Scanned with Hijack This
- This topic has 34 replies, 2 participants, and was last updated 16 years, 1 month ago by Admin.
9 November 2008 at 7:51 pm #15893
I scanned with Hijack This v2.0.2, as you advised. I can't work out which files to delete. Please help. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:27, on 09.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesEsetnod32krn.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSRTHDCPL.EXE
C:Program FilesAmlMapleAmlMaple.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:Program FilesEsetnod32kui.exe
C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesVistaDriveIconVistaDrv.exe
C:Program FilesDownload Masterdmaster.exe
C:Documents and SettingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe
C:Program FilesCommon FilesAheadLibNMBgMonitor.exe
C:Program FilesCommon FilesYandexYupdateyupdate.exe
C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesИгры от NevoSoftNevoDRMrun.exe
C:client windowsclient.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.nevosoft.ru
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = http://www.kornet.ru/
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:Program FilesHPSmart Web Printinghpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:Program FilesHPSmart Web Printinghpswp_framework.dll
O2 - BHO: wljlibP - {0696F721-79BC-455A-970C-28B97FC1F9EE} - C:WINDOWSsystem32wljlib.dll (file missing)
O2 - BHO: arylibP - {27A21DF4-318D-4F98-8668-AF04DFBB5B4C} - C:WINDOWSsystem32arylib.dll (file missing)
O2 - BHO: amylibP - {29B981AD-1CE1-42A4-84B1-EF7781BF4326} - C:WINDOWSsystem32amylib.dll (file missing)
O2 - BHO: dtjlibP - {55E0286E-1193-4B77-B3F5-BFB6846113C5} - C:WINDOWSsystem32dtjlib.dll (file missing)
O2 - BHO: WebaltaBHO Object - {6C3BDD12-4B6F-44F1-87CB-4D94E1ED38A5} - C:PROGRA~1WebaltaWEBALT~2.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_06binssv.dll
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:PROGRA~1DOWNLO~1dmiehlp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:Documents and SettingsAdminGooglegoogletoolbar1.dll
O2 - BHO: kfclibP - {B006887D-E351-4D64-8C77-8BBFC5B8E325} - C:WINDOWSsystem32kfclib.dll (file missing)
O2 - BHO: tpilibP - {EBD8D326-CFE2-4FDE-9F1B-C44696D16D5C} - C:WINDOWSsystem32tpilib.dll (file missing)
O2 - BHO: pjzlibP - {ED04A368-E90F-43CF-BB44-6490F1C294E6} - C:Documents and SettingsAdminРабочий столupdater_15_52942131pjzlib.dll (file missing)
O2 - BHO: gqalibP - {F6AC332A-0B72-4E32-A255-42957CB1EC0C} - C:WINDOWSsystem32gqalib.dll (file missing)
O2 - BHO: qoylibP - {FC421820-FF29-4EBB-800F-59A7B3BBB00C} - C:WINDOWSsystem32qoylib.dll (file missing)
O2 - BHO: MyCentria Internet Mate v2.2 - {FFFC57DB-1DE3-4303-B24D-CEE6DCDD3D86} - C:PROGRA~1MYCENT~1InfoBarMYCENT~1.DLL
O3 - Toolbar: &Webalta toolbar - {D4C56A33-3488-495B-8033-9BF834E276D8} - C:PROGRA~1WebaltaWEBALT~1.DLL
O3 - Toolbar: Яндекс.Бар - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:Program FilesYandexYandexBarIEyndbar.dll
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..Run: [AmlMaple] C:Program FilesAmlMapleAmlMaple.exe
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [nod32kui] "C:Program FilesEsetnod32kui.exe" /WAITSERVICE
O4 - HKLM..Run: [Outpost Firewall] C:Program FilesAgnitumOutpost Firewalloutpost.exe /waitservice
O4 - HKLM..Run: [OutpostFeedBack] C:Program FilesAgnitumOutpost Firewallfeedback.exe /dump:os_startup
O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [Google Desktop Search] "C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe" /startup
O4 - HKLM..Run: [NevoDRM] "C:Program FilesИгры от NevoSoftNevoDRMNevoDRM.exe"
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [VistaIcon] C:Program FilesVistaDriveIconVistaDrv.exe
O4 - HKCU..Run: [Tok-Cirrhatus] "C:Documents and SettingsAdminLocal SettingsApplication Datasmss.exe"
O4 - HKCU..Run: [Download Master] C:Program FilesDownload Masterdmaster.exe -autorun
O4 - HKCU..Run: [Google Update] "C:Documents and SettingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadLibNMBgMonitor.exe"
O4 - HKCU..Run: [Yupdate!] "C:Program FilesCommon FilesYandexYupdateyupdate.exe"
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [VistaIcon] C:Program FilesVistaDriveIconVistaDrv.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [IE7_012] rundll32 advpack.dll,LaunchINFSectionEx IE7int.inf,AfterUserStart,,4,N (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [ZZZZ1_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,OnceFirstLogonInstall,0 (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [ZZZZ2_FirstLogonSetting] %SystemRoot%System32rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFcustom.inf,NewUserFirstLogonInstall,0 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O8 - Extra context menu item: Webalta - Добавить в Анти-Баннер - C:Program FilesWebaltaextentionsWebalta_antiban.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:Program FilesDownload Masterdmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:Program FilesDownload Masterdmie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra button: Быстрая настройка Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:Program FilesAgnitumOutpost FirewallPluginsBrowserBarie_bar.dll
O9 - Extra button: Альбом клипов HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 - Extra button: Расширенный выбор HP - {700259D7-1666-479a-93B1-3250410481E8} - C:Program FilesHPSmart Web Printinghpswp_extensions.dll
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Program FilesDownload Masterdmaster.exe
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Program FilesDownload Masterdmaster.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O17 - HKLMSystemCCSServicesTcpip..{2729C846-E804-4E23-AEF5-82B14538E173}: NameServer = 195.230.99.6
O20 - AppInit_DLLs: C:PROGRA~1AgnitumOUTPOS~1wl_hook.dll C:PROGRA~1GoogleGOOGLE~1GOEC62~1.DLL
O20 - Winlogon Notify: crypt - C:WINDOWSSYSTEM32crypts.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:WINDOWSsystem32services.exe
O23 - Service: Диспетчер Google Desktop 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:WINDOWSsystem32imapi.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEsetnod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:Program FilesAgnitumOutpost Firewalloutpost.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:WINDOWSsystem32services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:WINDOWSsystem32sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:WINDOWSSystem32SCardSvr.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:WINDOWSsystem32smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:WINDOWSSystem32vssvc.exe
O23 - Service: Webalta Controller (WebaltaController) - Unknown owner - C:Program FilesWebaltaWebaltaUpdaterService.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:WINDOWSsystem32wbemwmiapsrv.exe

--
End of file - 11443 bytes

P.S. I use Mozilla Firefox, so I think I don't need Internet Explorer.

10 November 2008 at 6:44 am #19665
Hello, and welcome to the Spyware-ru forum.
Please describe your problem in detail. Judging by the log, your computer is infected with a trojan that displays pop-up windows and with the trojan Troj/Agent-GJR.
Run HijackThis and click the Do a system scan only button.
Then tick the boxes (on the left) next to the following lines:

O2 - BHO: wljlibP - {0696F721-79BC-455A-970C-28B97FC1F9EE} - C:WINDOWSsystem32wljlib.dll (file missing)
O2 - BHO: arylibP - {27A21DF4-318D-4F98-8668-AF04DFBB5B4C} - C:WINDOWSsystem32arylib.dll (file missing)
O2 - BHO: amylibP - {29B981AD-1CE1-42A4-84B1-EF7781BF4326} - C:WINDOWSsystem32amylib.dll (file missing)
O2 - BHO: dtjlibP - {55E0286E-1193-4B77-B3F5-BFB6846113C5} - C:WINDOWSsystem32dtjlib.dll (file missing)
O2 - BHO: kfclibP - {B006887D-E351-4D64-8C77-8BBFC5B8E325} - C:WINDOWSsystem32kfclib.dll (file missing)
O2 - BHO: tpilibP - {EBD8D326-CFE2-4FDE-9F1B-C44696D16D5C} - C:WINDOWSsystem32tpilib.dll (file missing)
O2 - BHO: pjzlibP - {ED04A368-E90F-43CF-BB44-6490F1C294E6} - C:Documents and SettingsAdminРабочий столupdater_15_52942131pjzlib.dll (file missing)
O2 - BHO: gqalibP - {F6AC332A-0B72-4E32-A255-42957CB1EC0C} - C:WINDOWSsystem32gqalib.dll (file missing)
O2 - BHO: qoylibP - {FC421820-FF29-4EBB-800F-59A7B3BBB00C} - C:WINDOWSsystem32qoylib.dll (file missing)
O2 - BHO: MyCentria Internet Mate v2.2 - {FFFC57DB-1DE3-4303-B24D-CEE6DCDD3D86} - C:PROGRA~1MYCENT~1InfoBarMYCENT~1.DLL
O4 - HKCU..Run: [Tok-Cirrhatus] "C:Documents and SettingsAdminLocal SettingsApplication Datasmss.exe"
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:WINDOWSSYSTEM32crypts.dll

Click the Fix checked button and confirm by choosing YES.
Close HijackThis and restart the computer.
Download Combofix. Close all open windows and run the program.
When it finishes, a log file will be created; please paste it into your reply.

