dcq04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fqa15.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ijd50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kao41.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\thU52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ust74.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vkc11.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vuY51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winal33.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winas56.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windd66.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wineg07.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winey84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhp10.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winia53.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winiv42.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkt56.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winlx44.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winml87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmp28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmx21.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnb54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnu48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqp54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winti08.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintp88.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuw87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvq87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxa47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxp87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winym11.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wme05.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Bdl84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Blh28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dcq04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Fqa15.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ijd50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Kao41.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\thU52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ust74.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Vkc11.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vuY51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winal33.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winas56.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Windd66.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wineg07.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winey84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winhp10.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winia53.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winiv42.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winkt56.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winlx44.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winml87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winmp28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winmx21.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winnb54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winnu48.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winqp54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winti08.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wintp88.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winuw87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winvq87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxa47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winxp87.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winym11.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wme05.sys]
FileLook::
DirLook::

After saving, drag CFScript.txt onto the ComboFix.exe icon.

CFScript.gif

When the new ComboFix report has been saved, copy the text from C:\ComboFix.txt into your message; if the log turns out to be very large, zip ComboFix.txt and attach it to the message.

It's time to move to SP3.

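The AVZ script in the first reply and the CFScript above work from the same list of driver and service names: AVZ deletes each .sys file and its service, and the CFScript then removes the matching SafeBoot\Minimal and SafeBoot\network registry entries so the drivers are not referenced in either Safe Mode profile. As an added example (not code from this thread, from AVZ or from ComboFix), the Python below regenerates both scripts from a name list, parses them back out, and diffs the two lists. The name lists are copied from the two scripts posted in this thread; the naming regex, the function names and the skeletal AVZ script (quarantine lines omitted) are this example's own choices, not part of either tool.

```python
import re

# Service names copied from the AVZ script posted earlier in the thread (DeleteService entries).
AVZ_SERVICES = [
    "Blh28", "Dcq04", "Fqa15", "Ijd50", "Kao41", "tcpsr", "Ust74", "Vkc11",
    "Winal33", "Winas56", "Windd66", "Wineg07", "Winey84", "Winhp10", "Winia53",
    "Winiv42", "Winkt56", "Winlx44", "Winml87", "Winmp28", "Winmx21", "Winnb54",
    "Winnu48", "Winqp54", "Winti08", "Wintp88", "Winuw87", "Winvq87", "Winxa47",
    "Winxp87", "Winym11", "Wme05",
]

# Driver names copied from the SafeBoot entries of the CFScript posted above.
CFSCRIPT_DRIVERS = [
    "Bdl84", "Blh28", "Dcq04", "Fqa15", "Ijd50", "Kao41", "thU52", "Ust74", "Vkc11",
    "vuY51", "Winal33", "Winas56", "Windd66", "Wineg07", "Winey84", "Winhp10",
    "Winia53", "Winiv42", "Winkt56", "Winlx44", "Winml87", "Winmp28", "Winmx21",
    "Winnb54", "Winnu48", "Winqp54", "Winti08", "Wintp88", "Winuw87", "Winvq87",
    "Winxa47", "Winxp87", "Winym11", "Wme05",
]

DRIVERS_DIR = r"C:\WINDOWS\System32\Drivers"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Pattern the names in this thread share: "Win" + two letters + two digits, or three letters + two digits.
# This describes this thread's names only; it is not a general malware signature (assumption of this example).
RANDOM_NAME = re.compile(r"^(?:Win[a-z]{2}|[A-Za-z]{3})\d{2}$")


def looks_random(name: str) -> bool:
    """True if the service name fits the thread's randomly generated naming scheme."""
    return bool(RANDOM_NAME.match(name))


def build_avz_script(services) -> str:
    """Emit an AVZ script that deletes each driver file and service, then cleans up and reboots."""
    lines = ["begin", "SearchRootkit(true, true);", "SetAVZGuardStatus(true);"]
    lines += [f"DeleteFile('{DRIVERS_DIR}\\{s}.sys');" for s in services]
    lines += [f"DeleteService('{s}');" for s in reversed(services)]
    lines += ["BC_ImportALL;", "BC_Activate;", "ExecuteSysClean;", "RebootWindows(true);", "end."]
    return "\n".join(lines)


def build_cfscript(drivers) -> str:
    """Emit a CFScript whose Registry:: section removes the SafeBoot entries for both Safe Mode profiles."""
    lines = ["File::", "Driver::", "Folder::", "Registry::"]
    for profile in ("Minimal", "network"):
        lines += [f"[-{SAFEBOOT}\\{profile}\\{d}.sys]" for d in drivers]
    lines += ["FileLook::", "DirLook::"]
    return "\n".join(lines)


def services_from_avz(script: str):
    """Service names in the order the AVZ script deletes them."""
    return re.findall(r"DeleteService\('([^']+)'\);", script)


def drivers_from_cfscript(script: str):
    """Distinct driver names referenced by the CFScript's SafeBoot removals."""
    return sorted(set(re.findall(r"SafeBoot\\(?:Minimal|network)\\([^\\\]]+)\.sys\]", script)))


def compare_scripts(avz_services, cf_drivers) -> dict:
    """Names handled by one script but not the other; the two lists should normally agree."""
    a, c = set(avz_services), set(cf_drivers)
    return {"only_in_avz": sorted(a - c), "only_in_cfscript": sorted(c - a)}


if __name__ == "__main__":
    print(build_avz_script(AVZ_SERVICES))
    print(build_cfscript(CFSCRIPT_DRIVERS))
    print(compare_scripts(AVZ_SERVICES, CFSCRIPT_DRIVERS))
    print("not matching the naming scheme:", [s for s in AVZ_SERVICES if not looks_random(s)])
```

Run against the thread's own lists, compare_scripts reports tcpsr only in the AVZ script and Bdl84, thU52 and vuY51 only in the CFScript; that is the kind of difference worth reconciling before a second cleanup script is sent to a user, since a driver left with a SafeBoot entry but no file is harmless, while a file left with no SafeBoot removal still loads in Safe Mode.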

I don't know what Катя.exe is.

Text from C:\ComboFix.txt:

ComboFix 08-12-26.03 - Катя 2008-12-27 22:31:27.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.511.129 [GMT 3:00]

Running from: c:\documents and settings\Катя\Рабочий стол\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)

.

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))

.

2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- C:\rsit

2008-12-27 12:45 . 2008-12-27 12:45 781,851 --a------ C:\RSIT.exe

2008-12-27 12:45 . 2007-06-28 14:36 401,720 --a------ C:\Катя.exe

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\Катя\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-27 11:46 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 11:45 . 2008-12-27 11:46 2,539,168 --a------ C:\mbam-setup.exe

2008-12-27 00:44 . 2008-12-27 11:37 <DIR> d-------- C:\avz4

2008-12-26 22:53 . 2008-12-26 22:53 109,905 --a------ C:\rules.zip

2008-12-20 23:12 . 2008-12-20 23:12 115,224 --a------ C:\img2-001.raw

2008-12-20 22:39 . 2008-12-20 22:41 <DIR> d-------- c:\program files\Microsoft LifeCam

2008-12-20 22:30 . 2007-04-11 00:46 1,966,312 -ra------ c:\windows\system32\drivers\VX1000.sys

2008-12-11 21:01 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-12-11 21:00 . 2008-12-11 21:00 <DIR> d-------- c:\windows\Logs

2008-12-11 20:46 . 2008-12-11 20:46 <DIR> d-------- c:\program files\PCGAME

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\program files\ICQ6Toolbar

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\Катя\Application Data\Mozilla

2008-12-09 22:56 . 2008-12-09 23:03 <DIR> d-------- c:\documents and settings\Катя\Application Data\ICQ

2008-12-09 22:55 . 2008-12-09 22:57 <DIR> d-------- c:\program files\ICQ6.5

2008-12-04 23:12 . 2008-12-27 22:18 <DIR> d-------- c:\documents and settings\Катя\Application Data\skypePM

2008-12-04 23:12 . 2008-12-04 23:12 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-12-04 23:09 . 2008-12-27 22:22 <DIR> d-------- c:\documents and settings\Катя\Application Data\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Common Files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-26 20:44 --------- d-----w c:\program files\McDonaldsDragons

2008-12-26 19:53 318,369 ----a-w C:\HiJackThis.zip

2008-12-26 19:52 3,639,856 ----a-w C:\avz4.zip

2008-12-26 19:51 11,887,608 ----a-w C:\cureit.exe

2008-12-09 20:06 --------- d-----w c:\program files\QIP Infium

2008-12-09 20:05 --------- d-----w c:\documents and settings\Катя\Application Data\QIP.Online

2008-12-09 20:04 --------- d-----w c:\program files\QIP

2008-12-09 19:56 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-29 10:45 --------- d-----w c:\documents and settings\Катя\Application Data\Canon

2008-11-17 21:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM

2008-11-15 09:29 --------- d-----w c:\program files\EA Games

2008-11-06 18:38 --------- d-----w c:\documents and settings\Катя\Application Data\QIP

2008-11-03 20:59 47,104 ------w c:\windows\AKDeInstall.exe

2008-11-03 20:59 --------- d-----w c:\program files\mpegable

2008-10-29 18:53 --------- d-----w c:\program files\MSECache

2008-08-15 17:49 242 --sha-w c:\windows\system32\1748230465.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2003-08-18 15360]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Yupdate!"="c:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-09-01 479496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-06 7700480]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"DAEMON Tools-1033"="c:\program files\DRTools\daemon.exe" [2004-08-22 81920]

"IMCServerAutoStart"="c:\program files\InterVideo\IMCSvr\IMCSvr.exe" [2006-04-21 942080]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]

"nwiz"="nwiz.exe" [2006-10-06 c:\windows\system32\nwiz.exe]

"NvMediaCenter"="NvMCTray.dll" [2006-10-06 c:\windows\system32\nvmctray.dll]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2003-08-18 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\ (Start Menu\Programs\Startup)

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

InterVideo Scheduler server.lnk - c:\program files\InterVideo\WinDVD Media Center\SchSvr.exe [2008-09-21 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

--a------ 2008-03-13 15:48 1443072 c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ekrn"=2 (0x2)

"EhttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent [tfile.ru]\\utorrent.exe"=

"c:\\Program Files\\SEGA\\Beijing 2008\\Beijing.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\PCGAME\\PRO EVOLUTION SOCCER 2009\\pes2009.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"139:TCP"= 139:TCP:192.168.100.3/255.255.255.255,192.168.100.9/255.255.255.255,192.168.100.21/255.255.255.255:Enabled:@xpsp2res.dll,-22004

R0 UP55bus;UP55bus;c:\windows\system32\DRIVERS\UP55bus.sys [2008-08-26 155136]

R0 UP55prt;UP55prt;c:\windows\system32\Drivers\UP55prt.sys [2008-08-26 5248]

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]

R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-09 222456]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2008-02-01 61504]

S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2008-02-01 9328]

S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2008-02-01 97056]

S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2008-07-17 88560]

S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2008-07-17 86368]

*Newly Created Service* - CATCHME

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yandex.ru/?clid=40488

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Export to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

TCP: {7AC794E2-CE72-434B-867E-C9DC9C3277DD} = 192.168.248.21

c:\windows\Downloaded Program Files\ImResCtl.dll - O16 -: {2D4C57AA-54C0-4942-BB2A-51DF0727950B}

hxxp://www.openkremlin.ru/cab/ImResCtl.cab

c:\windows\Downloaded Program Files\ImResCtl.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-27 22:32:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-12-27 22:32:39

ComboFix-quarantined-files.txt 2008-12-27 19:32:32

ComboFix2.txt 2008-12-27 19:28:29

Pre-Run: 29,765,873,664 bytes free

Post-Run: 29,756,194,816 bytes free

164

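A reviewer reading the ComboFix log above looks first at the settings that weaken the machine's own defenses, then at the file listing. As an added example (not part of the thread and not a ComboFix feature), the Python below runs a handful of such checks over an abridged excerpt copied from that log: real-time antivirus disabled and signatures outdated, Security Center notifications suppressed, the Windows Firewall turned off, a globally opened port, a hidden file in system32, executables sitting in the drive root, and XP still on SP2. The finding codes, the regexes and the choice of excerpt lines are this example's own assumptions.

```python
import re

# Abridged excerpt copied from the ComboFix log posted above; constructed as sample input for this example.
SAMPLE_LOG = r"""
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.511.129 [GMT 3:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
2008-12-27 12:45 . 2008-12-27 12:45 781,851 --a------ C:\RSIT.exe
2008-12-27 12:45 . 2007-06-28 14:36 401,720 --a------ C:\Катя.exe
2008-12-09 19:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-08-15 17:49 242 --sha-w c:\windows\system32\1748230465.dat
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:192.168.100.3/255.255.255.255:Enabled:@xpsp2res.dll,-22004
Windows 5.1.2600 Service Pack 2 NTFS
"""

# Finding code and regex per line-level rule; group 1 becomes the finding's detail.
LINE_RULES = [
    ("av_realtime_disabled", re.compile(r"^AV: (.*?) \*On-access scanning disabled\*")),
    ("av_signatures_outdated", re.compile(r"^AV: (.*?)(?: \*[^*]*\*)? \(Outdated\)$")),
    ("security_center_alerts_suppressed",
     re.compile(r'^"((?:AntiVirus|Firewall|Updates)DisableNotify)"=dword:0*1$')),
    ("windows_firewall_disabled", re.compile(r'^"EnableFirewall"=\s*(0)\b')),
    ("globally_open_port", re.compile(r'^"(\d+:(?:TCP|UDP))"=')),
    ("xp_not_on_sp3", re.compile(r"^Windows 5\.1\.2600 (Service Pack [12])\b")),
]

# ComboFix file lines: "date time [. date time] size|---------|<DIR> attrs path"
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)? "
    r"(?:[\d,]+|-+|<DIR>) ([-a-zA-Z]+) (.+)$"
)
ROOT_EXE = re.compile(r"^[a-zA-Z]:\\[^\\]+\.exe$", re.IGNORECASE)


def triage(log_text: str):
    """Return a list of {'code', 'detail'} findings a reviewer should look at; order follows the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for code, rx in LINE_RULES:
            m = rx.match(line)
            if m:
                findings.append({"code": code, "detail": m.group(1)})
        m = FILE_LINE.match(line)
        if not m:
            continue
        attrs, path = m.group(1), m.group(2)
        if "d" in attrs:  # directory entries are not interesting for these two checks
            continue
        if "h" in attrs and "\\system32\\" in path.lower():
            findings.append({"code": "hidden_file_in_system32", "detail": path})
        if ROOT_EXE.match(path):  # the helper's own tools (RSIT.exe etc.) will show up here too
            findings.append({"code": "executable_in_drive_root", "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:36} {f['detail']}")
```

The root-executable check deliberately reports the helper's own tools as well as C:\Катя.exe; the point is to hand a short list to a human, as the helper did when asking what that file is, not to decide automatically.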

Log after dragging CFScript.txt onto ComboFix:

ComboFix 08-12-26.03 - Катя 2008-12-27 22:49:54.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.511.128 [GMT 3:00]

Running from: c:\documents and settings\Катя\Рабочий стол\ComboFix.exe

Command switches used :: c:\documents and settings\Катя\Рабочий стол\CFScript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))

.

2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- C:\rsit

2008-12-27 12:45 . 2008-12-27 12:45 781,851 --a------ C:\RSIT.exe

2008-12-27 12:45 . 2007-06-28 14:36 401,720 --a------ C:\Катя.exe

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\Катя\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-27 11:46 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 11:45 . 2008-12-27 11:46 2,539,168 --a------ C:\mbam-setup.exe

2008-12-27 00:44 . 2008-12-27 11:37 <DIR> d-------- C:\avz4

2008-12-26 22:53 . 2008-12-26 22:53 109,905 --a------ C:\rules.zip

2008-12-20 23:12 . 2008-12-20 23:12 115,224 --a------ C:\img2-001.raw

2008-12-20 22:39 . 2008-12-20 22:41 <DIR> d-------- c:\program files\Microsoft LifeCam

2008-12-20 22:30 . 2007-04-11 00:46 1,966,312 -ra------ c:\windows\system32\drivers\VX1000.sys

2008-12-11 21:01 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-12-11 21:00 . 2008-12-11 21:00 <DIR> d-------- c:\windows\Logs

2008-12-11 20:46 . 2008-12-11 20:46 <DIR> d-------- c:\program files\PCGAME

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\program files\ICQ6Toolbar

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\Катя\Application Data\Mozilla

2008-12-09 22:56 . 2008-12-09 23:03 <DIR> d-------- c:\documents and settings\Катя\Application Data\ICQ

2008-12-09 22:55 . 2008-12-09 22:57 <DIR> d-------- c:\program files\ICQ6.5

2008-12-04 23:12 . 2008-12-27 22:18 <DIR> d-------- c:\documents and settings\Катя\Application Data\skypePM

2008-12-04 23:12 . 2008-12-04 23:12 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-12-04 23:09 . 2008-12-27 22:22 <DIR> d-------- c:\documents and settings\Катя\Application Data\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Common Files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-26 20:44 --------- d-----w c:\program files\McDonaldsDragons

2008-12-26 19:53 318,369 ----a-w C:\HiJackThis.zip

2008-12-26 19:52 3,639,856 ----a-w C:\avz4.zip

2008-12-26 19:51 11,887,608 ----a-w C:\cureit.exe

2008-12-09 20:06 --------- d-----w c:\program files\QIP Infium

2008-12-09 20:05 --------- d-----w c:\documents and settings\Катя\Application Data\QIP.Online

2008-12-09 20:04 --------- d-----w c:\program files\QIP

2008-12-09 19:56 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-29 10:45 --------- d-----w c:\documents and settings\Катя\Application Data\Canon

2008-11-17 21:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM

2008-11-15 09:29 --------- d-----w c:\program files\EA Games

2008-11-06 18:38 --------- d-----w c:\documents and settings\Катя\Application Data\QIP

2008-11-03 20:59 47,104 ------w c:\windows\AKDeInstall.exe

2008-11-03 20:59 --------- d-----w c:\program files\mpegable

2008-10-29 18:53 --------- d-----w c:\program files\MSECache

2008-08-15 17:49 242 --sha-w c:\windows\system32\1748230465.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Yupdate!"="c:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-09-01 479496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-06 7700480]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"DAEMON Tools-1033"="c:\program files\DRTools\daemon.exe" [2004-08-22 81920]

"IMCServerAutoStart"="c:\program files\InterVideo\IMCSvr\IMCSvr.exe" [2006-04-21 942080]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]

"nwiz"="nwiz.exe" [2006-10-06 c:\windows\system32\nwiz.exe]

"NvMediaCenter"="NvMCTray.dll" [2006-10-06 c:\windows\system32\nvmctray.dll]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2003-08-18 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

InterVideo Scheduler server.lnk - c:\program files\InterVideo\WinDVD Media Center\SchSvr.exe [2008-09-21 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

--a------ 2008-03-13 15:48 1443072 c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ekrn"=2 (0x2)

"EhttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent [tfile.ru]\\utorrent.exe"=

"c:\\Program Files\\SEGA\\Beijing 2008\\Beijing.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\PCGAME\\PRO EVOLUTION SOCCER 2009\\pes2009.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"139:TCP"= 139:TCP:192.168.100.3/255.255.255.255,192.168.100.9/255.255.255.255,192.168.100.21/255.255.255.255:Enabled:@xpsp2res.dll,-22004

R0 UP55bus;UP55bus;c:\windows\system32\DRIVERS\UP55bus.sys [2008-08-26 155136]

R0 UP55prt;UP55prt;c:\windows\system32\Drivers\UP55prt.sys [2008-08-26 5248]

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]

R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-09 222456]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2008-02-01 61504]

S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2008-02-01 9328]

S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2008-02-01 97056]

S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2008-07-17 88560]

S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2008-07-17 86368]

*Newly Created Service* - CATCHME

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yandex.ru/?clid=40488

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

TCP: {7AC794E2-CE72-434B-867E-C9DC9C3277DD} = 192.168.248.21

c:\windows\Downloaded Program Files\ImResCtl.dll - O16 -: {2D4C57AA-54C0-4942-BB2A-51DF0727950B}

hxxp://www.openkremlin.ru/cab/ImResCtl.cab

c:\windows\Downloaded Program Files\ImResCtl.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-27 22:51:05

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-12-27 22:51:32

ComboFix-quarantined-files.txt 2008-12-27 19:51:26

ComboFix2.txt 2008-12-27 19:32:40

ComboFix3.txt 2008-12-27 19:28:29

Pre-Run: 29 735 858 176 байт свободно

Post-Run: 29,726,330,880 байт свободно

166


Copy the text below into Notepad and save it to the desktop as a file named CFScript.txt.

File::
C:\Катя.exe
Driver::
Folder::
Registry::
FileLook::
DirLook::

After saving, drag CFScript.txt onto the ComboFix.exe icon.


When the new ComboFix report has been saved, paste the text of C:\ComboFix.txt into a reply; if the log turns out to be very large, zip ComboFix.txt and attach it to the post.

Please zip the folder C:\Qoobox\Quarantine\ with the password virus and send it to akok<at>pisem.net (at=@), stating the password virus in the body of the message.

Uninstall ComboFix: click Start - Run and enter Combofix /u

Download OTCleanIt, run it, and click Clean up.

How is the patient feeling?


Here it is, the new log.

ComboFix 08-12-26.03 - Катя 2008-12-28 0:32:50.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.511.261 [GMT 3:00]

Running from: c:\documents and settings\Катя\Рабочий стол\ComboFix.exe

Command switches used :: c:\documents and settings\Катя\Рабочий стол\CFScript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)

* Created a new restore point

FILE ::

C:\Катя.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Катя.exe

.

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))

.

2008-12-27 12:45 . 2008-12-27 12:45 <DIR> d-------- C:\rsit

2008-12-27 12:45 . 2008-12-27 12:45 781,851 --a------ C:\RSIT.exe

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-27 11:46 <DIR> d-------- c:\documents and settings\Катя\Application Data\Malwarebytes

2008-12-27 11:46 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-27 11:46 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-27 11:45 . 2008-12-27 11:46 2,539,168 --a------ C:\mbam-setup.exe

2008-12-27 00:44 . 2008-12-27 11:37 <DIR> d-------- C:\avz4

2008-12-26 22:53 . 2008-12-26 22:53 109,905 --a------ C:\rules.zip

2008-12-20 23:12 . 2008-12-20 23:12 115,224 --a------ C:\img2-001.raw

2008-12-20 22:39 . 2008-12-20 22:41 <DIR> d-------- c:\program files\Microsoft LifeCam

2008-12-20 22:30 . 2007-04-11 00:46 1,966,312 -ra------ c:\windows\system32\drivers\VX1000.sys

2008-12-11 21:01 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll

2008-12-11 21:00 . 2008-12-11 21:00 <DIR> d-------- c:\windows\Logs

2008-12-11 20:46 . 2008-12-11 20:46 <DIR> d-------- c:\program files\PCGAME

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\program files\ICQ6Toolbar

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ

2008-12-09 22:56 . 2008-12-09 22:56 <DIR> d-------- c:\documents and settings\Катя\Application Data\Mozilla

2008-12-09 22:56 . 2008-12-09 23:03 <DIR> d-------- c:\documents and settings\Катя\Application Data\ICQ

2008-12-09 22:55 . 2008-12-09 22:57 <DIR> d-------- c:\program files\ICQ6.5

2008-12-04 23:12 . 2008-12-27 22:18 <DIR> d-------- c:\documents and settings\Катя\Application Data\skypePM

2008-12-04 23:12 . 2008-12-04 23:12 56 --ah----- c:\windows\system32\ezsidmv.dat

2008-12-04 23:09 . 2008-12-27 22:22 <DIR> d-------- c:\documents and settings\Катя\Application Data\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\program files\Common Files\Skype

2008-12-04 23:08 . 2008-12-04 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-26 20:44 --------- d-----w c:\program files\McDonaldsDragons

2008-12-26 19:53 318,369 ----a-w C:\HiJackThis.zip

2008-12-26 19:52 3,639,856 ----a-w C:\avz4.zip

2008-12-26 19:51 11,887,608 ----a-w C:\cureit.exe

2008-12-09 20:06 --------- d-----w c:\program files\QIP Infium

2008-12-09 20:05 --------- d-----w c:\documents and settings\Катя\Application Data\QIP.Online

2008-12-09 20:04 --------- d-----w c:\program files\QIP

2008-12-09 19:56 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-29 10:45 --------- d-----w c:\documents and settings\Катя\Application Data\Canon

2008-11-17 21:30 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM

2008-11-15 09:29 --------- d-----w c:\program files\EA Games

2008-11-06 18:38 --------- d-----w c:\documents and settings\Катя\Application Data\QIP

2008-11-03 20:59 47,104 ------w c:\windows\AKDeInstall.exe

2008-11-03 20:59 --------- d-----w c:\program files\mpegable

2008-10-29 18:53 --------- d-----w c:\program files\MSECache

2008-08-15 17:49 242 --sha-w c:\windows\system32\1748230465.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2008-10-16 1578248]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]

[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Yupdate!"="c:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-09-01 479496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-06 7700480]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"DAEMON Tools-1033"="c:\program files\DRTools\daemon.exe" [2004-08-22 81920]

"IMCServerAutoStart"="c:\program files\InterVideo\IMCSvr\IMCSvr.exe" [2006-04-21 942080]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]

"nwiz"="nwiz.exe" [2006-10-06 c:\windows\system32\nwiz.exe]

"NvMediaCenter"="NvMCTray.dll" [2006-10-06 c:\windows\system32\nvmctray.dll]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2003-08-18 15360]

c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\

AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

InterVideo Scheduler server.lnk - c:\program files\InterVideo\WinDVD Media Center\SchSvr.exe [2008-09-21 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

--a------ 2008-03-13 15:48 1443072 c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ekrn"=2 (0x2)

"EhttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent [tfile.ru]\\utorrent.exe"=

"c:\\Program Files\\SEGA\\Beijing 2008\\Beijing.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\PCGAME\\PRO EVOLUTION SOCCER 2009\\pes2009.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"139:TCP"= 139:TCP:192.168.100.3/255.255.255.255,192.168.100.9/255.255.255.255,192.168.100.21/255.255.255.255:Enabled:@xpsp2res.dll,-22004

R0 UP55bus;UP55bus;c:\windows\system32\DRIVERS\UP55bus.sys [2008-08-26 155136]

R0 UP55prt;UP55prt;c:\windows\system32\Drivers\UP55prt.sys [2008-08-26 5248]

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]

R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-09 222456]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]

S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2008-02-01 61504]

S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2008-02-01 9328]

S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2008-02-01 97056]

S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2008-07-17 88560]

S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2008-07-17 86368]

*Newly Created Service* - CATCHME

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yandex.ru/?clid=40488

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

TCP: {7AC794E2-CE72-434B-867E-C9DC9C3277DD} = 192.168.248.21

c:\windows\Downloaded Program Files\ImResCtl.dll - O16 -: {2D4C57AA-54C0-4942-BB2A-51DF0727950B}

hxxp://www.openkremlin.ru/cab/ImResCtl.cab

c:\windows\Downloaded Program Files\ImResCtl.inf

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-28 00:34:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-12-28 0:35:08

ComboFix-quarantined-files.txt 2008-12-27 21:35:00

ComboFix2.txt 2008-12-27 19:51:33

ComboFix3.txt 2008-12-27 19:32:40

ComboFix4.txt 2008-12-27 19:28:29

Pre-Run: 29 672 665 088 байт свободно

Post-Run: 29,698,994,176 байт свободно

172

Not feeling great so far, I think. I'll finish everything you wrote now and see what happens :)


I've done everything. Now everything is fine; at first it just seemed to lag a little and open programs slowly.

Thanks for the help. You've rescued me yet again :)

And what does "It's time to move to SP3" mean? Could you elaborate? :)


Катя.exe turned out to be HJT :)

You need to install Service Pack 3 and IE7, plus all released hotfixes via Windows Update. (!!! After installing SP3, reactivation may be required.)


The same problems again. The computer shuts down and reboots on its own and opens programs slowly. Everything is just as it was. :doh:
