[Alice]

вот лог
ComboFix 10-08-31.02 — Алиса 02.09.2010 19:35:35.1.1 — x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1251.7.1049.18.1013.620 [GMT 4:00]
Running from: c:usersАлисаDownloadsComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:program filesDef Group
c:program filesDef GroupPC Defenderpcdef.exe
c:program filesDef GroupPC Defenderproccheck.exe
c:program filesDef GroupPC Defenderprockill32.exe
c:program filesDef GroupPC Defenderprockill64.exe
c:program filesDef GroupPC Defenderrundelay.exe
c:program filesDef GroupPC Defenderuninstall.bat
c:programdataMicrosoftNetworkDownloaderqmgr0.dat
c:programdataMicrosoftNetworkDownloaderqmgr1.dat

---

BITS: Possible infected sites

---

hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-09-02 15:41 . 2010-09-02 15:42

---

d

---

w- c:usersАлисаAppDataLocaltemp
2010-09-02 15:41 . 2010-09-02 15:41

---

d

---

w- c:usersDefaultAppDataLocaltemp
2010-09-02 15:41 . 2010-09-02 15:41

---

d

---

w- c:usersDBAF~1AppDataLocaltemp
2010-09-02 12:29 . 2010-09-02 12:29 680 —-a-w- c:usersАлисаAppDataLocald3d9caps.dat
2010-09-01 18:48 . 2010-01-26 11:01 81920 —-a-w- c:windowseSellerateControl350.dll
2010-09-01 18:48 . 2010-01-26 11:01 356352 —-a-w- c:windowseSellerateEngine.dll
2010-09-01 18:48 . 2010-09-01 18:49

---

d

---

w- c:program filesPCDefender Removal Tool (2)
2010-09-01 10:42 . 2010-09-01 10:53

---

d

---

w- c:program filestrend micro
2010-09-01 10:42 . 2010-09-01 10:43

---

d

---

w- C:rsit
2010-09-01 09:28 . 2010-09-01 09:28

---

d

---

w- c:usersАлисаAppDataRoamingMalwarebytes
2010-09-01 09:27 . 2010-04-29 11:39 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2010-09-01 09:27 . 2010-09-01 09:27

---

d

---

w- c:programdataMalwarebytes
2010-09-01 09:27 . 2010-04-29 11:39 20952 —-a-w- c:windowssystem32driversmbam.sys
2010-09-01 09:27 . 2010-09-02 15:33

---

d

---

w- c:program filesMalwarebytes’ Anti-Malware
2010-08-28 18:14 . 2010-08-28 18:14

---

d

---

w- c:usersАлисаAppDataRoamingMOVAVI
2010-08-28 18:05 . 2010-08-28 18:05 87392 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}VideoConverter5_St_10EBE4A00F514DB49EA9B218A1E9D3F5.exe
2010-08-28 18:05 . 2010-08-28 18:05 71008 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}VideoConverter5_St_BF4E5749C8A942ACA48E229C02AC7D3D.exe
2010-08-28 18:05 . 2010-08-28 18:05 136544 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}VideoConverter5_St_10DC5EE43E6C49468EFA2A41EEB146CA.exe
2010-08-28 18:05 . 2010-08-28 18:05 87392 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}NewShortcut4_941FA141AAB14924B185046EE8E1BDD9.exe
2010-08-28 18:05 . 2010-08-28 18:05 71008 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}ARPPRODUCTICON.exe
2010-08-28 18:05 . 2010-08-28 18:05

---

d

---

w- c:program filesMovavi Видео Конвертер 10
2010-08-28 18:02 . 2010-08-28 18:02

---

d

---

w- c:usersАлисаAppDataLocalDownloaded Installations
2010-08-23 16:38 . 2010-08-23 16:39

---

d

---

w- c:usersАлисаAppDataRoaminguTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 15:42 . 2009-09-13 17:32 1310720 —sha-w- c:usersАлисаNTUSER.DAT
2010-09-02 12:29 . 2010-09-02 12:29 680 —-a-w- c:usersАлисаAppDataLocald3d9caps.dat
2010-09-01 18:29 . 2009-09-20 08:11

