[82]

Спасибо Вам большое, радости моей нет предела))) Наконец в интернет можно зайти с удовольствием!!!!
Вот только антивирусник выдает угрозу «модифицированный win32/Hexzone.AL троянская программа «

ComboFix 09-04-28.07 — Олег 29.04.2009 20:04.2 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.512.274 [GMT 4:00]
Running from: c:documents and settingsОлегРабочий столComboFix.exe
Command switches used :: c:documents and settingsОлегРабочий столCFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:documents and settingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:documents and settingsОлегLocal SettingsTemporary Internet Files0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files15913497_F86C_4218_8817_F50940D1E1B2.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files3DF04940_9866_4241_A998_0CDDFAFD147A.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files426500D7_0FF3_426c_828D_065DBAEA0581.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files8DA878D5_E80B_4721_B75A_17EFFAF1A700.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet FilesC75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
c:documents and settingsОлегLocal SettingsTemporary Internet FilesE21285C1_40E6_435c_A69F_3387E7BD89CB.jpg
c:documents and settingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 20:33 . 2009-04-28 20:33

---

d

---

w c:documents and settingsОлегApplication DataSmart Panel
2009-04-28 20:21 . 2001-10-19 08:19 57344 —-a-w c:windowssystem32PyWinTypes21.dll
2009-04-28 20:21 . 2001-10-19 08:18 290919 —-a-w c:windowssystem32pythoncom21.dll
2009-04-28 20:21 . 2001-10-19 08:18 708696 —-a-w c:windowssystem32python21.dll
2009-04-28 20:21 . 2009-04-28 20:21

---

d

---

w c:program filesCommon FilesPython
2009-04-28 20:19 . 1999-12-06 22:03 73216 —-a-w c:windowsADE.DLL
2009-04-28 20:19 . 1999-04-26 20:17 3136 —-a-w c:windowsAde001.bin
2009-04-28 20:19 . 1999-06-15 07:31 96768 —-a-w c:windowsSlantAdj.dll
2009-04-28 20:18 . 2009-04-28 20:21

---

d

---

w c:program filesSmart Panel
2009-04-28 20:17 . 2003-03-28 12:56 176128 —-a-w c:windowssystem32ESWIA30.dll
2009-04-28 20:17 . 2003-03-28 12:57 278528 —-a-w c:windowssystem32esint30.dll
2009-04-28 20:17 . 2003-03-28 12:50 64000 —-a-w c:windowssystem32ESFW30.BIN
2009-04-28 20:00 . 2009-04-28 20:00

---

d

---

w c:documents and settingsОлегApplication DataEPSON
2009-04-28 19:58 . 1999-09-10 10:09 385024 —-a-w c:windowssystem32Vbar332.dll
2009-04-28 19:58 . 1998-06-30 11:13 78608 —-a-w c:windowssystem32Vb5db.dll
2009-04-28 19:58 . 1999-05-05 18:22 430080 —-a-w c:windowssystem32Msrepl35.dll
2009-04-28 19:58 . 1999-08-04 10:00 294912 —-a-w c:windowssystem32Msxbse35.dll
2009-04-28 19:58 . 1999-08-04 10:00 176128 —-a-w c:windowssystem32Mstext35.dll
2009-04-28 19:58 . 1999-08-04 10:00 262144 —-a-w c:windowssystem32Msrd2x35.dll
2009-04-28 19:58 . 1998-06-30 11:13 250128 —-a-w c:windowssystem32mspdox35.dll
2009-04-28 19:58 . 1998-06-30 11:13 166160 —-a-w c:windowssystem32msltus35.dll
2009-04-28 19:58 . 1999-05-05 18:22 1056768 —-a-w c:windowssystem32Msjet35.dll
2009-04-28 19:58 . 1999-08-04 10:00 262144 —-a-w c:windowssystem32Msexcl35.dll
2009-04-28 19:58 . 1998-07-28 10:54 24848 —-a-w c:windowssystem32msjter35.dll
2009-04-28 19:58 . 1998-07-28 10:54 123664 —-a-w c:windowssystem32msjint35.dll
2009-04-28 19:57 . 2009-04-28 19:57 39936 —-a-w c:windowssystem32driversCDAC11BA.EXE
2009-04-28 19:57 . 2009-04-28 19:57

