New member
Posts: 48
Thanks: 0
THIS IS THE COMBOFIX LOG!!!
Code:
--------------------------------------------------------------------------------------------------------------
ComboFix 09-12-22.07 - Администратор 23.12.2009 16:34:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.3583.3306 [GMT 3:00]
Running from: d:\installs\Программы для Windows\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Персональный файервол ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\keylog.txt
c:\program files\IEToolbar404\find404.com search engine\tbHElper.dll
c:\recycler\S-1-5-21-3504091190-7587853305-832207285-0224
c:\recycler\S-1-5-21-7951533974-4057461734-013824168-3203
c:\recycler\S-1-5-21-8019161374-7979388734-412460543-7387
c:\windows\logfile32.txt
c:\windows\system32\57.exe
c:\windows\system32\77.exe
c:\windows\system32\78.exe
c:\windows\system32\i
c:\windows\system32\vbrun100.dll
C:\x5p2a1x8j5w6.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OREANS32
-------\Service_oreans32
((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.
2009-12-23 13:17 . 2009-12-23 13:17 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\ApplicationHistory
2009-12-23 13:17 . 2009-12-23 13:17 136 ----a-w- c:\documents and settings\Администратор\Local Settings\Application Data\fusioncache.dat
2009-12-23 13:16 . 2009-12-23 13:16 38912 ----a-w- c:\windows\system32\15.scr
2009-12-22 19:07 . 2009-12-22 19:07 38912 ----a-w- c:\windows\system32\26.scr
2009-12-22 18:32 . 2004-06-14 11:56 427864 ----a-w- c:\windows\system32\XceedZip.dll
2009-12-22 18:32 . 2009-12-22 18:32 -------- d-----w- c:\program files\Driver-Soft
2009-12-22 18:13 . 2009-12-22 18:13 38912 ----a-w- c:\windows\system32\74.scr
2009-12-22 17:36 . 2009-12-22 17:36 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\Identities
2009-12-22 17:31 . 2009-12-22 19:08 135168 ----a-w- c:\windows\system32\mini.exe
2009-12-22 17:31 . 2009-12-22 19:08 147456 ----a-w- c:\windows\system32\Ms16.exe
2009-12-22 17:31 . 2009-12-22 17:31 38912 ----a-w- c:\windows\system32\44.scr
2009-12-22 17:23 . 2009-12-22 17:23 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\ESET
2009-12-22 17:20 . 2009-12-22 17:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-12-22 17:07 . 2009-12-22 17:07 -------- d-----w- c:\documents and settings\Администратор\Application Data\ESET
2009-12-22 17:06 . 2009-12-22 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-12-22 16:00 . 2009-12-22 16:04 11264 ----a-w- c:\windows\system32\drivers\uze5otcy.sys
2009-12-22 13:45 . 2009-12-22 13:45 -------- d-----w- c:\documents and settings\Администратор\Application Data\Malwarebytes
2009-12-22 13:45 . 2009-12-03 13:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 13:45 . 2009-12-22 13:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 13:45 . 2009-12-22 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 13:45 . 2009-12-03 13:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 10:42 . 2009-12-22 13:22 0 ----a-w- c:\windows\system32\drivers\vieqvowm.sys
2009-12-22 10:42 . 2009-12-22 10:42 -------- d-----w- c:\program files\IEToolbar404
2009-12-22 10:42 . 2009-12-22 10:42 -------- d-----w- c:\windows\Sun
2009-12-21 21:11 . 2009-12-23 03:58 67584 ----a-w- c:\windows\system32\ccda_v8.exe
2009-12-21 20:25 . 2009-12-21 20:25 388096 ----a-r- c:\documents and settings\Администратор\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-21 20:25 . 2009-12-21 20:25 -------- d-----w- c:\program files\TrendMicro
2009-12-21 20:08 . 2009-12-21 20:08 -------- d-----w- c:\documents and settings\Администратор\DoctorWeb
2009-12-21 19:55 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-12-21 19:55 . 2009-12-21 19:55 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-12-21 19:55 . 2009-12-21 19:55 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2009-12-21 18:58 . 2009-12-21 18:58 0 ----a-w- c:\windows\nsreg.dat
2009-12-21 18:58 . 2009-12-21 18:58 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\Mozilla
2009-12-21 18:37 . 2009-12-21 18:37 -------- d-----w- c:\program files\FlylinkDC++
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 13:00 . 2009-12-21 14:38 -------- d-----w- c:\program files\AIMP2
2009-12-22 18:36 . 2009-12-22 18:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-12-22 18:35 . 2009-12-22 18:35 -------- d-----w- c:\documents and settings\Администратор\Application Data\Media Player Classic
2009-12-21 17:01 . 2009-12-21 14:47 -------- d-----w- c:\program files\ACAD2000
2009-12-21 15:51 . 2009-12-21 14:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 15:38 . 2009-12-21 14:07 -------- d-----w- c:\program files\Realtek
2009-12-21 14:50 . 2009-12-21 14:35 72224 ----a-w- c:\documents and settings\Администратор\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 14:47 . 2009-12-21 14:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-12-21 14:39 . 2009-12-21 14:34 -------- d-----w- c:\program files\Total Commander
2009-12-21 14:37 . 2009-12-21 14:37 -------- d-----w- c:\program files\Magic Gooddy
2009-12-21 14:35 . 2009-12-21 14:35 -------- d-----w- c:\program files\RocketDock
2009-12-21 14:34 . 2009-12-21 14:34 -------- d-----w- c:\program files\Opera
2009-12-21 14:34 . 2009-12-21 14:34 -------- d-----w- c:\documents and settings\Администратор\Application Data\Nokia