10 November 2008 at 7:13 pm #19666
I did everything as you recommended in your message:

ComboFix 08-11-09.04 - Admin 2008-11-10 20:17:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1290 [GMT 2:00]
Running from: c:documents and settingsAdminРабочий столComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:docume~1AdminLOCALS~1Tempinstall_flash_player.exe
c:documents and settingsAdminLocal SettingsTemporary Internet Files0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files15913497_F86C_4218_8817_F50940D1E1B2.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files2A665EDD_5758_480c_8366_66DFC5F23877.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files362FD6E8_8CDA_4c2a_A8AA-BDA22B321711.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files3DF04940_9866_4241_A998_0CDDFAFD147A.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files426500D7_0FF3_426c_828D_065DBAEA0581.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files61EA7D69_19D4_421a_A899_0DF4D58CD119.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files61EA7D69_19D4_421a_A899_0DF4D58CD119.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet Files777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.gif
c:documents and settingsAdminLocal SettingsTemporary Internet Files8DA878D5_E80B_4721_B75A_17EFFAF1A700.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesA2B240D6_0386_419e_91C5_3F7D90437CD0.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet FilesC75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesC75CEF8D_5AF4_4563_8594_C45A45E14E63.jpg
c:documents and settingsAdminLocal SettingsTemporary Internet FilesE21285C1_40E6_435c_A69F_3387E7BD89CB.gif
c:documents and settingsAdminLocal SettingsTemporary Internet FilesE9A4D648_ED73_4ea7_88B2_18332DBA4F3E.jpg
c:program filesGooglegoogletoolbar1.dll
c:windowssystem32AutoRun.inf
c:windowssystem32crypts.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_VFILT
Service_VFILT

((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-09 21:15 . 2008-11-09 21:15 d c:program filesTrend Micro
2008-11-09 20:53 . 2008-11-09 20:47 102,664 —a c:windowssystem32driverstmcomm.sys
2008-11-09 20:46 . 2008-11-09 20:55 d c:documents and settingsAdmin.housecall6.6
2008-11-09 10:31 . 2008-11-09 13:02 632 —a C:settings.dat
2008-11-08 21:26 . 2008-11-08 21:26 d c:documents and settingsAdminApplication DataBeezzle
2008-11-08 20:56 . 2008-11-08 20:56 d c:documents and settingsAdminApplication DataBeachPartyCraze
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesCommon FilesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:documents and settingsAdminApplication DataYandex
2008-11-08 04:38 . 2008-11-08 04:50 d c:documents and settingsAdminApplication DataLegends of pirates
2008-11-02 17:49 . 2008-11-02 17:49 d c:program filesNevoSoft
2008-11-02 17:39 . 2008-11-08 22:09 d c:program filesWebalta
2008-11-02 17:39 . 2008-11-02 17:39 d c:documents and settingsAdminApplication DataWebalta
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataTemp App Data
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataMagic Academy
2008-11-01 23:32 . 2008-11-01 23:32 d c:documents and settingsAll UsersApplication DataChristmasville
2008-11-01 20:49 . 2008-11-08 22:13 d c:program filesИгры от NevoSoft
2008-11-01 17:44 . 2008-11-01 17:44 d c:documents and settingsAll UsersApplication DataAstar Games
2008-11-01 12:44 . 2008-11-01 12:44 d c:program filesMyCentria
2008-10-26 21:27 . 2008-10-26 21:27 d c:documents and settingsAdminApplication DataQIP
2008-10-20 18:13 . 2008-10-20 18:13 d c:program filesNero
2008-10-20 18:13 . 2008-10-20 18:15 d c:program filesCommon FilesAhead
2008-10-20 18:07 . 2008-10-20 18:08 d c:tempNero-7.2.0.3b_rus_no_yt
2008-10-20 18:07 . 2008-10-20 18:07 d C:temp
2008-10-20 17:38 . 2008-10-20 20:59 d C:Downloads
2008-10-18 11:29 . 2008-10-18 11:29 d c:documents and settingsAll UsersApplication DataSandlot Games
2008-10-18 09:15 . 2008-10-18 09:15 d c:documents and settingsAll UsersApplication DataPlayFirst
2008-10-18 09:15 . 2008-10-18 09:15 d c:documents and settingsAdminApplication DataPlayFirst
2008-10-14 18:53 . 2008-10-14 18:53 d c:documents and settingsAdminApplication DataWindows Search
2008-10-14 18:48 . 2008-10-14 18:48 d c:windowssystem32GroupPolicy
2008-10-14 18:48 . 2008-10-14 18:48 d c:program filesWindows Desktop Search
2008-10-14 18:48 . 2007-09-27 10:48 23,856 —a c:windowssystem32spupdsvc.exe
2008-10-13 22:28 . 2008-11-02 00:32 d c:documents and settingsAdminGoogle
2008-10-13 22:27 . 2008-11-10 20:18 d c:program filesGoogle
2008-10-11 22:07 . 2008-10-11 22:07 d c:documents and settingsAdminApplication DataMy Games
2008-10-11 21:07 . 2008-10-11 21:07 d c:documents and settingsAll UsersApplication DataNevoSoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 20:20 d w c:program filesИгры
2008-11-08 19:26 d w c:documents and settingsAll UsersApplication DataAlawarWrapper
2008-11-08 14:00 d w c:program filesAlawar.ru
2008-11-06 23:01 d w c:program filesESET
2008-11-06 22:48 d w c:documents and settingsAdminApplication DataSkype
2008-11-06 17:49 d w c:program filesAIMP2
2008-10-29 17:40 d w c:program filesFreeGamePick.com
2008-10-23 13:41 d w c:documents and settingsAdminApplication DataAhead
2008-10-20 16:06 d w c:program filesAhead
2008-10-14 16:51 d w c:documents and settingsAll UsersApplication DataMicrosoft Help
2008-10-09 15:44 d w c:program filesMyRealGames.com
2008-10-08 09:07 d w c:documents and settingsAll UsersApplication DataAlawar Stargaze
2008-10-06 19:34 d w c:program filesAskTBar
2008-10-05 05:59 d w c:documents and settingsAll UsersApplication DataВеселаяФерма2
2008-10-02 09:39 d w c:program filesThe KMPlayer
2008-09-28 11:33 d w c:documents and settingsAdminApplication Datacerasus.media
2008-09-27 10:47 d w c:documents and settingsAll UsersApplication DataEgoset
2008-09-26 17:43 d w c:documents and settingsAdminApplication DataHPAppData
2008-09-25 13:58 d w c:documents and settingsAdminApplication DataHP
2008-09-25 12:04 360,960 —-a-w c:windowssystem32pjzlib.dll
2008-09-23 10:50 d w c:program filesTotal Commander
2008-09-23 10:02 d w c:program filesCommon FilesAgnitum Shared
2008-09-23 10:02 d w c:program filesAgnitum
2008-09-23 09:54 d w c:documents and settingsAdminApplication DataMedia Player Classic
2008-09-23 09:50 d w c:program filesDownload Master
2008-09-23 09:49 d w c:program filesWindows Sidebar
2008-09-23 09:49 d w c:program filesVista Games
2008-09-23 09:48 d w c:program filesSkype
2008-09-23 09:48 d w c:program filesQIP Infium
2008-09-23 09:47 d w c:program filesK-Lite Codec Pack
2008-09-23 09:47 d w c:program filesCommon FilesInstallShield
2008-09-23 09:47 d w c:program filesCommon FilesArsenal Shared
2008-09-23 09:47 d w c:program filesArsenal Company
2008-09-23 09:41 d w c:program filesMicrosoft.NET
2008-09-23 09:41 d w c:program filesMicrosoft Works
2008-09-23 09:38 d w c:program filesFoxit Reader
2008-09-23 09:29 502,208 —-a-w c:windowssystem32driversamon.sys
2008-09-23 09:29 270,336 —-a-w c:windowssystem32imon.dll
2008-09-23 09:27 d w c:program filesmicrosoft frontpage
2008-09-23 09:26 717,296 —-a-w c:windowssystem32driverssptd.sys
2008-09-23 09:26 d w c:program filesVistaDriveIcon
2008-09-23 09:26 d w c:program filesJava
2008-09-23 09:26 d w c:program filesCommon FilesJava
2008-09-23 09:23 d—a-w c:program filesAmlMaple
2008-09-23 09:23 d w c:documents and settingsAll UsersApplication DataWEBREG
2008-09-23 09:22 d w c:documents and settingsAll UsersApplication DataHewlett-Packard
2008-09-23 09:20 d w c:program filesHP
2008-09-23 09:20 d w c:documents and settingsAll UsersApplication DataHPSSUPPLY
2008-09-23 09:19 d w c:program filesHewlett-Packard
2008-09-23 09:19 d w c:program filesCommon FilesHP
2008-09-23 09:19 d w c:program filesCommon FilesHewlett-Packard
2008-09-23 09:19 d w c:documents and settingsAll UsersApplication DataHP Product Assistant
2008-09-23 09:19 d w c:documents and settingsAll UsersApplication DataHP
2008-09-23 09:18 d w c:program filesWindows Media Connect 2
2008-09-23 09:18 d w c:program filesPaint.NET
2008-09-23 09:14 d—h—w c:program filesInstallShield Installation Information
2008-09-23 09:14 d w c:program filesAtheros WLAN Client
2008-09-23 09:14 d w c:documents and settingsAll UsersApplication DataWLAN
2008-09-23 09:14 d w c:documents and settingsAdminApplication DataInstallShield
.
Sigcheck
2008-05-20 17:54 579072 23b7d3f3f5ec8feea75ec381c71cbd5e c:windowssystem32user32.dll
2008-05-20 17:54 952320 7a737e1453d01ff94801272f13497362 c:windowssystem32wininet.dll
2008-05-20 17:52 361344 030dc4d48cc2b894fee2f390d8e66ad5 c:windowssystem32driverstcpip.sys
2008-05-20 17:53 1721344 dc5d73a9809b66026231a9d49de6987f c:windowsexplorer.exe
2008-05-20 17:53 30208 ae0db25ee10900c73d923ad5880564cf c:windowssystem32ctfmon.exe
2008-05-20 17:55 80216 5f38b1b965527c6f5c30dedab0ab0550 c:windowssystem32wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~Browser Helper Objects{6C3BDD12-4B6F-44F1-87CB-4D94E1ED38A5}]
2008-10-14 15:49 736256 —a c:progra~1WebaltaWEBALT~2.DLL