---

d

---

w c:documents and settingsОлегLocal SettingsApplication DataABBYY
2009-04-28 19:57 . 2009-04-28 19:57

---

d

---

w c:documents and settingsОлегApplication DataABBYY
2009-04-28 19:56 . 2009-04-28 19:56

---

d

---

w c:program filesABBYY
2009-04-28 19:56 . 2001-11-02 11:26 163840 —-a-w c:windowssystem32PhotoImpression Screen Saver.scr
2009-04-28 19:55 . 2009-04-28 19:55

---

d

---

w c:program filesArcSoft
2009-04-28 19:55 . 1999-05-26 05:46 212480 —-a-w c:windowspcdlib32.dll
2009-04-28 19:51 . 2003-03-09 20:00 217088 —-a-w c:windowssystem32ESDTR.dll
2009-04-28 19:51 . 2009-04-28 20:17

---

d

---

w c:program filesEPSON
2009-04-27 07:38 . 2009-04-27 07:38

---

d

---

w c:documents and settingsAll UsersApplication DataAlawarWrapper
2009-04-27 07:26 . 2009-04-27 07:26

---

d

---

w c:documents and settingsОлегApplication DataIntenium
2009-04-27 07:25 . 2009-04-27 07:25

---

d

---

w c:documents and settingsAll UsersApplication DataEgoset
2009-04-27 07:22 . 2009-04-27 07:22

---

d

---

w c:documents and settingsОлегLocal SettingsApplication DataAstar Games
2009-04-27 07:19 . 2009-04-27 07:19

---

d

---

w c:documents and settingsОлегApplication DataBig Fish Games
2009-04-27 06:56 . 2008-08-24 12:38 5632 —-a-w c:windowssystem32ptpusb.dll
2009-04-27 06:56 . 2008-08-24 12:38 159232 —-a-w c:windowssystem32ptpusd.dll
2009-04-27 06:56 . 2008-08-24 12:38 15104 —-a-w c:windowssystem32driversusbscan.sys
2009-04-04 09:07 . 2009-04-04 09:07

---

d

---

w C:_OTMoveIt
2009-03-31 18:56 . 2009-04-09 17:58

---

d

---

w c:program filestrend micro
2009-03-31 18:55 . 2009-03-31 18:58

---

d

---

w C:rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 20:21 . 2009-01-26 18:10

---

d—h—w c:program filesInstallShield Installation Information
2009-04-28 19:13 . 2009-02-05 10:10 10 —-a-w c:windowspopcinfo.dat
2009-04-26 08:51 . 2009-03-14 19:27

---

d

---

w c:program filesVKLife
2009-04-24 18:30 . 2009-03-10 16:16 64760 —-a-w c:documents and settingsОлегLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-03-30 18:26 . 2008-04-15 12:00 60268 —-a-w c:windowssystem32perfc019.dat
2009-03-30 18:26 . 2008-04-15 12:00 382690 —-a-w c:windowssystem32perfh019.dat
2009-03-20 15:15 . 2009-01-26 19:29

---

d

---

w c:program filesCommon FilesAdobe
2009-03-14 14:51 . 2009-03-14 14:51 1075727 —-a-w C:VKLife_1.7.2.exe
2009-03-13 12:08 . 2009-03-13 12:08

---

d

---

w c:program filesPiter
2009-02-06 15:05 . 2009-01-22 20:48 86327 —-a-w c:windowspchealthhelpctrOfflineCacheindex.dat
.