2009-12-21 14:34 . 2009-12-21 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2009-12-21 14:34 . 2009-12-21 14:34 -------- d-----w- c:\documents and settings\Администратор\Application Data\PC Suite
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\program files\Common Files\PCSuite
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\program files\Common Files\Nokia
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\program files\Nokia
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\program files\DIFX
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\program files\PC Connectivity Solution
2009-12-21 14:30 . 2009-12-21 14:30 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-12-21 14:30 . 2009-12-21 14:30 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-12-21 14:30 . 2009-12-21 14:30 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-12-21 14:30 . 2009-12-21 14:30 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-12-21 14:30 . 2009-12-21 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-21 14:29 . 2009-12-21 14:29 -------- d-----w- c:\program files\VKLife
2009-12-21 14:28 . 2009-12-21 14:28 -------- d-----w- c:\program files\Microsoft.NET
2009-12-21 14:22 . 2008-04-15 12:00 64760 ----a-w- c:\windows\system32\perfc019.dat
2009-12-21 14:22 . 2008-04-15 12:00 421150 ----a-w- c:\windows\system32\perfh019.dat
2009-12-21 14:07 . 2009-12-21 14:07 -------- d-----w- c:\program files\AMD
2009-12-21 14:02 . 2009-12-21 14:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-21 14:02 . 2009-12-21 14:02 -------- d-----w- c:\program files\Yahoo!
2009-12-21 13:54 . 2009-12-21 13:54 -------- d-----w- c:\program files\microsoft frontpage
2009-12-21 13:54 . 2009-12-21 13:54 -------- d-----w- c:\program files\VistaDriveIcon
2009-12-21 13:54 . 2009-12-21 13:54 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-21 13:54 . 2009-12-21 13:53 -------- d-----w- c:\program files\Java
2009-12-21 13:53 . 2009-12-21 13:53 -------- d-----w- c:\program files\Common Files\Java
2009-12-21 13:51 . 2009-12-21 13:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-21 13:48 . 2009-12-21 13:48 22564 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-21 13:47 . 2009-12-21 13:47 -------- d-----w- c:\program files\System
2009-12-21 13:47 . 2009-12-21 13:47 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-11 18:00 . 2009-12-22 18:35 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-11-25 08:19 . 2009-12-21 14:45 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-06 15:54 . 2009-12-21 16:38 5922816 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-10-06 13:34 . 2009-12-21 16:38 18750976 ----a-w- c:\windows\RTHDCPL.EXE
2009-09-29 15:38 . 2009-12-21 15:38 352256 ----a-w- c:\windows\vncutil.exe
.
------- Sigcheck -------
[-] 2008-04-15 . EAEC6EA32BDABD7622371C10B8D68A17 . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-07-16 . EC5B872AC2BF6DEA91D1DE3E8B8289BF . 76632 . . [7.1.6001.65] . . c:\windows\system32\wuauclt.exe
[-] 2008-07-16 . 4378CDCD0EDB9BA360B44591B09A50E7 . 691200 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-07-16 . 047953A8B30891F5F8F0BF68ABFEA339 . 2286592 . . [5.1.2600.5586] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-07-16 . 371C41F777924F3EA3BFAD18C6A04502 . 584192 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-07-16 . FD5DD7FC4240E3DFFB0BBD40DBABF4B1 . 948224 . . [7.00.6000.20815] . . c:\windows\system32\wininet.dll
[-] 2008-07-16 . 5116FC3994DF129F40B9DDBCCC394195 . 1597952 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-07-16 . A20D3430A2FF4E619FE9FAA1D2FD2970 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2008-07-16 . 17A73D46CA1D681CEE05658A2F4419DA . 17408 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-07-16 . 9C8B91FF9F5CC6C6C17A1593255F46D3 . 2165248 . . [5.1.2600.5586] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21.12.2009 16:54 717296]
R1 uze5otcy;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uze5otcy.sys [22.12.2009 19:00 11264]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [21.12.2009 18:38 1684736]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
TCP: {5209C0EB-BC4A-4044-AE76-FCB63B2B6F2F} = 109.86.2.2,109.86.2.21
FF - ProfilePath - c:\documents and settings\Администратор\Application Data\Mozilla\Firefox\Profiles\4sxg4a6k.default\
FF - prefs.js: browser.search.selectedEngine - Google
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 16:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spnz.sys >>UNKNOWN [0x8A472938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf7496cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66aa
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xbaf12bb0
PacketIndicateHandler -> NDIS.sys @ 0xbaf01a0d
SendHandler -> NDIS.sys @ 0xbaf15b40
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\cscui.dll
- - - - - - - > 'explorer.exe'(640)
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_rus.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Opera\opera.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-12-23 16:40:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 13:40
Pre-Run: 12*106*149*888 байт свободно
Post-Run: 12*130*439*168 байт свободно
- - End Of File - - AD441557829FA26D59A76A89AEB4F41C
Last edited by Drongo, 23-12-2009 at 19:44.
Reason: Hiding the text...
Posted: 18:11, 23-12-2009 | #27