Forum replies created
I did everything as written above…
here is the ComboFix log:
ComboFix 10-06-09.02 - Администратор 10.06.2010 15:56:45.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.767.441 [GMT 6:00]
Running from: c:\d&s\Администратор\Рабочий стол\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100610-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.
2010-06-10 09:54 . 2010-06-10 09:54 d-----w- c:\temp\WPDNSE
2010-06-10 09:53 . 2010-06-10 09:53 16384 ----a-w- c:\temp\Perflib_Perfdata_52c.dat
2010-06-10 05:24 . 2009-08-06 13:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-08 11:59 . 2010-06-08 11:59 d-----w- C:\rsit
2010-06-08 11:59 . 2010-06-08 11:59 d-----w- c:\program files\trend micro
2010-06-08 11:50 . 2010-06-08 11:50 d-----w- c:\windows\system32\wbem\snmp
2010-06-08 11:50 . 2010-06-08 11:50 d-----w- c:\windows\system32\xircom
2010-06-08 11:50 . 2010-06-08 11:50 d-----w- c:\program files\microsoft frontpage
2010-06-07 05:20 . 2010-06-07 05:20 d--h--w- c:\windows\system32\GroupPolicy
2010-06-06 08:47 . 2010-06-06 08:47 d-----w- c:\temp\4S52IEM
2010-06-04 15:05 . 2010-06-04 15:05 d-----w- c:\d&s\Администратор\Local Settings\Application Data\Opera
2010-06-04 15:03 . 2010-06-04 15:03 d-----w- c:\program files\Opera
2010-06-04 15:02 . 2010-06-04 15:02 d-----w- c:\d&s\Администратор\Local Settings\Application Data\Temp
2010-06-04 12:57 . 2010-06-04 12:57 d-----w- C:\FOUND.009
2010-06-04 11:23 . 2010-06-04 11:23 d-----w- C:\FOUND.008
2010-06-03 00:47 . 2010-06-03 00:48 d-----w- c:\temp\CR_5.tmp
2010-05-27 00:48 . 2010-05-27 00:48 d-----w- C:\FOUND.007
2010-05-21 08:56 . 2010-05-21 08:56 d-----w- c:\program files\Soft Gold
2010-05-21 08:56 . 2010-05-21 08:56 d-----w- c:\d&s\Администратор\Application Data\Soft Gold
2010-05-21 08:48 . 2010-05-21 08:48 d-----w- c:\program files\DipTrace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 09:52 . 2010-02-24 11:01 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-08 12:40 . 2008-07-29 17:32 1 ----a-w- c:\d&s\Администратор\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-05-21 08:56 . 2008-07-24 16:06 75568 ----a-w- c:\d&s\Администратор\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 10:19 . 2010-05-03 10:19 d-----w- c:\d&s\Администратор\Application Data\MathWorks
2010-05-03 10:06 . 2010-05-03 10:06 2678 ----a-w- c:\windows\java\Packages\Data\W0K57RFZ.DAT
2010-05-03 10:06 . 2010-05-03 10:06 2678 ----a-w- c:\windows\java\Packages\Data\PFZZ9FFL.DAT
2010-05-03 10:06 . 2010-05-03 10:06 2678 ----a-w- c:\windows\java\Packages\Data\P7LBXJBP.DAT
2010-05-03 10:06 . 2010-05-03 10:06 2678 ----a-w- c:\windows\java\Packages\Data\LNLF3LRB.DAT
2010-05-03 10:06 . 2010-05-03 10:06 2678 ----a-w- c:\windows\java\Packages\Data\ETV9NTJ7.DAT
2010-04-12 13:29 . 2010-04-12 13:29 d-----w- c:\program files\QIP 2010
2010-03-18 03:17 . 2010-03-18 03:17 152576 ----a-w- c:\d&s\Администратор\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-18 03:17 . 2010-03-18 03:16 79488 ----a-w- c:\d&s\Администратор\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
Sigcheck