---

Sigcheck

---

[7] 2008-04-14 17:40 579072 A9CDF92EA1CFFB67448EF26F5DF21A6F c:windowsResPatchBackupuser32.dll
[-] 2008-08-24 11:42 584192 A7FDF871519A3D737D917B04D2542BE8 c:windowssystem32user32.dll

[-] 2008-08-24 08:33 361344 68F06FE0021B01E670AF37B8C5964FDF c:windowssystem32driverstcpip.sys

[-] 2008-08-24 11:41 2207104 A641FA92BC7FA1CEFAD6D65C1F81F9F5 c:windowssystem32ntkrnlpa.exe

[-] 2008-08-24 08:33 2330240 65D8AF7191E4178ADFECE79A6921A7D0 c:windowssystem32ntoskrnl.exe

[-] 2009-01-22 20:56 1571840 5C3EF45F905CF96C4E17E842BB5FD4E7 c:windowssystem32SfcFiles.dll
[-] 2009-01-22 20:56 1571840 5C3EF45F905CF96C4E17E842BB5FD4E7 c:windowssystem32dllcacheSfcFiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_18.19.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 20:17 . 2003-03-31 07:55 29696 c:windowstwain_32ESCNDVffmtEptifres.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 86016 c:windowstwain_32ESCNDVffmtEptif.dll
+ 2009-04-28 20:17 . 2003-04-04 14:02 30208 c:windowstwain_32ESCNDVffmtEppdfres.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 90112 c:windowstwain_32ESCNDVffmtEpPdf.dll
+ 2009-04-28 20:17 . 2003-03-31 07:54 29696 c:windowstwain_32ESCNDVffmtEpmtfres.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 90112 c:windowstwain_32ESCNDVffmtEpmtf.dll
+ 2009-04-28 20:17 . 2003-03-31 07:54 29696 c:windowstwain_32ESCNDVffmtEpjpgres.dll
+ 2009-04-28 20:17 . 2002-06-24 20:00 94208 c:windowstwain_32ESCNDVffmtEpIpd.dll
+ 2009-04-28 20:17 . 2003-03-31 07:53 29184 c:windowstwain_32ESCNDVffmtEpbmpres.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 69632 c:windowstwain_32ESCNDVffmtEpBmp.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 98304 c:windowstwain_32ESCNDVEsUtwb.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 40960 c:windowstwain_32ESCNDVestwm.exe
+ 2009-04-28 20:17 . 2000-10-10 20:00 53248 c:windowstwain_32ESCNDVESICM.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 53248 c:windowstwain_32ESCNDVEsDsCl.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 98304 c:windowstwain_32ESCNDVEsDevIF.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 65536 c:windowstwain_32ESCNDVEscndv.exe
+ 2009-04-28 19:56 . 2009-04-28 19:56 40960 c:windowsInstaller{D1696920-9794-4BBC-8A30-7A88763DE5A2}_484CB0295F08_478A_B1B2_10A83BCE8075.exe
+ 2009-04-28 19:57 . 2009-04-28 19:57 25214 c:windowsInstaller{AF600F7B-67A7-48D9-BA3B-0FF97F35F970}FR.exe
+ 2009-04-28 20:17 . 2002-08-13 04:19 110592 c:windowstwain_32ESCNDVpfudsrv.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 143360 c:windowstwain_32ESCNDVffmtEpjpg.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 499712 c:windowstwain_32ESCNDVEsUI.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 184320 c:windowstwain_32ESCNDVEsTWPMG.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 192512 c:windowstwain_32ESCNDVEsScnCl.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 204800 c:windowstwain_32ESCNDVESIMGCTL.DLL
+ 2009-04-28 20:17 . 2002-09-10 20:00 233472 c:windowstwain_32ESCNDVEsImFl.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 114688 c:windowstwain_32ESCNDVESFIT.DLL
+ 2009-04-28 20:17 . 2003-02-26 20:00 151552 c:windowstwain_32ESCNDVEsDevCl.dll
+ 2009-04-28 20:17 . 2003-02-26 20:00 114688 c:windowstwain_32ESCNDVEscfg.exe
+ 2009-04-25 20:30 . 2009-04-29 15:02 202141 c:windowssystem32inetsrvMetaBase.bin
+ 2009-04-25 20:30 . 2009-04-25 20:30 286720 c:windowssystem32configsystemprofilentuser.dat
+ 2009-04-28 19:57 . 2009-04-28 19:57 294912 c:windowsInstaller{AF600F7B-67A7-48D9-BA3B-0FF97F35F970}_BF8B559013DF_491F_B1F5_D330A0E77264.exe
+ 2009-04-28 20:17 . 2003-05-28 13:45 2029056 c:windowstwain_32ESCNDVesres.dll
+ 2009-04-26 08:42 . 2009-04-26 08:52 3118256 c:windowssystem32Restorerstrlog.dat
.
— Snapshot reset to current date —
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-04-15 15360]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«TaskSwitchXP»=»c:program filesTaskSwitchXPTaskSwitchXP.exe» [2007-03-09 62976]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-05-16 13529088]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-05-16 86016]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-07-01 1447168]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 8.0ReaderReader_sl.exe» [2008-10-14 39792]
«NwOpenMS»=»c:program filesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll» [2007-04-29 609280]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2005-10-28 1519616]
«SoundMan»=»soundman.exe» — c:windowsSOUNDMAN.EXE [2007-05-11 569344]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-15 15360]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2008-08-24 124928]
«IE7_013″=»rebuild.exe» — c:windowssystem32rebuild.exe [2007-11-01 114280]

