ComboFix 10-02-16.02 - Intel 17.02.2010 11:07:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1049.18.894.469 [GMT 3:00]
Running from: c:\documents and settings\Intel\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Intel\Рабочий стол\WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: avast! antivirus 4.8.1368 [VPS 100216-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Документы\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\Образцы музыки\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\My Playlists\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\Sample Playlists\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\Sample Playlists\000C7600\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\Sync Playlists\_desktop.ini
c:\documents and settings\All Users\Документы\Моя музыка\Sync Playlists\2093FD1\_desktop.ini
c:\documents and settings\All Users\Документы\Мои рисунки\_desktop.ini
c:\documents and settings\All Users\Документы\Мои рисунки\Образцы рисунков\_desktop.ini
c:\documents and settings\All Users\Документы\Мои видеозаписи\_desktop.ini
c:\documents and settings\All Users\Документы\AlawarWrapper\_desktop.ini
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-0538374734-8259984524-027024184-0284
c:\recycler\S-1-5-21-1312658802-0535847120-210211992-1741
c:\recycler\S-1-5-21-5169348177-0554831416-391056225-5856
c:\recycler\S-1-5-21-5813815612-5113466532-863328442-6487
c:\windows\system32\blat.exe
c:\windows\system32\ieuinit.inf
----- BITS: Possible infected sites -----
hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_R_SERVER
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.
2010-02-17 05:48 . 2010-02-17 05:48 -------- d-----w- C:\rsit
2010-02-16 17:03 . 2010-02-16 17:03 -------- d-----w- c:\documents and settings\Администратор\DoctorWeb
2010-02-16 16:18 . 2010-02-16 16:18 396 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B77536FE5FC05684B916823B52D0A671.dll
2010-02-16 16:18 . 2010-02-16 16:18 1429 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A07FA7ABB18FFE04298647A1D73E6D80.dll
2010-02-16 11:34 . 2010-02-16 11:34 -------- d-----w- c:\program files\Trend Micro
2010-02-16 11:16 . 2010-02-16 11:16 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-12 06:57 . 2010-02-12 07:01 -------- d-----w- c:\program files\TweakNow RegCleaner
2010-02-12 06:57 . 2010-02-12 06:57 -------- d-----w- c:\documents and settings\Intel\Application Data\TweakNow RegCleaner
2010-02-11 12:01 . 2010-02-16 15:33 -------- d-----w- c:\documents and settings\Intel\Application Data\Online Solutions
2010-02-11 11:08 . 2010-02-11 11:08 -------- d-----w- c:\program files\Online Solutions
2010-02-11 11:08 . 2010-02-11 11:08 -------- d-----w- c:\program files\Common Files\Online Solutions Shared
2010-02-11 09:28 . 2010-02-11 09:28 -------- d-----w- c:\program files\PIC
2010-02-11 09:28 . 2005-04-26 07:43 4654 ----a-w- c:\windows\big.reg
2010-02-11 09:28 . 2005-04-26 07:41 4654 ----a-w- c:\windows\small.reg
2010-02-11 07:58 . 2010-02-11 07:58 -------- d-----w- C:\UDC Output Files
2010-02-11 07:32 . 2010-02-11 07:32 -------- d-----w- c:\documents and settings\Intel\Application Data\CPUControl
2010-02-11 07:32 . 2010-02-11 07:32 -------- d-----w- c:\program files\CPU-Control
2010-02-11 05:53 . 2010-02-11 05:53 -------- d-----w- c:\windows\system32\SISComp
2010-02-11 05:53 . 2000-08-23 22:19 4300 ----a-w- c:\windows\system32\MEMIO.SYS
2010-02-10 08:51 . 2010-01-28 08:52 10588 ----a-r- c:\windows\system32\drivers\mpfilt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 08:12 . 2007-09-02 04:38 -------- d-----w- c:\program files\SuperCopier2
2010-02-17 07:39 . 2008-12-16 11:47 -------- d-----w- c:\documents and settings\Intel\Application Data\uTorrent
2010-02-16 16:19 . 2010-02-11 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-16 13:33 . 2004-08-18 12:00 65160 ----a-w- c:\windows\system32\perfc019.dat
2010-02-16 13:33 . 2004-08-18 12:00 421696 ----a-w- c:\windows\system32\perfh019.dat
2010-02-12 07:10 . 2007-09-02 05:02 62808 ----a-w- c:\documents and settings\Intel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 14:09 . 2007-09-02 04:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-11 14:08 . 2008-11-16 17:23 -------- d-----w- c:\program files\Samsung
2010-02-11 13:44 . 2008-12-14 18:40 -------- d-----w- c:\program files\QIP
2010-02-11 12:53 . 2009-01-03 13:45 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-11 07:18 . 2009-01-24 17:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-11 07:16 . 2009-10-14 11:27 -------- d-----w- c:\program files\MTS Connect Manager
2010-02-10 10:24 . 2007-09-02 06:09 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-19 18:17 . 2009-12-19 18:17 -------- d-----w- c:\program files\IKEA HomePlanner
2009-12-19 18:17 . 2009-12-19 18:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-24 23:54 . 2009-04-02 21:45 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-02 21:46 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-02 21:46 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-02 21:46 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-02 21:46 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-02 21:46 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-02 21:46 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-02 21:46 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-02 21:46 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-26 16:17 . 2009-07-26 16:17 3686400 -c--a-w- c:\program files\Samsung New PC Studio USB Driver Installer.msi