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
"{D4C56A33-3488-495B-8033-9BF834E276D8}"= "c:progra~1WebaltaWEBALT~1.DLL" [2008-10-14 1691136]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:program filesYandexYandexBarIEyndbar.dll" [2008-06-02 1553672]

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:program filesYandexYandexBarIEyndbar.dll" [2008-06-02 1553672]

[HKEY_CLASSES_ROOTclsid{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOTYandex.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOTYandex.Toolbar]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32ctfmon.exe" [2008-05-20 30208]
"VistaIcon"="c:program filesVistaDriveIconVistaDrv.exe" [2008-01-02 132096]
"Download Master"="c:program filesDownload Masterdmaster.exe" [2008-01-26 3266560]
"Google Update"="c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" [2008-10-20 133104]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:program filesCommon FilesAheadLibNMBgMonitor.exe" [2006-04-21 94208]
"Yupdate!"="c:program filesCommon FilesYandexYupdateyupdate.exe" [2008-05-30 460040]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"AmlMaple"="c:program filesAmlMapleAmlMaple.exe" [2008-04-24 91648]
"HP Software Update"="c:program filesHPHP Software UpdateHPWuSchd2.exe" [2007-03-11 49152]
"nod32kui"="c:program filesEsetnod32kui.exe" [2008-09-23 917504]
"Outpost Firewall"="c:program filesAgnitumOutpost Firewalloutpost.exe" [2006-02-13 91648]
"OutpostFeedBack"="c:program filesAgnitumOutpost Firewallfeedback.exe" [2006-02-14 352324]
"NeroFilterCheck"="c:program filesCommon FilesAheadLibNeroCheck.exe" [2006-01-12 155648]
"Google Desktop Search"="c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe" [2008-11-07 30192]
"NevoDRM"="c:program filesИгры от NevoSoftNevoDRMNevoDRM.exe" [2008-07-29 201728]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:windowsRTHDCPL.EXE]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32CTFMON.EXE" [2008-05-20 30208]
"VistaIcon"="c:program filesVistaDriveIconVistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2008-05-20 c:windowssystem32advpack.dll]
"IE7_012"="advpack.dll" [2008-05-20 c:windowssystem32advpack.dll]

c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
HP Digital Imaging Monitor.lnk - c:program filesHPDigital Imagingbinhpqtra08.exe [11.03.2007 19:26:24 210520]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

S2 WebaltaController;Webalta Controller;c:program filesWebaltaWebaltaUpdaterService.exe [2008-10-14 86528]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:program filesAgnitumOutpost FirewallkernelADBLOCK.DLL [2006-02-13 33600]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:program filesAgnitumOutpost FirewallkernelARP.DLL [2006-02-13 17440]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:program filesAgnitumOutpost FirewallkernelCONTENT.DLL [2006-02-13 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:program filesAgnitumOutpost FirewallkernelDNSCACHE.DLL [2006-02-13 14304]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelFTPFILT.DLL [2006-02-13 9024]
S3 GoogleDesktopManager-092308-165331;Диспетчер Google Desktop 5.8.809.23506;c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe [2008-11-07 30192]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:program filesAgnitumOutpost FirewallkernelHTMLFILT.DLL [2006-02-13 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelHTTPFILT.DLL [2006-02-13 13248]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelIMAPFILT.DLL [2006-02-13 7200]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:program filesAgnitumOutpost FirewallkernelMAILFILT.DLL [2006-02-13 14912]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelNNTPFILT.DLL [2006-02-13 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:program filesAgnitumOutpost FirewallkernelPOP3FILT.DLL [2006-02-13 9984]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:program filesAgnitumOutpost FirewallkernelPROTECT.DLL [2006-02-13 16960]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:program filesAgnitumOutpost FirewallkernelSECRET.DLL [2006-02-13 9696]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - WUAUSERV

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled componentsWindows Sidebar]
c:windowssystem32hidec /W c:program filesWindows SidebarVAIOToolsREGTLIB.EXE "c:program filesWindows Sidebarsidebar.exe"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:program filesWindows Sidebar.regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:program filesWindows Sidebar.regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:program filesWindows SidebarVAIO.vshellext.dll
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:windowsTasksGoogleUpdateTaskUser.job
- c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-10-20 17:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0696F721-79BC-455A-970C-28B97FC1F9EE} - c:windowssystem32wljlib.dll
BHO-{27A21DF4-318D-4F98-8668-AF04DFBB5B4C} - c:windowssystem32arylib.dll
BHO-{55E0286E-1193-4B77-B3F5-BFB6846113C5} - c:windowssystem32dtjlib.dll
BHO-{B006887D-E351-4D64-8C77-8BBFC5B8E325} - c:windowssystem32kfclib.dll
BHO-{EBD8D326-CFE2-4FDE-9F1B-C44696D16D5C} - c:windowssystem32tpilib.dll
BHO-{ED04A368-E90F-43CF-BB44-6490F1C294E6} - c:documents and settingsAdminРабочий столupdater_15_52942131pjzlib.dll
BHO-{F6AC332A-0B72-4E32-A255-42957CB1EC0C} - c:windowssystem32gqalib.dll
BHO-{FC421820-FF29-4EBB-800F-59A7B3BBB00C} - c:windowssystem32qoylib.dll
.
Supplementary Scan
.
FireFox -: Profile — c:documents and settingsAdminApplication DataMozillaFirefoxProfiles4gnh65qv.default
FF -: plugin — c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdate1.2.131.25npGoogleOneClick6.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnppl3260.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 20:20:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: c:windowssystem32lsass.exe
-> c:program filesEsetpr_imon.dll
.
Other Running Processes
.
c:windowssystem32ati2evxx.exe
c:windowssystem32ati2evxx.exe
c:program filesESETnod32krn.exe
c:program filesc:program filesHPDigital Imagingbinhpqste08.exe
.
**************************************************************************
.
Completion time: 2008-11-10 20:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 18:22:56