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«DisableUnicastResponsesToMulticastBroadcast»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=

S1 epfwtdir;epfwtdir;c:windowssystem32DRIVERSepfwtdir.sys [2008-07-01 34312]
S2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [2008-07-01 468224]

.
— — — — ORPHANS REMOVED — — — —

Toolbar-ITBar7Position — (no file)

.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.mail.ru/
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~1OFFICE11EXCEL.EXE/3000
TCP: {87290F9F-6768-4AF1-8E10-BE57BCB3355D} = 91.192.189.2,91.192.189.3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 20:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-29 20:08
ComboFix-quarantined-files.txt 2009-04-29 16:08
ComboFix2.txt 2009-04-23 18:20

Pre-Run: 34 562 416 640 байт свободно
Post-Run: 34 607 484 928 байт свободно

187

[82]

Вот, всё сделала.

ComboFix 09-04-23.A3 — Олег 23.04.2009 22:16.1 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.512.274 [GMT 4:00]
Running from: c:documents and settingsОлегРабочий столComboFix.exe
Command switches used :: c:documents and settingsОлегРабочий столWindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:documents and settingsОлегLocal SettingsTemporary Internet Files0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files15913497_F86C_4218_8817_F50940D1E1B2.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files3DF04940_9866_4241_A998_0CDDFAFD147A.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files426500D7_0FF3_426c_828D_065DBAEA0581.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif
c:documents and settingsОлегLocal SettingsTemporary Internet Files777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet Files8DA878D5_E80B_4721_B75A_17EFFAF1A700.jpg
c:documents and settingsОлегLocal SettingsTemporary Internet FilesC75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
c:documents and settingsОлегLocal SettingsTemporary Internet FilesE21285C1_40E6_435c_A69F_3387E7BD89CB.jpg
c:windowssystem32Cache

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-04 09:07 . 2009-04-04 09:07

---

d

---

w C:_OTMoveIt
2009-04-04 08:52 . 2009-04-04 08:52

---

d-sha-r C:autorun.inf
2009-03-31 18:55 . 2009-03-31 18:58

---

d

---

w C:rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 17:58 . 2009-03-31 18:56

