Re: Re: Помогите избавиться от….

[luna696]

Добрый вечер!
Вот что получилось..

ComboFix 10-11-25.05 — Admin 26.11.2010 16:38:09.1.1 — FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.383.197 [GMT 3:00]
Running from: c:documents and settingsAdminРабочий столComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr0.dat
c:documents and settingsAll UsersApplication DataMicrosoftNetworkDownloaderqmgr1.dat
c:program filesCommon Fileskeylog.txt
c:program filesCommon FilesWM
c:program filesMail.RuAgentMradllnewmrasearch.dll
c:windowssystem32Пузыри.scr

---

BITS: Possible infected sites

---

hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-25 17:30 . 2010-11-25 17:30

---

d

---

w- C:FOUND.011
2010-11-23 14:10 . 2010-11-23 14:10

---

d

---

w- c:documents and settingsAdminLocal SettingsApplication DataApple Computer
2010-11-23 14:10 . 2010-11-23 14:10

---

d

---

w- c:documents and settingsAdminApplication DataApple Computer
2010-11-23 14:10 . 2010-11-23 14:10

---

d

---

w- c:program filesSafari
2010-11-23 14:10 . 2010-11-23 14:10

---

d

---

w- c:documents and settingsAll UsersApplication DataApple Computer
2010-11-23 14:09 . 2010-11-23 14:10

---

d

---

w- c:program filesBonjour
2010-11-23 14:09 . 2010-11-23 14:09

---

d

---

w- c:program filesCommon FilesApple
2010-11-23 14:09 . 2010-11-23 14:09

---

d

---

w- c:documents and settingsAdminLocal SettingsApplication DataApple
2010-11-23 14:09 . 2010-11-23 14:09

---

d

---

w- c:program filesApple Software Update
2010-11-23 14:09 . 2010-11-23 14:09

---

d

---

w- c:documents and settingsAll UsersApplication DataApple
2010-11-22 17:42 . 2010-11-22 17:42

---

d

---

w- c:program filestrend micro
2010-11-22 17:42 . 2010-11-22 17:42

---

d

---

w- C:rsit
2010-11-22 12:53 . 2010-11-22 12:53

---

d

---

w- c:program filesIObit
2010-11-21 08:32 . 2010-11-21 08:32

---

d

---

w- c:documents and settingsAll UsersApplication DataIObit
2010-11-20 22:16 . 2010-11-20 22:16

---

d

---

w- c:documents and settingsAll UsersApplication DataRegSERVO
2010-11-20 22:16 . 2010-11-20 22:16

---

d

---

w- c:program filesREGSERVO
2010-11-14 15:57 . 2010-11-14 15:57

---

d

---

w- C:FOUND.010
2010-11-07 10:31 . 2010-11-07 10:31

---

d

---

w- C:FOUND.009
2010-11-06 16:22 . 2010-11-06 16:22

---

d

---

w- c:documents and settingsAll UsersApplication DataPrincess Isabella
2010-10-31 17:21 . 2010-10-31 17:21

---

d

---

w- c:program filesiColorFolder
2010-10-31 17:21 . 2010-10-31 17:21

---

d

---

w- c:program filesOO Software
2010-10-31 17:20 . 2010-10-31 17:20

---

d

---

w- c:program filesPower Data Recovery
2010-10-31 17:20 . 2010-10-31 17:20

---

d

---

w- c:program filesDriver-soft
2010-10-31 17:20 . 2010-10-31 17:20

---

d

---

w- c:program filesEverest
2010-10-31 17:20 . 2010-10-31 17:20

---

d

---

w- c:documents and settingsAdminApplication DataFastStone
2010-10-31 17:19 . 2010-10-31 17:19