---

d

---

w- c:usersАлисаAppDataRoamingvlc
2010-09-01 09:28 . 2010-09-01 09:28

---

d

---

w- c:usersАлисаAppDataRoamingMalwarebytes
2010-08-29 17:16 . 2009-10-24 16:28

---

d

---

w- c:usersАлисаAppDataRoamingdvdcss
2010-08-29 09:26 . 2008-01-21 05:59 653312 —-a-w- c:windowssystem32perfh019.dat
2010-08-29 09:26 . 2008-01-21 05:59 125800 —-a-w- c:windowssystem32perfc019.dat
2010-08-28 18:14 . 2010-08-28 18:14

---

d

---

w- c:usersАлисаAppDataRoamingMOVAVI
2010-08-28 18:05 . 2010-08-28 18:05 71008 —-a-r- c:usersАлисаAppDataRoamingMicrosoftInstaller{EB5A636B-BA04-427A-A743-6E6B3D86237B}ARPPRODUCTICON.exe
2010-08-28 18:05 . 2009-09-13 17:32

---

d-s—w- c:usersАлисаAppDataRoamingMicrosoft
2010-08-28 18:05 . 2010-08-28 18:05

---

d

---

w- c:program filesMovavi Видео Конвертер 10
2010-08-24 13:07 . 2009-09-20 14:23

---

d

---

w- c:program filesLoviVkontakte
2010-08-23 16:40 . 2010-07-28 15:24

---

d

---

w- c:program filesuTorrent
2010-08-23 16:39 . 2010-08-23 16:38

---

d

---

w- c:usersАлисаAppDataRoaminguTorrent
2010-08-20 05:00 . 2009-09-14 18:15 1 —-a-w- c:usersАлисаAppDataRoamingOpenOffice.org3useruno_packagescachestamp.sys
2010-07-28 18:30 . 2010-07-28 15:25

---

d

---

w- c:usersАлисаAppDataRoamingYandex
2010-07-28 15:25 . 2010-07-28 15:25

---

d

---

w- c:programdataYandex
2010-07-28 15:25 . 2010-07-28 15:25

---

d

---

w- c:program filesYandex
2010-07-28 15:25 . 2010-07-28 15:25

---

d

---

w- c:usersАлисаAppDataRoamingOpera
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerToolbar]
«{1208AB5D-4748-49fe-A74A-484AE2FA5D34}»= «c:program filesYandexYandexBarIEbarsbarietorrentyndbar.dll» [2010-03-10 8887624]

[HKEY_CLASSES_ROOTclsid{1208ab5d-4748-49fe-a74a-484ae2fa5d34}]
[HKEY_CLASSES_ROOTYandexTorrent.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{50EBFBE3-CEAE-4567-884E-C58C12E91F4C}]
[HKEY_CLASSES_ROOTYandexTorrent.Toolbar]

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
«{1208AB5D-4748-49fe-A74A-484AE2FA5D34}»= «c:program filesYandexYandexBarIEbarsbarietorrentyndbar.dll» [2010-03-10 8887624]

[HKEY_CLASSES_ROOTclsid{1208ab5d-4748-49fe-a74a-484ae2fa5d34}]
[HKEY_CLASSES_ROOTYandexTorrent.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{50EBFBE3-CEAE-4567-884E-C58C12E91F4C}]
[HKEY_CLASSES_ROOTYandexTorrent.Toolbar]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«WMPNSCFG»=»c:program filesWindows Media PlayerWMPNSCFG.exe» [2008-01-21 202240]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«IAAnotif»=»c:program filesIntelIntel Matrix Storage ManagerIaanotif.exe» [2007-07-12 178712]
«HotKeysCmds»=»c:windowssystem32hkcmd.exe» [2008-01-22 166424]
«Persistence»=»c:windowssystem32igfxpers.exe» [2008-01-22 133656]
«LManager»=»c:progra~1LAUNCH~1LManager.exe» [2008-05-13 768520]
«WarReg_PopUp»=»c:program fileseMachinesWR_PopUpWarReg_PopUp.exe» [2008-05-09 49152]
«Apoint»=»c:program filesApoint2KApoint.exe» [2007-07-21 159744]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2009-02-06 2021400]
«iTunesHelper»=»c:program filesiTunesiTunesHelper.exe» [2009-10-28 141600]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce]
«GrpConv»=»grpconv -o» [X]
«Malwarebytes’ Anti-Malware»=»c:program filesMalwarebytes’ Anti-Malwarembamgui.exe» [2010-04-29 437584]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
«EnableLUA»= 0 (0x0)
«EnableUIADesktopToggle»= 0 (0x0)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwindows]
«AppInit_DLLs»=c:progra~1GoogleGOOGLE~1GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversiondrivers32]
«aux»=wdmaud.drv