2009-07-26 16:17 . 2009-07-26 16:17 96256 -c--a-w- c:\program files\1049.MST
2009-07-26 16:17 . 2009-07-26 16:17 14468 -c--a-w- c:\program files\0x0419.ini
2009-03-21 09:03 . 2009-03-21 09:03 3561329 -c--a-w- c:\program files\DAEMON Tools Lite.rar
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2003-11-12 207872]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-04-02 102400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 110592]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2006-04-25 2764800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
BTTray.lnk - c:\program files\WIDCOMM\Программное обеспечение Bluetooth\BTTray.exe [2004-11-29 569405]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-12-12 09:50 88204 ----a-w- c:\windows\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVStation Premium 3.75]
2006-12-15 15:16 159744 ----a-w- c:\program files\Samsung\AVStation Premium 3.75\AVSAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BatteryManager]
2006-04-25 11:05 2764800 ----a-w- c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 13:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayManager]
2006-05-03 16:22 413696 ----a-w- c:\program files\Samsung\DisplayManager\DisplayManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMHotKey]
2005-11-23 08:18 356352 ----a-w- c:\program files\Samsung\DisplayManager\DMLoader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
2009-07-31 06:46 24870912 ----a-w- c:\program files\CounterPath\eyeBeam 1.5\eyeBeam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 09:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 13:42 32768 ----a-w- c:\program files\PowerDVD\PDVDServ.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\uTorrent [tfile.ru]\\utorrent.exe"=
"c:\\Program Files\\CounterPath\\eyeBeam 1.5\\eyeBeam.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2463:TCP"= 2463:TCP:azwtk
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03.01.2009 16:39 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03.04.2009 0:46 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03.04.2009 0:46 20560]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11.02.2010 8:53 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [29.03.2006 10:59 27648]
R3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [16.11.2008 20:39 470112]
S3 C7xxUSB;Samsung CMC7xx USB Network Driver;c:\windows\system32\DRIVERS\C7xUSBX3.sys --> c:\windows\system32\DRIVERS\C7xUSBX3.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [26.07.2009 21:09 36608]
S3 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [26.07.2009 21:09 233472]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [26.07.2009 21:09 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [26.07.2009 21:09 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [26.07.2009 21:09 121856]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\Intel\Рабочий стол\Samsung\RealTemp_340\WinRing0.sys [11.02.2010 9:43 14416]
S4 gfhfoal;gfhfoal; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Отправить через &Bluetooth - c:\program files\WIDCOMM\Программное обеспечение Bluetooth\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Intel\Application Data\Mozilla\Firefox\Profiles\6q9apw3x.default\
FF - prefs.js: browser.search.selectedEngine - Яндекс
FF - prefs.js: browser.startup.homepage - hxxp://www.rambler.ru/ri6
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-YotaAccess_U200 - c:\program files\Samsung Electronics\mWiMAX U200\YotaAccess.exe
AddRemove-dreams - c:\игры от nevosoft\Dreams\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-02-17 11:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85B691F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77e2fc3
\Driver\ACPI -> ACPI.sys @ 0xf761dcb8
\Driver\atapi -> 0x85b691f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a2656
ParseProcedure -> ntoskrnl.exe @ 0x8057950f
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a2656
ParseProcedure -> ntoskrnl.exe @ 0x8057950f
NDIS: Atheros Wireless Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf748bbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7479a0b
SendHandler -> NDIS.sys @ 0xf748db31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Intel\LOCALS~1\Temp\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1564)
c:\program files\SuperCopier2\SC2Hook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Программное обеспечение Bluetooth\bin\btwdins.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\WIDCOMM\Программное обеспечение Bluetooth\BTTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-17 11:15:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-17 08:15
Pre-Run: 8 754 458 624 байт свободно
Post-Run: 8 669 118 464 байт свободно
WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect
Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - D891E9086315233D73178D7B8A06DAFD