Hello! Here is the result:
ComboFix 08-12-14.05 - Шу 2009-06-20 2:09:06.1 - NTFSx86
Running from: c:\documents and settings\Шу\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Шу\Рабочий стол\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
— REDUCED FUNCTIONALITY MODE —
FILE ::
c:\documents and settings\Шу\Application Data\bpfeed.dll
c:\windows\system32\SiteAccess.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Шу\Application Data\bpfeed.dll
c:\windows\system32\SiteAccess.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.
2009-06-18 06:23 . 2009-06-18 06:23 1,374 —a—c— c:\windows\imsins.BAK
2009-06-18 06:22 . 2009-06-18 06:23 d—h-c— c:\windows\ie8
2009-06-18 02:01 . 2009-06-20 02:06 dr-h-c— c:\documents and settings\Шу\Recent
2009-06-18 02:01 . 2009-06-20 02:06 dr-h-c— c:\documents and settings\Шу\Recent
2009-06-18 00:13 . 2009-06-18 00:13 d—-c— c:\documents and settings\All Users.WINDOWS\Application Data\FreshGames
2009-06-17 21:02 . 2009-06-17 21:03 d—-c— C:\rsit
2009-06-17 21:02 . 2009-06-20 01:58 d—-c— c:\program files\trend micro
2009-06-17 05:11 . 2009-06-17 05:15 d—-c— c:\program files\SuperAX
2009-06-17 02:45 . 2009-06-17 02:45 d—hsc— C:\Recycled
2009-06-16 23:27 . 2009-06-16 23:27 d—-c— c:\documents and settings\Шу\Application Data\Opera
2009-06-16 17:20 . 2009-06-17 02:42 d—-c— c:\program files\Trojan Remover
2009-06-16 17:20 . 2009-06-16 17:20 d—-c— c:\documents and settings\All Users.WINDOWS\Application Data\Simply Super Software
2009-06-16 15:56 . 2009-06-17 02:42 d—hsc— C:\RECYCLER(3)
2009-06-16 04:01 . 2009-06-17 02:45 d—-c— C:\RECYCLER(2)
2009-06-15 04:21 . 2009-06-20 02:09 6,815,744 —a c:\documents and settings\Шу\ntuser.dat
2009-06-15 04:21 . 2009-06-20 02:09 6,815,744 —a c:\documents and settings\Шу\ntuser.dat
2009-06-15 01:31 . 2009-06-15 01:31 d—-c— c:\program files\SiteAccess
2009-06-12 03:09 . 2009-06-12 03:09 d—-c— c:\documents and settings\All Users.WINDOWS\Application Data\ВеселаяФерма2
2009-06-12 03:00 . 2009-06-18 00:44 d—-c— c:\program files\Alawar.ru
2009-06-11 23:30 . 2009-05-01 01:16 246,272 c— c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 23:30 . 2009-05-01 01:16 12,800 c— c:\windows\system32\dllcache\xpshims.dll
2009-06-08 03:17 . 2009-06-15 03:57 d—-c— c:\program files\WebTV
2009-06-08 03:17 . 2005-03-14 18:27 338,432 —a—c— c:\windows\system32\3dabm7u.ocx
2009-06-08 03:17 . 2003-04-21 14:09 245,408 —a—c— c:\windows\system32\unicows.dll
2009-06-08 03:17 . 2005-09-17 02:34 227,840 c— c:\windows\system32\tssOfficeMenu1d.ocx
2009-06-08 03:17 . 1998-06-24 00:00 115,016 —a—c— c:\windows\system32\MSINET.OCX
2009-06-08 03:17 . 2000-12-06 01:00 109,248 —a—c— c:\windows\system32\MSWINSCK.OCX
2009-06-08 03:17 . 2002-12-11 20:38 47,104 c— c:\windows\system32\declrds.ax
2009-06-02 01:50 . 2009-06-17 02:46 d—-c— c:\program files\LoviVkontakte
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 22:14 dc—-w c:\documents and settings\Шу\Application Data\Orbit
2009-06-18 02:41 dc—-w c:\documents and settings\Шу\Application Data\Lavasoft
2009-06-18 01:09 721,904 —-a-w c:\windows\system32\drivers\sptd.sys
2009-06-18 01:04 dc—-w c:\documents and settings\Шу\Application Data\uTorrent
2009-06-17 01:16 dc—-w c:\program files\AdStoper
2009-06-16 22:42 dc—-w c:\program files\Java
2009-06-16 13:51 dc—-w c:\program files\Mail.Ru
2009-06-14 23:57 dc-h—w c:\program files\InstallShield Installation Information
2009-06-14 23:03 dc—-w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-06-13 22:41 dc—-w c:\program files\Winamp Remote
2009-06-11 23:06 dc—-w c:\documents and settings\All Users.WINDOWS\Application Data\AlawarWrapper
2009-05-17 22:42 dc—-w c:\program files\PRMT8
2009-05-17 22:29 dc—-w c:\documents and settings\All Users.WINDOWS\Application Data\PRMT
2009-05-05 20:26 dc—-w c:\program files\Rambler Assistant
2009-05-04 16:02 dc—-w c:\documents and settings\Шу\Application Data\ICQ
2009-05-04 12:25 dc—-w c:\program files\ICQ6.5
2009-05-04 11:25 dc—-w c:\documents and settings\Шу\Application Data\rambler.ru
2009-04-27 20:05 dc—-w c:\program files\K-Lite Codec Pack
2009-04-27 20:05 dc—-w c:\documents and settings\Шу\Application Data\DivX
2009-04-23 18:02 dc—-w c:\documents and settings\Шу\Application Data\The Path
2009-04-23 00:44 dc—-w c:\program files\Xavior
2009-04-23 00:41 dc—-w c:\documents and settings\Шу\Application Data\Agelong Tree