---

d

---

w- c:program filesFSImgViewer
2010-10-31 17:19 . 2010-10-31 17:19

---

d

---

w- c:program filesUninstall Tool
2010-10-31 13:33 . 2010-10-31 13:33

---

d

---

w- c:program filesRealtek Sound Manager
2010-10-31 13:33 . 2010-10-31 13:33

---

d

---

w- c:program filesAvRack
2010-10-31 13:33 . 2010-10-31 13:33

---

d

---

w- c:program filesRealtek AC97
2010-10-31 13:33 . 2005-05-18 05:38 40960

---

r- c:windowssystem32ChCfg.exe
2010-10-31 13:33 . 2005-06-02 08:31 294912

---

r- c:windowsalcupd.exe
2010-10-31 13:31 . 2005-03-04 18:10 74496 —-a-w- c:windowssystem32driversRtlnicxp.sys
2010-10-31 13:31 . 2010-10-31 13:31

---

d

---

w- c:windowsOPTIONS
2010-10-31 13:31 . 2010-10-31 13:31

---

d

---

w- c:program filesCommon FilesInstallShield
2010-10-31 13:23 . 2010-10-31 13:23

---

d

---

w- c:program filesIntel
2010-10-31 13:21 . 2005-01-19 01:45 778752

---

w- c:windowssystem32autorun.exe
2010-10-30 18:04 . 2010-10-30 18:04

---

d

---

w- C:FOUND.008
2010-10-29 22:36 . 2010-10-29 22:36

---

d

---

w- C:FOUND.007
2010-10-29 22:24 . 2010-10-29 22:24

---

d

---

w- C:FOUND.006
2010-10-29 13:05 . 2010-10-29 13:05

---

d

---

w- c:documents and settingsAdminLocal SettingsApplication DataMicrosoft Help
2010-10-29 13:05 . 2010-10-29 13:05

---

d

---

w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2010-10-29 13:04 . 2010-10-29 13:04

---

d

---

r- C:MSOCache
2010-10-29 13:02 . 2010-10-29 13:02

---

d

---

w- c:program filesFoxit Reader
2010-10-29 13:02 . 2010-10-29 13:02

---

d

---

w- c:windowssystem32AkelFiles
2010-10-29 13:02 . 2010-10-29 13:02

---

d

---

w- c:program filesPunto Switcher
2010-10-28 18:40 . 2010-10-28 18:40

---

d

---

w- c:program filesCarambis
2010-10-28 18:40 . 2010-10-28 18:40

---

d—h—w- c:program filesInstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

---

Sigcheck

---

[-] 2009-09-13 . 6A104BA98D99D53AB0C91825CE659FC6 . 361600 . . [5.1.2600.5625] . . c:windowssystem32driverstcpip.sys

[-] 2009-09-13 . 85315C6F61092584BCD96A1EF8A02B4C . 78360 . . [7.2.6001.788] . . c:windowssystem32wuauclt.exe

[-] 2009-09-13 . 23B7D3F3F5EC8FEEA75EC381C71CBD5E . 579072 . . [5.1.2600.5512] . . c:windowssystem32user32.dll

[-] 2009-09-13 . 7BF5762CE65A58B7C15B78673F3C3DD3 . 1040384 . . [8.00.6001.22896] . . c:windowssystem32wininet.dll

[-] 2009-09-13 . B8D3A575A3C0E1A4B724E2BD05394E60 . 1721344 . . [6.00.2900.5512] . . c:windowsexplorer.exe

[-] 2009-09-13 . AB778E794E8F39D0D387A440AD356944 . 1571840 . . [5.1.2600.5512] . . c:windowssystem32sfcfiles.dll