---

d

---

w c:program filestrend micro
2009-04-04 08:47 . 2009-04-04 08:45 5040 —-a-w C:avenger.txt
2009-03-30 18:26 . 2008-04-15 12:00 60268 —-a-w c:windowssystem32perfc019.dat
2009-03-30 18:26 . 2008-04-15 12:00 382690 —-a-w c:windowssystem32perfh019.dat
2009-03-20 15:15 . 2009-01-26 19:29

---

d

---

w c:program filesCommon FilesAdobe
2009-03-14 19:27 . 2009-03-14 19:27

---

d

---

w c:program filesVKLife
2009-03-14 14:51 . 2009-03-14 14:51 1075727 —-a-w C:VKLife_1.7.2.exe
2009-03-13 12:08 . 2009-03-13 12:08

---

d

---

w c:program filesPiter
2009-03-10 16:16 . 2009-03-10 16:16 64760 —-a-w c:documents and settingsОлегLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-02-22 22:27 . 2009-02-22 22:27

---

d

---

w c:program filesИгры от NevoSoft
2009-02-06 15:05 . 2009-01-22 20:48 86327 —-a-w c:windowspchealthhelpctrOfflineCacheindex.dat
2009-01-22 20:53 . 2009-01-22 20:53 16384 —sha-w c:windowssystem32configsystemprofileCookiesindex.dat
2009-01-22 20:53 . 2009-01-22 20:53 32768 —sha-w c:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
2009-01-22 20:53 . 2009-01-22 20:53 32768 —sha-w c:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5MSHist012009012220090123index.dat
2009-01-22 20:53 . 2009-01-22 20:53 32768 —sha-w c:windowssystem32configsystemprofileLocal SettingsTemporary Internet FilesContent.IE5index.dat
.

---

Sigcheck

---

[7] 2008-04-14 17:40 579072 A9CDF92EA1CFFB67448EF26F5DF21A6F c:windowsResPatchBackupuser32.dll
[-] 2008-08-24 11:42 584192 A7FDF871519A3D737D917B04D2542BE8 c:windowssystem32user32.dll

[-] 2008-08-24 08:33 361344 68F06FE0021B01E670AF37B8C5964FDF c:windowssystem32driverstcpip.sys

[-] 2008-08-24 11:41 2207104 A641FA92BC7FA1CEFAD6D65C1F81F9F5 c:windowssystem32ntkrnlpa.exe

[-] 2008-08-24 08:33 2330240 65D8AF7191E4178ADFECE79A6921A7D0 c:windowssystem32ntoskrnl.exe

[-] 2009-01-22 20:56 1571840 5C3EF45F905CF96C4E17E842BB5FD4E7 c:windowssystem32SfcFiles.dll
[-] 2009-01-22 20:56 1571840 5C3EF45F905CF96C4E17E842BB5FD4E7 c:windowssystem32dllcacheSfcFiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~Browser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}]
2007-04-19 15:20 609280 —-a-w c:documents and settingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-04-15 15360]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«TaskSwitchXP»=»c:program filesTaskSwitchXPTaskSwitchXP.exe» [2007-03-09 62976]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2008-05-16 13529088]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2008-05-16 86016]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-07-01 1447168]
«Adobe Reader Speed Launcher»=»c:program filesAdobeReader 8.0ReaderReader_sl.exe» [2008-10-14 39792]
«nwiz»=»nwiz.exe» — c:windowssystem32nwiz.exe [2005-10-28 1519616]
«SoundMan»=»soundman.exe» — c:windowsSOUNDMAN.EXE [2007-05-11 569344]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-04-15 15360]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2008-08-24 124928]
«IE7_013″=»rebuild.exe» — c:windowssystem32rebuild.exe [2007-11-01 114280]

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)
«DisableUnicastResponsesToMulticastBroadcast»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=

S1 epfwtdir;epfwtdir;c:windowssystem32DRIVERSepfwtdir.sys [2008-07-01 34312]
S2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [2008-07-01 468224]