Pre-Run: 16 634 396 672 байт свободно
Post-Run: 18,189,115,392 байт свободно

281
November 11, 2008 at 3:18 am #19667
The Combofix log looks normal. Has your problem been resolved?
November 11, 2008 at 5:42 pm #19668
The problem is not resolved at all. Pop-up windows with porn ads and Grand Casino (sorry for not mentioning this in my earlier messages) keep appearing while I work on the internet, just as before. As for the trojan in the on-screen menu (some file called ZENKOREA), NOD32 has not reported it yet. Please tell me what to do. I have not yet removed the Hijack This and Combofix programs. Sorry for being persistent. I'm just worried that if something happens to the computer, I won't survive it!
November 11, 2008 at 11:06 pm #19669
Which browser does your problem show up in? Firefox or InternetExplorer, or both?
November 12, 2008 at 4:52 pm #19670
In both. But since I use Firefox all the time, the problem bothers me more there.
November 13, 2008 at 2:44 pm #19671
Do the pop-up windows appear only in browsers?
That is, start the computer but do not open a browser. Do the windows appear on their own?
Please attach a fresh Combofix log.
November 13, 2008 at 7:02 pm #19672
The pop-up windows appear only in browsers! On their own, when I am working offline, they do not show up at all. Oh, and one more thing! The day before yesterday (already after the first Combofix scan) I ran a deep scan of drives C and D for viruses with NOD32. Outpost Firewall Pro was infected and the antivirus removed it. Can I download it from the internet? Or do I, say, not need it at all? I am attaching the new Combofix scan log:
ComboFix 08-11-12.01 — Admin 2008-11-13 20:35:44.3 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1258 [GMT 2:00]
Running from: c:documents and settingsAdminРабочий столComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.
2008-11-13 13:56 . 2008-11-13 13:56 d c:documents and settingsAdminApplication DataGames
2008-11-13 12:57 . 2008-11-13 12:57 d c:documents and settingsAll UsersApplication DataFriday’s games
2008-11-09 21:15 . 2008-11-09 21:15 d c:program filesTrend Micro
2008-11-09 20:53 . 2008-11-09 20:47 102,664 —a c:windowssystem32driverstmcomm.sys
2008-11-09 20:46 . 2008-11-09 20:55 d c:documents and settingsAdmin.housecall6.6
2008-11-09 10:31 . 2008-11-13 11:18 632 —a C:settings.dat
2008-11-08 21:26 . 2008-11-08 21:26 d c:documents and settingsAdminApplication DataBeezzle
2008-11-08 20:56 . 2008-11-08 20:56 d c:documents and settingsAdminApplication DataBeachPartyCraze
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesCommon FilesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:documents and settingsAdminApplication DataYandex
2008-11-08 04:38 . 2008-11-08 04:50 d c:documents and settingsAdminApplication DataLegends of pirates
2008-11-02 17:49 . 2008-11-02 17:49 d c:program filesNevoSoft
2008-11-02 17:39 . 2008-11-08 22:09 d c:program filesWebalta
2008-11-02 17:39 . 2008-11-02 17:39 d c:documents and settingsAdminApplication DataWebalta
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataTemp App Data
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataMagic Academy
2008-11-01 23:32 . 2008-11-01 23:32 d c:documents and settingsAll UsersApplication DataChristmasville
2008-11-01 20:49 . 2008-11-08 22:13 d c:program filesИгры от NevoSoft
2008-11-01 17:44 . 2008-11-01 17:44 d c:documents and settingsAll UsersApplication DataAstar Games
2008-11-01 12:44 . 2008-11-01 12:44 d c:program filesMyCentria
2008-10-26 21:27 . 2008-10-26 21:27 d c:documents and settingsAdminApplication DataQIP
2008-10-20 18:13 . 2008-10-20 18:13 d c:program filesNero
2008-10-20 18:13 . 2008-10-20 18:15 d c:program filesCommon FilesAhead
2008-10-20 18:07 . 2008-10-20 18:08 d c:tempNero-7.2.0.3b_rus_no_yt
2008-10-20 18:07 . 2008-10-20 18:07 d C:temp
2008-10-20 17:38 . 2008-10-20 20:59 d C:Downloads
2008-10-18 11:29 . 2008-10-18 11:29 d c:documents and settingsAll UsersApplication DataSandlot Games
2008-10-18 09:15 . 2008-10-18 09:15 d c:documents and settingsAll UsersApplication DataPlayFirst
2008-10-18 09:15 . 2008-10-18 09:15 d c:documents and settingsAdminApplication DataPlayFirst
2008-10-14 18:53 . 2008-10-14 18:53 d c:documents and settingsAdminApplication DataWindows Search
2008-10-14 18:48 . 2008-10-14 18:48 d c:windowssystem32GroupPolicy
2008-10-14 18:48 . 2008-10-14 18:48 d c:program filesWindows Desktop Search
2008-10-14 18:48 . 2007-09-27 10:48 23,856 —a c:windowssystem32spupdsvc.exe
2008-10-13 22:28 . 2008-11-10 21:52 d c:documents and settingsAdminGoogle
2008-10-13 22:27 . 2008-11-10 20:18 d c:program filesGoogle
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 11:50 d-----w c:program filesAlawar.ru
2008-11-11 21:18 d-----w c:documents and settingsAdminApplication DataSkype
2008-11-11 19:02 d-----w c:program filesAIMP2
2008-11-08 20:20 d-----w c:program filesИгры
2008-11-08 19:26 d-----w c:documents and settingsAll UsersApplication DataAlawarWrapper
2008-11-06 23:01 d-----w c:program filesESET
2008-10-29 17:40 d-----w c:program filesFreeGamePick.com
2008-10-23 13:41 d-----w c:documents and settingsAdminApplication DataAhead
2008-10-20 16:06 d-----w c:program filesAhead
2008-10-14 16:51 d-----w c:documents and settingsAll UsersApplication DataMicrosoft Help
2008-10-11 20:07 d-----w c:documents and settingsAdminApplication DataMy Games
2008-10-11 19:07 d-----w c:documents and settingsAll UsersApplication DataNevoSoft Games
2008-10-09 15:44 d-----w c:program filesMyRealGames.com
2008-10-08 09:07 d-----w c:documents and settingsAll UsersApplication DataAlawar Stargaze
2008-10-06 19:34 d-----w c:program filesAskTBar
2008-10-05 05:59 d-----w c:documents and settingsAll UsersApplication DataВеселаяФерма2
2008-10-02 09:39 d-----w c:program filesThe KMPlayer
2008-09-28 11:33 d-----w c:documents and settingsAdminApplication Datacerasus.media
2008-09-27 10:47 d-----w c:documents and settingsAll UsersApplication DataEgoset
2008-09-26 17:43 d-----w c:documents and settingsAdminApplication DataHPAppData
2008-09-25 13:58 d-----w c:documents and settingsAdminApplication DataHP
2008-09-23 10:50 d-----w c:program filesTotal Commander
2008-09-23 10:02 d-----w c:program filesCommon FilesAgnitum Shared
2008-09-23 10:02 d-----w c:program filesAgnitum
2008-09-23 09:54 d-----w c:documents and settingsAdminApplication DataMedia Player Classic
2008-09-23 09:50 d-----w c:program filesDownload Master
2008-09-23 09:49 d-----w c:program filesWindows Sidebar
2008-09-23 09:49 d-----w c:program filesVista Games
2008-09-23 09:48 d-----w c:program filesSkype
2008-09-23 09:48 d-----w c:program filesQIP Infium
2008-09-23 09:47 d-----w c:program filesK-Lite Codec Pack
2008-09-23 09:47 d-----w c:program filesCommon FilesInstallShield
2008-09-23 09:47 d-----w c:program filesCommon FilesArsenal Shared
2008-09-23 09:47 d-----w c:program filesArsenal Company
2008-09-23 09:41 d-----w c:program filesMicrosoft.NET
2008-09-23 09:41 d-----w c:program filesMicrosoft Works
2008-09-23 09:38 d-----w c:program filesFoxit Reader
2008-09-23 09:29 502,208 ----a-w c:windowssystem32driversamon.sys
2008-09-23 09:29 270,336 ----a-w c:windowssystem32imon.dll
2008-09-23 09:27 d-----w c:program filesmicrosoft frontpage
2008-09-23 09:26 717,296 ----a-w c:windowssystem32driverssptd.sys
2008-09-23 09:26 d-----w c:program filesVistaDriveIcon
2008-09-23 09:26 d-----w c:program filesJava
2008-09-23 09:26 d-----w c:program filesCommon FilesJava
2008-09-23 09:23 d---a-w c:program filesAmlMaple
2008-09-23 09:23 d-----w c:documents and settingsAll UsersApplication DataWEBREG
2008-09-23 09:22 d-----w c:documents and settingsAll UsersApplication DataHewlett-Packard
2008-09-23 09:20 d-----w c:program filesHP
2008-09-23 09:20 d-----w c:documents and settingsAll UsersApplication DataHPSSUPPLY
2008-09-23 09:19 d-----w c:program filesHewlett-Packard
2008-09-23 09:19 d-----w c:program filesCommon FilesHP
2008-09-23 09:19 d-----w c:program filesCommon FilesHewlett-Packard
2008-09-23 09:19 d-----w c:documents and settingsAll UsersApplication DataHP Product Assistant
2008-09-23 09:19 d-----w c:documents and settingsAll UsersApplication DataHP
2008-09-23 09:18 d-----w c:program filesWindows Media Connect 2
2008-09-23 09:18 d-----w c:program filesPaint.NET
2008-09-23 09:14 d--h--w c:program filesInstallShield Installation Information
2008-09-23 09:14 d-----w c:program filesAtheros WLAN Client
2008-09-23 09:14 d-----w c:documents and settingsAll UsersApplication DataWLAN
2008-09-23 09:14 d-----w c:documents and settingsAdminApplication DataInstallShield
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~Browser Helper Objects{6C3BDD12-4B6F-44F1-87CB-4D94E1ED38A5}]
2008-10-14 15:49 736256 —a c:progra~1WebaltaWEBALT~2.DLL