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWdf01000.sys]
@=»Driver»

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinDefend]
@=»Service»

[HKLM~startupfolderC:^Users^Алиса^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:usersАлисаAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupOpenOffice.org 3.0.lnk
backup=c:windowspssOpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAdobe Reader Speed Launcher]
2007-03-08 00:38 40048 —-a-w- c:program filesAdobeReader 8.0Readerreader_sl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregGoogle Desktop Search]
2008-05-19 13:48 29744 —-a-w- c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregiTunesHelper]
2009-10-28 17:21 141600 —-a-w- c:program filesiTunesiTunesHelper.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregQuickTime Task]
2009-09-04 22:54 417792 —-a-w- c:program filesQuickTimeQTTask.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRtHDVCpl]
2008-04-24 09:25 6111232 —-a-w- c:windowsRtHDVCpl.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSunJavaUpdateSched]
2008-06-10 00:27 144784 —-a-w- c:program filesJavajre1.6.0_07binjusched.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregWindows Defender]
2008-01-21 02:33 1008184 —-a-w- c:program filesWindows DefenderMSASCui.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregWindowsWelcomeCenter]
2008-01-21 02:33 2153472 —-a-w- c:windowsSystem32oobefldr.dll

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«AntiVirusOverride»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoring]
«DisableMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecAntiVirus]
«DisableMonitoring»=dword:00000001

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerMonitoringSymantecFirewall]
«DisableMonitoring»=dword:00000001

R1 ehdrv;ehdrv;c:windowssystem32DRIVERSehdrv.sys [2009-02-06 106208]
R2 ekrn;ESET Service;c:program filesESETESET NOD32 Antivirusekrn.exe [2009-02-06 727720]
R2 epfwwfpr;epfwwfpr;c:windowssystem32DRIVERSepfwwfpr.sys [2009-02-06 92800]
R2 ETService;Empowering Technology Service;c:program filesEMACHINESeMachines Recovery ManagementServiceETService.exe [2008-04-03 24576]
R2 LoviVkontakteService;LoviVkontake Service;c:program filesLoviVkontakteVkontakteService.exe [x]
R2 regi;regi;c:windowssystem32driversregi.sys [2007-04-17 11032]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet — NDIS 6.0;c:windowssystem32DRIVERSb57nd60x.sys [2007-07-22 180736]
R3 GoogleDesktopManager-022208-143751;Диспетчер Google Desktop 5.7.802.22438;c:program filesGoogleGoogle Desktop SearchGoogleDesktop.exe [2008-05-19 29744]
R3 MBAMSwissArmy;MBAMSwissArmy;c:windowssystem32driversmbamswissarmy.sys [2010-04-29 38224]

— Other Services/Drivers In Memory —

*NewlyCreated* — ECACHE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
rsmsvcs REG_MULTI_SZ ntmssvc
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.yandex.ru/?clid=40488
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=EM&Loc=RUS_RU&Sys=PTB&M=eMachines E510
uInternet Settings,ProxyOverride = *.local;vkontakte.ru;www.vkontakte.ru;vk.com;www.vk.com
FF — ProfilePath — c:usersАлисаAppDataRoamingMozillaFirefoxProfilesv0peh5ep.default
FF — prefs.js: browser.startup.homepage — hxxp://www.yandex.ru/?clid=40795
FF — prefs.js: keyword.URL — hxxp://yandex.ru/yandsearch?clid=142340&yasoft=barff&text=
.
— — — — ORPHANS REMOVED — — — —

HKLM-Run-eRecoveryService — (no file)
HKLM-RunOnce- — (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 19:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-02 19:45:28
ComboFix-quarantined-files.txt 2010-09-02 15:45

Pre-Run: 36 164 370 432 байт свободно
Post-Run: 36 084 862 976 байт свободно

— — End Of File — — F7858B893059F9749C9934DF4656AB20

что делать дальше?

[Автор]

Сообщения