2008-03-26 21:38 87,608 -c—a-w c:\documents and settings\Администратор\Application Data\inst.exe
2008-03-26 21:38 47,360 -c—a-w c:\documents and settings\Администратор\Application Data\pcouffin.sys
2008-03-26 21:07 556 -c-ha-w c:\program files\pcdocpro.exe.manifest
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-17 1266992]
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-04-15 3699488]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-04-15 3699488]
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"ICQ"="c:\progra~1\ICQ6.5\ICQ.exe" [2009-03-01 172792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"DSLSTATEXE"="c:\program files\D-Link\DSL-200\dslstat.exe" [2005-12-12 344064]
"DSLAGENTEXE"="c:\program files\D-Link\DSL-200\dslagent.exe" [2005-08-25 65536]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-01-24 5603000]
"Vetton Wallpapers"="c:\downloads\vw.exe" [2007-05-03 1172480]
"GrooveMonitor"="d:\program files\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-07 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"LoviVkontakte"="c:\program files\LoviVkontakte\lovivkontakte.exe" [2009-03-26 726016]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 c:\windows\soundman.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Шу\Главное меню\Программы\Автозагрузка
Вырезка экрана и программа запуска для OneNote 2007.lnk - d:\program files\Office12\ONENOTEM.EXE [2007-12-07 101440]
Информер от rp5.ru.lnk - c:\program files\rp5.ru\rp5.exe [2008-12-13 600576]
c:\documents and settings\All Users.WINDOWS\Главное меню\Программы\Автозагрузка
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-08-01 1719496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Hfs\Hfs.exe"=
"c:\Program Files\Orbitdownloader\orbitdm.exe"=
"c:\Program Files\Orbitdownloader\orbitnet.exe"=
"c:\Program Files\Internet Explorer\iexplore.exe"=
"c:\Program Files\uTorrent\utorrent.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\QIP\qip.exe"=
"d:\Program Files\Office12\OUTLOOK.EXE"=
"d:\Program Files\Office12\GROOVE.EXE"=
"d:\Program Files\Office12\ONENOTE.EXE"=
"c:\Program Files\ICQLite\ICQ.exe"=
"c:\Program Files\Winamp Remote\bin\Orb.exe"=
"c:\Program Files\Winamp Remote\bin\OrbTray.exe"=
"c:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=
"c:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=
"c:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"=
"c:\Program Files\ICQ6.5\ICQ.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-05-15 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-05-15 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-12-12 222456]
R2 LoviVkontakteService;LoviVkontake Service;c:\program files\LoviVkontakte\VkontakteService.exe [2009-06-02 476672]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c99498b-a424-11dc-8ef7-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-06-19 c:\windows\Tasks\User_Feed_Synchronization-{7E654ACB-1BBB-4723-8E60-902208151B9F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.yandex.ru/?clid=48084
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: &Winamp Search - c:\documents and settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Экспорт в Microsoft Excel - d:\progra~1\Office12\EXCEL.EXE/3000
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Добавить в Rambler-Закладки - c:\program files\Rambler Assistant\ramblertoolbarU0.dll/zakladki.htm
IE: Найти с помощью Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU0.dll/search.htm
IE: Перевести с помощью словарей Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU0.dll/dic.htm
IE: Поиск@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/282
IE: Словари@Mail.Ru - c:\program files\Mail.Ru\Sputnik\MailRuSputnik.dll/283
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - -
TCP: {27A7621B-6FE8-4F15-9489-99DF7384949D} = 212.48.193.36 212.48.193.38
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 02:12:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
c:\windows\TEMP\_av_proI.tm~a02324
c:\windows\TEMP\_av_proI.tm~a02324\setup.lok 0 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
Other Running Processes
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-06-20 2:18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 22:18:23
ComboFix2.txt 2009-06-15 23:29:36
Pre-Run: 1 864 918 016 байт свободно
Post-Run: 1,859,033,600 байт свободно
222 --- E O F --- 2009-06-18 09:39:48