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
"{D4C56A33-3488-495B-8033-9BF834E276D8}"= "c:progra~1WebaltaWEBALT~1.DLL" [2008-10-14 1691136]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:program filesYandexYandexBarIEyndbar.dll" [2008-06-02 1553672]

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:program filesYandexYandexBarIEyndbar.dll" [2008-06-02 1553672]

[HKEY_CLASSES_ROOTclsid{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOTYandex.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOTYandex.Toolbar]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32ctfmon.exe" [2008-05-20 30208]
"VistaIcon"="c:program filesVistaDriveIconVistaDrv.exe" [2008-01-02 132096]
"Download Master"="c:program filesDownload Masterdmaster.exe" [2008-01-26 3266560]
"Google Update"="c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" [2008-10-20 133104]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:program filesCommon FilesAheadLibNMBgMonitor.exe" [2006-04-21 94208]
"Yupdate!"="c:program filesCommon FilesYandexYupdateyupdate.exe" [2008-05-30 460040]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"AmlMaple"="c:program filesAmlMapleAmlMaple.exe" [2008-04-24 91648]
"HP Software Update"="c:program filesHPHP Software UpdateHPWuSchd2.exe" [2007-03-11 49152]
"nod32kui"="c:program filesEsetnod32kui.exe" [2008-09-23 917504]
"Outpost Firewall"="c:program filesAgnitumOutpost Firewalloutpost.exe" [2006-02-13 91648]
"OutpostFeedBack"="c:program filesAgnitumOutpost Firewallfeedback.exe" [2006-02-14 352324]
"NeroFilterCheck"="c:program filesCommon FilesAheadLibNeroCheck.exe" [2006-01-12 155648]
"Google Desktop Search"="c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe" [2008-11-07 30192]
"NevoDRM"="c:program filesИгры от NevoSoftNevoDRMNevoDRM.exe" [2008-07-29 201728]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:windowsRTHDCPL.EXE]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32CTFMON.EXE" [2008-05-20 30208]
"VistaIcon"="c:program filesVistaDriveIconVistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2008-05-20 c:windowssystem32advpack.dll]
"IE7_012"="advpack.dll" [2008-05-20 c:windowssystem32advpack.dll]

c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
HP Digital Imaging Monitor.lnk — c:program filesHPDigital Imagingbinhpqtra08.exe [11.03.2007 19:26:24 210520]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

S2 WebaltaController;Webalta Controller;c:program filesWebaltaWebaltaUpdaterService.exe [2008-10-14 86528]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:program filesAgnitumOutpost FirewallkernelADBLOCK.DLL [2006-02-13 33600]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:program filesAgnitumOutpost FirewallkernelARP.DLL [2006-02-13 17440]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:program filesAgnitumOutpost FirewallkernelCONTENT.DLL [2006-02-13 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:program filesAgnitumOutpost FirewallkernelDNSCACHE.DLL [2006-02-13 14304]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelFTPFILT.DLL [2006-02-13 9024]
S3 GoogleDesktopManager-092308-165331;Диспетчер Google Desktop 5.8.809.23506;c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe [2008-11-07 30192]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:program filesAgnitumOutpost FirewallkernelHTMLFILT.DLL [2006-02-13 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelHTTPFILT.DLL [2006-02-13 13248]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelIMAPFILT.DLL [2006-02-13 7200]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:program filesAgnitumOutpost FirewallkernelMAILFILT.DLL [2006-02-13 14912]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:program filesAgnitumOutpost FirewallkernelNNTPFILT.DLL [2006-02-13 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:program filesAgnitumOutpost FirewallkernelPOP3FILT.DLL [2006-02-13 9984]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:program filesAgnitumOutpost FirewallkernelPROTECT.DLL [2006-02-13 16960]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:program filesAgnitumOutpost FirewallkernelSECRET.DLL [2006-02-13 9696]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled componentsWindows Sidebar]
c:windowssystem32hidec /W c:program filesWindows SidebarVAIOToolsREGTLIB.EXE "c:program filesWindows Sidebarsidebar.exe"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"c:program filesWindows Sidebar.regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"c:program filesWindows Sidebar.regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:program filesWindows SidebarVAIO.vshellext.dll
.
Contents of the ‘Scheduled Tasks’ folder
2008-11-13 c:windowsTasksGoogleUpdateTaskUser.job
— c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-10-20 17:38]
.
.
Supplementary Scan
.
FireFox -: Profile — c:documents and settingsAdminApplication DataMozillaFirefoxProfiles4gnh65qv.default
FF -: plugin — c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdate1.2.131.27npGoogleOneClick6.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnppl3260.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 20:36:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
PROCESS: c:windowssystem32lsass.exe
-> c:program filesEsetpr_imon.dll
.
Completion time: 2008-11-13 20:37:13
ComboFix-quarantined-files.txt 2008-11-13 18:37:00
ComboFix2.txt 2008-11-10 18:23:02
Pre-Run: 17,599,217,664 байт свободно
Post-Run: 17,601,490,944 байт свободно
November 14, 2008 at 1:30 am #19673
Outpost Firewall Pro was infected and the antivirus removed it
Combofix shows that it was removed, but not completely. It is still registered in autostart and among the drivers. Now, after the cleanup with NOD, does the problem remain?
And one more thing: start InternetExplorer, and then Firefox. Are there any differences between the pop-up windows?
November 14, 2008 at 2:40 am #19674
The pop-up windows are the same in Explorer and in Mozilla. No differences. The problem remains the same.
November 14, 2008 at 12:42 pm #19675
1. Please take a screenshot at the moment a pop-up window is on the screen. If it advertises adult content, send the picture to me by private message; otherwise attach it to your next message.
2. Can you roughly determine the date when you first ran into this problem?
November 23, 2008 at 8:55 pm #19676
Here is one of the variants of the pop-up windows…
[image removed]
November 24, 2008 at 2:36 pm #19677
I had a look at your attachment.
Let's continue the search for the parasite.
Download OTViewIt by clicking this link.
— Save the file to your Desktop.
— Run the program.
— Tick "Scan All Users"
— Click the "Run Scan" button
When the scan finishes, two logs will open: OTViewIt.txt will be open, the second one, Extra.txt, will be minimized.
Also run Combofix once more.
I am waiting for three logs from you:
— the two OTViewIt logs
— the Combofix log
November 24, 2008 at 6:11 pm #19678
OTViewIt Extras logfile created on: 24.11.2008 19:53:45 — Run
OTViewIt by OldTimer — Version 1.0.20.0 Folder = C:Documents and SettingsAdminРабочий стол
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) — Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000422 | Country: Украина | Language: UKR | Date Format: dd.MM.yyyy

1,75 Gb Total Physical Memory | 1,20 Gb Available Physical Memory | 68,81% Memory free
3,60 Gb Paging File | 3,21 Gb Available in Paging File | 89,23% Paging File free
Paging file location(s): C:pagefile.sys 2046 4092

%SystemDrive% = C: | %SystemRoot% = C:WINDOWS | %ProgramFiles% = C:Program Files
Drive C: | 27,16 Gb Total Space | 15,45 Gb Free Space | 56,90% Space Free | Partition Type: NTFS
Drive D: | 84,62 Gb Total Space | 68,30 Gb Free Space | 80,71% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MICROSOF-311F14
Current User Name: Admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========
[HKEY_LOCAL_MACHINESOFTWAREClasses]
.html [@ = Reg Error: Value does not exist or could not be read.] — Reg Error: Key does not exist or could not be opened. File not found

========== Security Center Settings ==========
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center]
"FirstRunDisabled"=1
"FirewallDisableNotify"=0
"FirewallOverride"=1
"UpdatesDisableNotify"=1
"UpdatesOverride"=1
"AntiVirusDisableNotify"=1
"AntiVirusOverride"=1
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoring]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringAhnlabAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringKasperskyAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringMcAfeeAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringMcAfeeFirewall]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringPandaAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringPandaFirewall]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringSophosAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringSymantecAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringSymantecFirewall]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringTinyFirewall]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringTrendAntiVirus]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringTrendFirewall]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterMonitoringZoneLabsFirewall]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile]
"EnableFirewall"=0
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplications]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileGloballyOpenPorts]

========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfileAuthorizedApplicationsList]
[2008.04.15 14:00:00 | 00,558,080 | —- | M] (Microsoft Corporation) — %windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008.04.15 14:00:00 | 00,141,824 | —- | M] (Корпорация Майкрософт) — %windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList]
[2008.04.15 14:00:00 | 00,558,080 | —- | M] (Microsoft Corporation) — %windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008.04.15 14:00:00 | 00,141,824 | —- | M] (Корпорация Майкрософт) — %windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008.04.23 15:45:34 | 22,058,792 | R— | M] (Skype Technologies S.A.) — C:Program FilesSkypePhoneSkype.exe:*:Enabled:Skype