.
— — — — ORPHANS REMOVED — — — —

Toolbar-ITBar7Position — (no file)
HKLM-Run-NwOpenMS — c:program filesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll

.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.mail.ru/
IE: &Экспорт в Microsoft Excel — c:progra~1MICROS~1OFFICE11EXCEL.EXE/3000
TCP: {87290F9F-6768-4AF1-8E10-BE57BCB3355D} = 91.192.189.2,91.192.189.3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 22:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-23 22:20
ComboFix-quarantined-files.txt 2009-04-23 18:20

Pre-Run: 37 660 778 496 байт свободно
Post-Run: 37 684 895 744 байт свободно

WindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT=»Microsoft Windows Recovery Console» /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=»Microsoft Windows XP Professional RU» /noexecute=optin /fastdetect

119

[82]

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AAF01C24-2681-4FE6-9EDC-F7772F810E73}\ deleted successfully.
========== FILES ==========
C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll unregistered successfully.
C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll moved successfully.
========== COMMANDS ==========
User’s Temp folder emptied.
User’s Internet Explorer cache folder emptied.
File delete failed. C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5W4ZFSFV0viewtopic[1].htm scheduled to be deleted on reboot.
File delete failed. C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5index.dat scheduled to be deleted on reboot.
User’s Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:Documents and SettingsLocalServiceLocal SettingsTemporary Internet FilesContent.IE5index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer — Version 1.0.10.0 log created on 04092009_215212

Files moved on Reboot…
C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5W4ZFSFV0viewtopic[1].htm moved successfully.

и RSIT лог

Logfile of random’s system information tool 1.06 (written by random/random)
Run by Олег at 2009-04-09 21:58:33
Microsoft Windows XP Professional Service Pack 3
System drive C: has 36 GB (89%) free of 40 GB
Total RAM: 512 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:58:36, on 09.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesESETESET NOD32 Antivirusekrn.exe
C:WINDOWSsystem32inetsrvinetinfo.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSnotepad.exe
C:Program FilesTaskSwitchXPTaskSwitchXP.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:Program FilesESETESET NOD32 Antivirusegui.exe
C:Program FilesAdobeReader 8.0ReaderReader_sl.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsОлегРабочий столRSIT.exe
C:Program Filestrend microОлег.exe