[-] 2009-04-26 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-05-30 . 99899FB9138987708CD47BA7BF1EB308 . 2188800 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-05-30 . A7FDF871519A3D737D917B04D2542BE8 . 584192 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[7] 2008-04-14 . A9CDF92EA1CFFB67448EF26F5DF21A6F . 579072 . . [5.1.2600.5512] . . c:\windows\ResPatchBackup\user32.dll
[-] 2008-05-30 . 7220FD31EB02BAEE72EDD516939D637C . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2008-05-30 . A0F981D28A6A7811ABC18F7053F27667 . 2065664 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-06-08_11.47.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-27 03:16 . 2009-08-06 13:24 44768 c:\windows\system32\wups2.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 35552 c:\windows\system32\wups.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-06-10 05:24 . 2009-08-06 13:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-06-10 05:24 . 2009-08-06 13:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-05-30 22:19 . 2009-08-06 13:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-05-30 22:19 . 2009-08-06 13:24 96480 c:\windows\system32\cdm.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 209632 c:\windows\system32\wuweb.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 327896 c:\windows\system32\wucltui.dll
+ 2008-07-24 15:33 . 2009-08-06 13:23 575704 c:\windows\system32\wuapi.dll
+ 2008-07-24 15:31 . 2009-08-06 13:23 215920 c:\windows\system32\muweb.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2008-07-24 15:33 . 2009-08-06 13:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-07-24 15:33 . 2009-08-06 13:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-07-24 15:33 . 2009-08-06 13:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-07-24 15:33 . 2009-08-06 13:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-15 110592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"nltide_3"="advpack.dll" [2008-05-30 124928]
"IE7_012"="advpack.dll" [2008-05-30 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoLogoff"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^D&S^All Users^Главное меню^Программы^Автозагрузка^Matrix.lnk]
path=c:\d&s\All Users\Главное меню\Программы\Автозагрузка\Matrix.lnk
backup=c:\windows\pss\Matrix.lnkCommon Startup

[HKLM\~\startupfolder\C:^D&S^Администратор^Главное меню^Программы^Автозагрузка^healm_voje.lnk]
path=c:\d&s\Администратор\Главное меню\Программы\Автозагрузка\healm_voje.lnk
backup=c:\windows\pss\healm_voje.lnkStartup

[HKLM\~\startupfolder\C:^D&S^Администратор^Главное меню^Программы^Автозагрузка^Total Commander.lnk]
path=c:\d&s\Администратор\Главное меню\Программы\Автозагрузка\Total Commander.lnk
backup=c:\windows\pss\Total Commander.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManualRun]
e:\autorun\AutoRun [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-04 15:02 136176 ----a-w- c:\d&s\Администратор\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 08:01 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 08:01 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-03-23 07:20 227328 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 09:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
2005-07-03 07:20 372736 ----a-w- c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 09:28 577536 ----a-w- c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\utorrent.exe"=
"c:\Program Files\Shareman\Shareman.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [24.07.2008 21:26 16640]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [31.07.2009 18:37 114768]
R2 2GIS UpdateClientService;2GIS UpdateClientService;c:\program files\2gis\UpdateClient\Win32\UpdateClientService.exe [17.09.2008 12:03 1134592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31.07.2009 18:37 20560]
R2 hl_mull;hl_mull;c:\windows\system32\drivers\hl_mull.sys [22.06.2009 22:20 67712]
R3 PSXGamepadEnabler;Psx Hid to Gamepad Port Enabler;c:\windows\system32\drivers\psxpad.sys [28.07.2008 21:32 14592]
R3 PsxPortEnumerator;Psx Port Enumerator;c:\windows\system32\drivers\psxenum.sys [28.07.2008 21:32 19840]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25.07.2008 17:59 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 08:21]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.apeha.ru
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
Handler: solores - {8FA1F4E9-444B-48BF-98CD-B8ECA88E6BA5} - c:\progra~1\Solo9\SoloRes.dll
FF - ProfilePath - c:\d&s\Администратор\Application Data\Mozilla\Firefox\Profiles\b8y8cysi.default
FF - prefs.js: browser.search.selectedEngine - Яндекс
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 16:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
LOCKED REGISTRY KEYS

[HKEY_USERS\S-1-5-21-515967899-1343024091-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook\*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-515967899-1343024091-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e0x*e0]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-1343024091-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e0x*e0\OpenWithList]
@Class="Shell"
.
DLLs Loaded Under Running Processes

- - - - - - - > 'explorer.exe'(1996)
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_rus.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-06-10 16:02:10
ComboFix-quarantined-files.txt 2010-06-10 10:02
ComboFix2.txt 2010-06-08 11:48

Pre-Run: 2 888 654 848 байт свободно
Post-Run: 2 870 239 232 байт свободно

- - End Of File - - 3C7E0CD828DBED213A230FAE6ABB7A78