========== (O10) Winsock2 Catalogs ==========
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinSock2Parameters]
NameSpace_Catalog5Catalog_Entries 00000000001 [TCP/IP] — C:WINDOWSsystem32mswsock.dll (Корпорация Майкрософт)
NameSpace_Catalog5Catalog_Entries 00000000003 [Пространство имен службы сетевого расположения (NLA)] — C:WINDOWSsystem32mswsock.dll (Корпорация Майкрософт)
Protocol_Catalog9Catalog_Entries 00000000001 — File not found
Protocol_Catalog9Catalog_Entries 00000000002 — File not found
Protocol_Catalog9Catalog_Entries 00000000003 — File not found
Protocol_Catalog9Catalog_Entries 00000000004 — File not found
Protocol_Catalog9Catalog_Entries 00000000005 — File not found
Protocol_Catalog9Catalog_Entries 00000000006 — File not found
Protocol_Catalog9Catalog_Entries 00000000007 — File not found
Protocol_Catalog9Catalog_Entries 00000000008 — File not found
Protocol_Catalog9Catalog_Entries 00000000009 — File not found
Protocol_Catalog9Catalog_Entries 00000000010 — File not found
Protocol_Catalog9Catalog_Entries 00000000011 — File not found
Protocol_Catalog9Catalog_Entries 00000000012 — File not found
Protocol_Catalog9Catalog_Entries 00000000013 — File not found
Protocol_Catalog9Catalog_Entries 00000000014 — File not found
Protocol_Catalog9Catalog_Entries 00000000015 — File not found
Protocol_Catalog9Catalog_Entries 00000000016 — File not found
Protocol_Catalog9Catalog_Entries 00000000017 — File not found
Protocol_Catalog9Catalog_Entries 00000000018 — File not found
Protocol_Catalog9Catalog_Entries 00000000019 — File not found
Protocol_Catalog9Catalog_Entries 00000000020 — File not found
Protocol_Catalog9Catalog_Entries 00000000021 — File not found

========== (O18) Protocol Handlers ==========
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler]
[2008.04.15 14:00:00 | 01,431,552 | —- | M] (Корпорация Майкрософт) C:WINDOWSsystem32msvidctl.dll (dvd:{12D51199-0DB5-46FE-A120-47A3D7D937CC} (HKLM) [DVD: подключаемый протокол])
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler]
ipp: [HKLM — No CLSID value]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler] — Protocol Handlers
[2006.10.26 16:49:48 | 01,011,488 | —- | M] (Microsoft Corporation) C:Program FilesCommon FilesSystemOle DBMSDAIPP.DLL ipp x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM — MSDAMON.BINDER]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler]
msdaipp: [HKLM — No CLSID value]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler] — Protocol Handlers
[2006.10.26 16:49:48 | 01,011,488 | —- | M] (Microsoft Corporation) C:Program FilesCommon FilesSystemOle DBMSDAIPP.DLL msdaipp x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM — MSDAMON.BINDER]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler] — Protocol Handlers
[2006.10.26 16:49:48 | 01,011,488 | —- | M] (Microsoft Corporation) C:Program FilesCommon FilesSystemOle DBMSDAIPP.DLL msdaippoledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM — MSDAIPP.BINDER]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler]
[2006.10.26 11:45:02 | 00,873,216 | —- | M] (Microsoft Corporation) C:Program FilesCommon FilesMicrosoft SharedHelphxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSHandler]
[2008.04.15 14:00:00 | 01,431,552 | —- | M] (Корпорация Майкрософт) C:WINDOWSsystem32msvidctl.dll (tv:{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} (HKLM) [ТВ: подключаемый протокол])

========== (O18) Protocol Filters ==========
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSFilter] — Protocol Filters
[2008.05.20 17:54:45 | 26,688,512 | —- | M] (Корпорация Майкрософт) C:WINDOWSsystem32shell32.dll text/webviewhtml:{733AC4CB-F1A4-11d0-B951-00A0C90312E1} (HKLM) [WebView MIME Filter]
[HKEY_LOCAL_MACHINESOFTWAREClassesPROTOCOLSFilter] — Protocol Filters
[2006.10.26 19:41:48 | 00,044,344 | —- | M] (Microsoft Corporation) C:Program FilesCommon FilesMicrosoft SharedOFFICE12MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall]
«{10E1E87C-656C-4D08-86D6-5443D28583BE}»=TrayApp
«{13F00518-807A-4B3A-83B0-A7CD90F3A398}»=MarketResearch
«{1753255A-0AEB-4220-8C75-607B73F0C133}»=Copy
«{22466889-7642-488d-AA0E-F619704CF7AB}»=DeviceDiscovery
«{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}»=WebReg
«{2BB372D9-52B4-410A-BC1A-FEAB63181EEF}»=Microsoft .NET Framework 1.1 Russian Language Pack
«{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}»=Scan
«{3248F0A8-6813-11D6-A77B-00B0D0160060}»=Java(TM) 6 Update 6
«{350C9419-3D7C-4EE8-BAA9-00BCB3D54227}»=WebFldrs XP
«{415CDA53-9100-476F-A7B2-476691E117C7}»=HP Smart Web Printing
«{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}»=HPSSupply
«{543E938C-BDC4-4933-A612-01293996845F}»=UnloadSupport
«{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}»=eSupportQFolder
«{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}»=CustomerResearchQFolder
«{824D3839-DAA1-4315-A822-7AE3E620E528}»=VideoToolkit01
«{8389382B-53BA-4A87-8854-91E3D80A5AC7}»=HP Photosmart Essential2.01
«{90120000-0010-0419-0000-0000000FF1CE}»=Microsoft Software Update for Web Folders (Russian) 12
«{90120000-0016-0000-0000-0000000FF1CE}»=Microsoft Office Excel 2007
«{90120000-0016-0000-0000-0000000FF1CE}_EXCEL_{C5060182-C90D-4314-9AE9-5C0DCF8FD1EF}»=
«{90120000-0016-0419-0000-0000000FF1CE}»=Microsoft Office Excel MUI (Russian) 2007
«{90120000-001A-0000-0000-0000000FF1CE}»=Microsoft Office Outlook 2007
«{90120000-001A-0000-0000-0000000FF1CE}_OUTLOOK_{2A33A0C2-2B09-446E-9022-1508A85ECD2D}»=
«{90120000-001A-0419-0000-0000000FF1CE}»=Microsoft Office Outlook MUI (Russian) 2007