R1 — HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.mail.ru/
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 — HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
O2 — BHO: yvqdiquP — {068119DB-00E9-416A-AC2E-9F837E6FB3C3} — C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll
O2 — BHO: Adobe PDF Reader Link Helper — {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} — C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O4 — HKLM..Run: [TaskSwitchXP] C:Program FilesTaskSwitchXPTaskSwitchXP.exe
O4 — HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 — HKLM..Run: [nwiz] nwiz.exe /install
O4 — HKLM..Run: [SoundMan] soundman.exe
O4 — HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 — HKLM..Run: [egui] «C:Program FilesESETESET NOD32 Antivirusegui.exe» /hide /waitservice
O4 — HKLM..Run: [Adobe Reader Speed Launcher] «C:Program FilesAdobeReader 8.0ReaderReader_sl.exe»
O4 — HKLM..Run: [NwOpenMS] rundll32.exe «C:Program FilesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll»,DllRegisterServer
O4 — HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 — HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_013] rebuild.exe (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 — HKUSS-1-5-20..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘NETWORK SERVICE’)
O4 — HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘SYSTEM’)
O4 — HKUSS-1-5-18..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘SYSTEM’)
O4 — HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘Default user’)
O4 — HKUS.DEFAULT..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘Default user’)
O8 — Extra context menu item: &Экспорт в Microsoft Excel — res://C:PROGRA~1MICROS~1OFFICE11EXCEL.EXE/3000
O9 — Extra button: Справочные материалы — {92780B25-18CC-41C8-B9BE-3C9C571A8263} — C:PROGRA~1MICROS~1OFFICE11REFIEBAR.DLL
O9 — Extra button: (no name) — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra button: Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O9 — Extra ‘Tools’ menuitem: Windows Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O17 — HKLMSystemCCSServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O17 — HKLMSystemCS1ServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O17 — HKLMSystemCS2ServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O23 — Service: Eset HTTP Server (EhttpSrv) — ESET — C:Program FilesESETESET NOD32 AntivirusEHttpSrv.exe
O23 — Service: Eset Service (ekrn) — ESET — C:Program FilesESETESET NOD32 Antivirusekrn.exe
O23 — Service: Журнал событий (Eventlog) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Служба COM записи компакт-дисков IMAPI (ImapiService) — Корпорация Майкрософт — C:WINDOWSsystem32imapi.exe
O23 — Service: NetMeeting Remote Desktop Sharing (mnmsrvc) — Корпорация Майкрософт — C:WINDOWSsystem32mnmsrvc.exe
O23 — Service: NVIDIA Display Driver Service (NVSvc) — NVIDIA Corporation — C:WINDOWSsystem32nvsvc32.exe
O23 — Service: Plug and Play (PlugPlay) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) — Корпорация Майкрософт — C:WINDOWSsystem32sessmgr.exe
O23 — Service: Смарт-карты (SCardSvr) — Корпорация Майкрософт — C:WINDOWSSystem32SCardSvr.exe
O23 — Service: Журналы и оповещения производительности (SysmonLog) — Корпорация Майкрософт — C:WINDOWSsystem32smlogsvc.exe
O23 — Service: Теневое копирование тома (VSS) — Корпорация Майкрософт — C:WINDOWSSystem32vssvc.exe
O23 — Service: Адаптер производительности WMI (WmiApSrv) — Корпорация Майкрософт — C:WINDOWSsystem32wbemwmiapsrv.exe

—
End of file — 6284 bytes

======Registry dump======

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}]
LA Data Provider — C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll [2007-04-09 609280]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper — C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
«TaskSwitchXP»=C:Program FilesTaskSwitchXPTaskSwitchXP.exe [2007-03-09 62976]
«NvCplDaemon»=C:WINDOWSsystem32NvCpl.dll [2008-05-16 13529088]
«nwiz»=nwiz.exe /install []
«SoundMan»=C:WINDOWSsoundman.exe [2007-05-11 569344]
«NvMediaCenter»=C:WINDOWSsystem32NvMcTray.dll [2008-05-16 86016]
«egui»=C:Program FilesESETESET NOD32 Antivirusegui.exe [2008-07-01 1447168]
«Adobe Reader Speed Launcher»=C:Program FilesAdobeReader 8.0ReaderReader_sl.exe [2008-10-15 39792]
«NwOpenMS»=C:Program FilesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll [2007-04-09 609280]

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=C:WINDOWSsystem32ctfmon.exe [2008-04-15 15360]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
«dontdisplaylastusername»=0
«legalnoticecaption»=
«legalnoticetext»=
«shutdownwithoutlogon»=1
«undockwithoutlogon»=1

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«NoDriveTypeAutoRun»=36
«NoDriveAutoRun»=FFFFFFFF

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslist]
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicydomainprofileauthorizedapplicationslist]
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»

======List of files/folders created in the last 1 months======

2009-04-04 13:07:58 —-D—- C:_OTMoveIt
2009-04-04 12:52:24 —-RASHD—- C:autorun.inf
2009-04-04 12:45:35 —-A—- C:avenger.txt
2009-03-31 22:56:00 —-D—- C:Program Filestrend micro
2009-03-31 22:55:47 —-D—- C:rsit
2009-03-20 19:15:01 —-D—- C:Program FilesAdobe
2009-03-14 23:27:01 —-D—- C:Program FilesVKLife
2009-03-14 18:51:11 —-A—- C:VKLife_1.7.2.exe
2009-03-13 16:08:39 —-D—- C:Program FilesPiter