[-] 2009-09-13 . C4C2628D119D2FF1B7723E084F4B181E . 30208 . . [5.1.2600.5512] . . c:windowssystem32ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]
«uTorrent»=»c:program filesuTorrentuTorrent.exe» [2010-08-19 327472]
«Floomby»=»d:floombyfloomby.exe» [2008-10-27 611328]
«Driver Updater»=»c:program filesCarambisDriver Updaterdupdater.exe» [2009-12-04 4822016]
«Punto Switcher»=»c:program filesPunto Switcherps.exe» [2007-11-14 201728]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2009-08-17 13877248]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2009-08-17 86016]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2009-03-19 2029640]
«Guard.Mail.ru.gui»=»c:program filesMail.RuGuardGuardMailRu.exe» [2010-08-19 973168]
«MAgent»=»c:program filesMail.RuAgentMAgent.exe» [2010-08-19 7975608]
«BluetoothAuthenticationAgent»=»bthprops.cpl» [2008-04-15 110592]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 9.0ReaderReader_sl.exe» [2010-09-23 35760]
«Adobe ARM»=»c:program filesCommon FilesAdobeARM1.0AdobeARM.exe» [2010-09-20 932288]
«SoundMan»=»SOUNDMAN.EXE» [2005-06-20 77824]
«OODefragTray»=»c:windowssystem32oodtray.exe» [2007-05-10 2512392]
«IObit Security 360″=»g:программыIObitIObit Security 360IS360tray.exe» [2009-12-24 1280272]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2009-09-13 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE8_01″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» [2009-09-13 128512]
«IE8_02″=»advpack.dll» [2009-09-13 128512]

c:documents and settingsAll Usersѓ« ў­®Ґ ¬Ґ­оЏа®Ја ¬¬лЂўв®§ Јаг§Є 
BlueSoleil.lnk — c:program filesIVT CorporationBlueSoleilBlueSoleil.exe [2006-7-16 626176]

[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)

[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolsession manager]
BootExecute REG_MULTI_SZ autocheck autochk *OODBS

[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«FirewallOverride»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusOverride»=dword:00000001

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=

R0 sptd;sptd;c:windowssystem32driverssptd.sys [02.10.2005 19:57 722416]
R1 ehdrv;ehdrv;c:windowssystem32driversehdrv.sys [19.03.2009 11:44 107256]
R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [19.03.2009 11:45 93848]
R2 ekrn;ESET Service;c:program filesESETESET NOD32 Antivirusekrn.exe [19.03.2009 11:44 731840]
S2 Guard.Mail.ru;Guard.Mail.ru;c:program filesMail.RuGuardGuardMailRu.exe [20.08.2010 1:14 973168]
S2 IS360service;IS360service;c:program filesIObitIObit Security 360is360srv.exe [22.11.2010 15:53 312152]

— Other Services/Drivers In Memory —

*NewlyCreated* — SRSERVICE
.
Contents of the ‘Scheduled Tasks’ folder

2010-11-21 c:windowsTasksRegSERVO.job
— c:program filesREGSERVORegSERVO.exe [2010-08-19 16:45]

2010-11-23 c:windowsTasksAppleSoftwareUpdate.job
— c:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.yandex.ru/?clid=155842
uInternet Settings,ProxyOverride = *.local
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~1OFFICE11EXCEL.EXE/3000
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} — c:program filesMail.RuAgentmagent.exe
TCP: {D6965B2B-0D69-484F-B385-E5D9734EC993} = 212.48.193.36,212.48.193.37
.
— — — — ORPHANS REMOVED — — — —

Toolbar-{91397D20-1446-11D4-8AF4-0040CA1127B6} — (no file)
Toolbar-ITBar7Position — (no file)
HKCU-Run-Praetorian — c:documents and settingsAdminLocal SettingsApplication DataYandexUpdaterpraetorian.exe
HKLM-Run-AutoRun — e:autorunAutoRun.exe
AddRemove-BFG-Feeding Frenzy 2 Shipwreck Showdown — c:program filesFeeding Frenzy 2 Shipwreck ShowdownUninstall.exe
AddRemove-Everest — c:program filesEverestUninstall.exe
AddRemove-Power Data Recovery 4.1.1 — c:program filesPower Data RecoveryUninstall.exe
AddRemove-Фишдом 2 — c:program filesAlawarФишдом 2Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 16:42
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘winlogon.exe'(868)
c:windowssystem32cscui.dll
.
Completion time: 2010-11-26 16:43:55
ComboFix-quarantined-files.txt 2010-11-26 13:43

Pre-Run: 4 351 729 664 байт свободно
Post-Run: 6 778 421 248 байт свободно

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
UnsupportedDebug=»do not select this» /debug
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /execute /fastdetect

— — End Of File — — 07069891ECA20877601F282553748E5A