«{90120000-001B-0000-0000-0000000FF1CE}»=Microsoft Office Word 2007
«{90120000-001B-0000-0000-0000000FF1CE}_WORD_{3520B304-0EF8-475D-8C52-47ABCCC75FC6}»=
«{90120000-001B-0419-0000-0000000FF1CE}»=Microsoft Office Word MUI (Russian) 2007
«{90120000-001F-0407-0000-0000000FF1CE}»=Microsoft Office Proof (German) 2007
«{90120000-001F-0409-0000-0000000FF1CE}»=Microsoft Office Proof (English) 2007
«{90120000-001F-0419-0000-0000000FF1CE}»=Microsoft Office Proof (Russian) 2007
«{90120000-001F-0422-0000-0000000FF1CE}»=Microsoft Office Proof (Ukrainian) 2007
«{90120000-002C-0419-0000-0000000FF1CE}»=Microsoft Office Proofing (Russian) 2007
«{90120000-006E-0419-0000-0000000FF1CE}»=Microsoft Office Shared MUI (Russian) 2007
«{9C395AAF-F3DB-FA42-2ADF-9CC22B281049}»=Nero 7 Premium
«{9CD789E2-B7CE-11D5-B7E9-00A0C9449F99}»=Сократ Персональный 4.1
«{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}»=HP Update
«{AB5D51AE-EBC3-438D-872C-705C7C2084B0}»=DeviceManagementQFolder
«{AEA07F97-9088-497c-8821-0F36BD5DC251}»=HPProductAssistant
«{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}»=AIO_Scan
«{B4F35A00-24FD-4fb3-BF5E-413D5423434D}»=DJ_AIO_Software_min
«{B508B3F1-A24A-32C0-B310-85786919EF28}»=Microsoft .NET Framework 2.0 Service Pack 1
«{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}»=SolutionCenter
«{C1920D73-7374-49d9-8C37-58A6E49078A5}»=F2100_Help
«{C5EF81AC-FE4C-4157-97E3-2E08B000742A}»=F2100_doccd
«{CA50045C-5119-48e7-9BA7-6B317379857A}»=DJ_AIO_Software
«{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}»=Microsoft .NET Framework 1.1
«{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}»=Destination Component
«{E2662C24-B31E-4349-A084-32EB76E8B760}»=BufferChm
«{E548726E-F4E8-459f-BAB8-45551BC071E9}»=DJ_AIO_ProductContext
«{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}»=Toolbox
«{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}»=Realtek High Definition Audio Driver
«{F1C409F0-8322-4c87-BD08-2F62777D490D}»=F2100
«{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}»=32 Bit HP CIO Components Installer
«{F4D0F248-2BF7-4912-814E-4FD751923838}»=Microsoft .NET Framework 2.0 Language Pack — RUS
«{F4F41D14-E0DD-4FB4-AA09-A14225C769BD}»=Atheros WLAN Client
«{F72E2DDC-3DB8-4190-A21D-63883D955FE7}»=PSSWCORE
«{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}»=HP Deskjet All-In-One Software 9.0
«{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}»=Status
«4_elements»=NevoSoft 4 Elements (remove only)
«Adobe Flash Player ActiveX»=Adobe Flash Player ActiveX
«Adobe Flash Player Plugin»=Adobe Flash Player 10 Plugin
«Adventure Match_is1″=Adventure Match
«Agnitum Outpost Firewall Pro_is1″=Agnitum Outpost Firewall Pro
«AIMP2″=AIMP2
«Amazing Jigsaw_is1″=Amazing Jigsaw
«AmlMaple_addon»=AmlMaple
«atelier»=NevoSoft Atelier (remove only)
«ATI Display Driver»=ATI Display Driver
«beach_party_craze»=NevoSoft Beach Party Craze (remove only)
«cake_mania»=NevoSoft Cake Mania (remove only)
«christmasville»=NevoSoft Christmasville (remove only)
«detective_stories»=NevoSoft Detective Stories (remove only)
«Download Master_is1″=Download Master 5.5.3.1131
«escape_the_museum»=NevoSoft Escape The Museum (remove only)
«EXCEL»=Microsoft Office Excel 2007
«farm_frenzy»=NevoSoft Farm Frenzy (remove only)
«farmcraft»=NevoSoft FarmCraft (remove only)
«Foxit Reader»=Foxit Reader
«Google Desktop»=Google Desktop
«HP Imaging Device Functions»=HP Imaging Device Functions 9.0
«HP Photosmart Essential»=HP Photosmart Essential 2.01
«HP Solution Center & Imaging Support Tools»=HP Solution Center 9.0
«HPExtendedCapabilities»=HP Customer Participation Program 9.0
«jigsaw_world»=NevoSoft Jigsaw World (remove only)
«KLiteCodecPack_is1″=K-Lite Mega Codec Pack 3.9.0
«lara_johns»=NevoSoft Lara Johns (remove only)
«legends_of_pirates»=NevoSoft Legends of Pirates (remove only)
«Magic Crystals_is1″=Magic Crystals
«magic_academy»=NevoSoft Magic Academy (remove only)
«Mahjong Infinity 2_is1″=Mahjong Infinity 2
«Microsoft .NET Framework 1.1 (1033)»=Microsoft .NET Framework 1.1
«Mozilla Firefox (3.0.4)»=Mozilla Firefox (3.0.4)
«mushroom_age»=NevoSoft Mushroom Age (remove only)
«MyCentria»=Интернет помощник MyCentria
«mystery_cookbook»=NevoSoft Mystery Cookbook (remove only)
«NOD32″=Антивирусная система NOD32
«OUTLOOK»=Microsoft Office Outlook 2007
«Paint.NET_addon»=Paint.NET v3.31
«Pearl Hunter_is1″=Pearl Hunter
«posh_shop_2″=NevoSoft Posh Shop 2 (remove only)
«poshshop»=NevoSoft PoshShop (remove only)
«pyramid_runner»=NevoSoft Pyramid Runner (remove only)
«QIP Infium_is1″=QIP Infium 1.0.9008 RC1
«Skype»=Skype
«The KMPlayer»=The KMPlayer
«Tomb Of Giza_is1″=Tomb Of Giza
«Total Commander»=Total Commander
«unicorn_castle»=NevoSoft Unicorn Castle (remove only)
«Vista Drive Icon_addon»=Vista Drive Icon
«Vista Games»=Vista Games 1.3 XP
«wedding_dash»=NevoSoft Wedding Dash (remove only)
«Windows Sidebar»=Боковая панель Windows
«WinRAR archiver»=Архиватор WinRAR
«WORD»=Microsoft Office Word 2007
«Веселая ферма»=Веселая ферма
«Веселая ферма II»=Веселая ферма II
«Луксор»=Луксор
«Модный бутик 2. Эксклюзив»=Модный бутик 2. Эксклюзив
«Натали Брукс. Тайна наследства»=Натали Брукс. Тайна наследства
«Панель инструментов Webalta_is1″=Панель инструментов Webalta 1.0
«Пляжный переполох»=Пляжный переполох
«Помощники для зверюшек»=Помощники для зверюшек
«Пчеловоломка»=Пчеловоломка
«Солнечная ферма»=Солнечная ферма
«Шерлок Холмс. Тайна персидского ковра»=Шерлок Холмс. Тайна персидского ковра
«Яндекс.Бар для Internet Explorer_is1″=Яндекс.Бар для Internet Explorer 3.5.0

========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionUninstall]
«Google Chrome»=Google Chrome

========== HKEY_USERS Uninstall List ==========
[HKEY_USERSS-1-5-21-329068152-1229272821-1177238915-500SOFTWAREMicrosoftWindowsCurrentVersionUninstall]
«Google Chrome»=Google Chrome

========== Last 10 Event Log Errors ==========
[ System Events ]
Error — 16.10.2008 2:39:17 | Computer Name = MICROSOF-311F14 | Source = Service Control Manager | ID = 7034
Description = Служба «Outpost Firewall Service» неожиданно прервана. Это произошло (раз): 1.

Error — 16.10.2008 15:59:53 | Computer Name = MICROSOF-311F14 | Source = Service Control Manager | ID = 7034
Description = Служба «Outpost Firewall Service» неожиданно прервана. Это произошло (раз): 1.

Error — 17.10.2008 15:37:59 | Computer Name = MICROSOF-311F14 | Source = Service Control Manager | ID = 7034
Description = Служба «Outpost Firewall Service» неожиданно прервана. Это произошло (раз): 1.

< End of report >
ComboFix 08-11-23.02 — Admin 2008-11-24 20:03:02.4 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1268 [GMT 2:00]
Running from: c:documents and settingsAdminРабочий столComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.
2008-11-23 20:45 . 2008-11-23 20:45 d c:documents and settingsAdminApplication DataGaijin Ent
2008-11-23 19:13 . 2008-11-23 19:13 d c:documents and settingsAdminApplication DataMeridian93
2008-11-22 16:07 . 2008-11-22 16:07 d c:documents and settingsAll UsersApplication DataPlayrix Entertainment
2008-11-21 22:36 . 2008-11-21 22:36 d c:documents and settingsAll UsersApplication DataEscapeTheMuseum
2008-11-13 20:52 . 2008-11-13 20:52 d c:documents and settingsLocalServiceApplication DataWebalta
2008-11-13 13:56 . 2008-11-13 13:56 d c:documents and settingsAdminApplication DataGames
2008-11-13 12:57 . 2008-11-13 12:57 d c:documents and settingsAll UsersApplication DataFriday’s games
2008-11-09 21:15 . 2008-11-09 21:15 d c:program filesTrend Micro
2008-11-09 20:53 . 2008-11-09 20:47 102,664 —a c:windowssystem32driverstmcomm.sys
2008-11-09 20:46 . 2008-11-09 20:55 d c:documents and settingsAdmin.housecall6.6
2008-11-09 10:31 . 2008-11-13 23:30 632 —a C:settings.dat
2008-11-08 21:26 . 2008-11-08 21:26 d c:documents and settingsAdminApplication DataBeezzle
2008-11-08 20:56 . 2008-11-08 20:56 d c:documents and settingsAdminApplication DataBeachPartyCraze
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:program filesCommon FilesYandex
2008-11-08 16:04 . 2008-11-08 16:04 d c:documents and settingsAdminApplication DataYandex
2008-11-08 04:38 . 2008-11-08 04:50 d c:documents and settingsAdminApplication DataLegends of pirates
2008-11-02 17:49 . 2008-11-02 17:49 d c:program filesNevoSoft
2008-11-02 17:39 . 2008-11-24 19:41 d c:program filesWebalta
2008-11-02 17:39 . 2008-11-02 17:39 d c:documents and settingsAdminApplication DataWebalta
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataTemp App Data
2008-11-02 16:33 . 2008-11-02 16:33 d c:documents and settingsAdminApplication DataMagic Academy
2008-11-01 23:32 . 2008-11-01 23:32 d c:documents and settingsAll UsersApplication DataChristmasville
2008-11-01 20:49 . 2008-11-08 22:13 d c:program filesИгры от NevoSoft
2008-11-01 17:44 . 2008-11-01 17:44 d c:documents and settingsAll UsersApplication DataAstar Games
2008-11-01 12:44 . 2008-11-01 12:44 d c:program filesMyCentria
2008-10-26 21:27 . 2008-10-26 21:27 d c:documents and settingsAdminApplication DataQIP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 18:45 d-----w c:program filesИгры
2008-11-22 18:42 d-----w c:program filesAIMP2
2008-11-21 19:02 d-----w c:program filesAlawar.ru
2008-11-11 21:18 d-----w c:documents and settingsAdminApplication DataSkype
2008-11-10 18:18 d-----w c:program filesGoogle
2008-11-08 19:26 d-----w c:documents and settingsAll UsersApplication DataAlawarWrapper
2008-11-06 23:01 d-----w c:program filesESET
2008-10-29 17:40 d-----w c:program filesFreeGamePick.com
2008-10-23 13:41 d-----w c:documents and settingsAdminApplication DataAhead
2008-10-20 16:15 d-----w c:program filesCommon FilesAhead
2008-10-20 16:13 d-----w c:program filesNero
2008-10-20 16:06 d-----w c:program filesAhead
2008-10-18 09:29 d-----w c:documents and settingsAll UsersApplication DataSandlot Games
2008-10-18 07:15 d-----w c:documents and settingsAll UsersApplication DataPlayFirst
2008-10-18 07:15 d-----w c:documents and settingsAdminApplication DataPlayFirst
2008-10-14 16:53 d-----w c:documents and settingsAdminApplication DataWindows Search
2008-10-14 16:51 d-----w c:documents and settingsAll UsersApplication DataMicrosoft Help
2008-10-14 16:48 d-----w c:program filesWindows Desktop Search
2008-10-11 20:07 d-----w c:documents and settingsAdminApplication DataMy Games
2008-10-11 19:07 d-----w c:documents and settingsAll UsersApplication DataNevoSoft Games
2008-10-09 15:44 d-----w c:program filesMyRealGames.com
2008-10-08 09:07 d-----w c:documents and settingsAll UsersApplication DataAlawar Stargaze
2008-10-06 19:34 d-----w c:program filesAskTBar
2008-10-05 05:59 d-----w c:documents and settingsAll UsersApplication DataВеселаяФерма2
2008-10-02 09:39 d-----w c:program filesThe KMPlayer
2008-09-28 11:33 d-----w c:documents and settingsAdminApplication Datacerasus.media
2008-09-27 10:47 d-----w c:documents and settingsAll UsersApplication DataEgoset
2008-09-26 17:43 d-----w c:documents and settingsAdminApplication DataHPAppData
2008-09-25 13:58 d-----w c:documents and settingsAdminApplication DataHP
2008-09-23 09:29 270,336 —-a-w c:windowssystem32imon.dll
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~Browser Helper Objects{6C3BDD12-4B6F-44F1-87CB-4D94E1ED38A5}]
2008-11-13 20:52 738306 —a c:progra~1WebaltaWEBALT~2.DLL

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
«{91397D20-1446-11D4-8AF4-0040CA1127B6}»= «c:program filesYandexYandexBarIEyndbar.dll» [2008-06-02 1553672]
«{D4C56A33-3488-495B-8033-9BF834E276D8}»= «c:progra~1WebaltaWEBALT~1.DLL» [2008-11-13 1693186]

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
«{91397D20-1446-11D4-8AF4-0040CA1127B6}»= «c:program filesYandexYandexBarIEyndbar.dll» [2008-06-02 1553672]

[HKEY_CLASSES_ROOTclsid{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOTYandex.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOTYandex.Toolbar]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-05-20 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]
«Download Master»=»c:program filesDownload Masterdmaster.exe» [2008-01-26 3266560]
«Google Update»=»c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe» [2008-10-20 133104]
«BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}»=»c:program filesCommon FilesAheadLibNMBgMonitor.exe» [2006-04-21 94208]
«Yupdate!»=»c:program filesCommon FilesYandexYupdateyupdate.exe» [2008-05-30 460040]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«AmlMaple»=»c:program filesAmlMapleAmlMaple.exe» [2008-04-24 91648]
«HP Software Update»=»c:program filesHPHP Software UpdateHPWuSchd2.exe» [2007-03-11 49152]
«nod32kui»=»c:program filesEsetnod32kui.exe» [2008-09-23 917504]
«Outpost Firewall»=»c:program filesAgnitumOutpost Firewalloutpost.exe» [2006-02-13 91648]
«OutpostFeedBack»=»c:program filesAgnitumOutpost Firewallfeedback.exe» [2006-02-14 352324]
«NeroFilterCheck»=»c:program filesCommon FilesAheadLibNeroCheck.exe» [2006-01-12 155648]
«Google Desktop Search»=»c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe» [2008-11-07 30192]
«NevoDRM»=»c:program filesИгрыNevoDRMNevoDRM.exe» [2008-07-29 201728]
«RTHDCPL»=»RTHDCPL.EXE» [2008-04-10 c:windowsRTHDCPL.EXE]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-05-20 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» [2008-05-20 c:windowssystem32advpack.dll]
«IE7_012″=»advpack.dll» [2008-05-20 c:windowssystem32advpack.dll]

c:documents and settingsAll UsersГлавное менюПрограммыАвтозагрузка
HP Digital Imaging Monitor.lnk — c:program filesHPDigital Imagingbinhpqtra08.exe [11.03.2007 19:26:24 210520]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)

[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=
«c:\Program Files\Skype\Phone\Skype.exe»=

S2 WebaltaController;Webalta Controller;»c:program filesWebaltaWebaltaUpdaterService.exe» -service [14.10.2008 15:16:00 97794]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);??c:program filesAgnitumOutpost FirewallkernelADBLOCK.DLL [23.09.2008 12:02:41 33600]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);??c:program filesAgnitumOutpost FirewallkernelARP.DLL [23.09.2008 12:02:41 17440]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);??c:program filesAgnitumOutpost FirewallkernelCONTENT.DLL [23.09.2008 12:02:41 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);??c:program filesAgnitumOutpost FirewallkernelDNSCACHE.DLL [23.09.2008 12:02:41 14304]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelFTPFILT.DLL [23.09.2008 12:02:41 9024]
S3 GoogleDesktopManager-092308-165331;Диспетчер Google Desktop 5.8.809.23506;»c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe» [22.10.2008 20:46:09 30192]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelHTMLFILT.DLL [23.09.2008 12:02:41 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelHTTPFILT.DLL [23.09.2008 12:02:41 13248]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelIMAPFILT.DLL [23.09.2008 12:02:41 7200]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelMAILFILT.DLL [23.09.2008 12:02:41 14912]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);??c:program filesAgnitumOutpost FirewallkernelNNTPFILT.DLL [23.09.2008 12:02:41 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);??c:program filesAgnitumOutpost FirewallkernelPOP3FILT.DLL [23.09.2008 12:02:41 9984]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);??c:program filesAgnitumOutpost FirewallkernelPROTECT.DLL [23.09.2008 12:02:41 16960]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);??c:program filesAgnitumOutpost FirewallkernelSECRET.DLL [23.09.2008 12:02:41 9696]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled componentsWindows Sidebar]
c:windowssystem32hidec /W c:program filesWindows SidebarVAIOToolsREGTLIB.EXE «c:program filesWindows Sidebarsidebar.exe»

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{34A19196-274E-4D75-9D30-D7A45A0A4178}]
«c:program filesWindows Sidebar.regsvr32.exe» /s wlsrvc.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{6B9228DA-9C15-419e-856C-19E768A13BDC}]
«c:program filesWindows Sidebar.regsvr32.exe» /s sbdrop.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s c:program filesWindows SidebarVAIO.vshellext.dll
.
Contents of the ‘Scheduled Tasks’ folder

2008-11-23 c:windowsTasksGoogleUpdateTaskUser.job
— c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe [2008-10-20 17:38]
.
.
Supplementary Scan
.
FireFox -: Profile — c:documents and settingsAdminApplication DataMozillaFirefoxProfiles4gnh65qv.default
FF -: plugin — c:documents and settingsAdminLocal SettingsApplication DataGoogleUpdate1.2.131.27npGoogleOneClick6.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnppl3260.dll
FF -: plugin — c:program filesK-Lite Codec PackRealbrowserpluginsnprpjplug.dll
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 20:04:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0

**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(728)
c:windowssystem32SETUPAPI.dll
c:windowssystem32Ati2evxx.dll
c:windowssystem32cscui.dll
c:windowssystem32COMRes.dll

— — — — — — — > ‘lsass.exe'(784)
c:windowssystem32SETUPAPI.dll
c:windowssystem32imon.dll
c:program filesEsetpr_imon.dll
.
Completion time: 2008-11-24 20:05:00
ComboFix-quarantined-files.txt 2008-11-24 18:04:41
ComboFix2.txt 2008-11-13 18:37:14

Pre-Run: 16 525 176 832 байт свободно
Post-Run: 16,842,780,672 байт свободно