======List of files/folders modified in the last 1 months======

2009-04-09 21:55:44 —-D—- C:WINDOWSsystem32inetsrv
2009-04-09 21:54:17 —-D—- C:WINDOWSTemp
2009-04-09 21:52:36 —-A—- C:WINDOWSSchedLgU.Txt
2009-04-09 21:52:23 —-D—- C:WINDOWSPrefetch
2009-04-08 21:45:03 —-D—- C:WINDOWSsystem32CatRoot2
2009-04-04 12:47:45 —-D—- C:WINDOWS
2009-04-04 12:46:40 —-AD—- C:Program Files
2009-04-04 12:45:35 —-AD—- C:WINDOWSsystem32
2009-03-30 22:26:55 —-A—- C:WINDOWSsystem32PerfStringBackup.INI
2009-03-21 16:12:12 —-SHD—- C:WINDOWSInstaller
2009-03-21 02:36:04 —-D—- C:WINDOWSRegistration
2009-03-20 19:15:41 —-D—- C:Program FilesCommon FilesAdobe
2009-03-20 19:15:32 —-D—- C:WINDOWSWinSxS
2009-03-20 19:15:26 —-D—- C:Documents and SettingsAll UsersApplication DataAdobe
2009-03-15 02:13:25 —-SD—- C:Documents and SettingsAll UsersApplication DataMicrosoft
2009-03-14 19:52:55 —-D—- C:Documents and SettingsОлегApplication DataAdobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:WINDOWSsystem32DRIVERSeasdrv.sys [2008-07-01 53256]
R1 epfwtdir;epfwtdir; C:WINDOWSsystem32DRIVERSepfwtdir.sys [2008-07-01 34312]
R1 intelppm;Драйвер Intel процессора; C:WINDOWSsystem32DRIVERSintelppm.sys [2008-04-15 40704]
R2 eamon;EAMON; C:WINDOWSsystem32DRIVERSeamon.sys [2008-07-01 39944]
R2 rspndr;Ответчик обнаружения топологии уровня связи; C:WINDOWSsystem32DRIVERSrspndr.sys [2008-07-08 62848]
R3 aeaudio;aeaudio; C:WINDOWSsystem32driversaeaudio.sys [2002-04-01 4816]
R3 ltmodem5;LT Modem Driver; C:WINDOWSsystem32DRIVERSltmdmnt.sys [2008-08-24 606940]
R3 nv;nv; C:WINDOWSsystem32DRIVERSnv4_mini.sys [2008-05-16 6557408]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:WINDOWSsystem32DRIVERSsisnic.sys [2003-04-10 32256]
R3 smwdm;smwdm; C:WINDOWSsystem32driverssmwdm.sys [2003-08-29 578304]
R3 usbehci;Драйвер минипорта Microsoft USB 2.0 расширенного хост-контроллера; C:WINDOWSsystem32DRIVERSusbehci.sys [2008-04-15 30208]
R3 usbhub;USB2 концентратор; C:WINDOWSsystem32DRIVERSusbhub.sys [2008-04-15 59520]
R3 usbohci;Драйвер минипорта Microsoft USB открытого хост-контроллера; C:WINDOWSsystem32DRIVERSusbohci.sys [2008-04-15 17152]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:WINDOWSsystem32driversALCXWDM.SYS [2007-10-26 4124352]
S3 hidusb;Драйвер класса HID Microsoft; C:WINDOWSsystem32DRIVERShidusb.sys [2008-04-15 10368]
S3 mouhid;Драйвер мыши HID; C:WINDOWSsystem32DRIVERSmouhid.sys [2008-08-24 12160]
S3 USBSTOR;Драйвер запоминающих устройств для USB; C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-08-24 26368]
S4 IntelIde;IntelIde; C:WINDOWSsystem32driversIntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:Program FilesESETESET NOD32 Antivirusekrn.exe [2008-07-01 468224]
R2 IISADMIN;IIS Admin; C:WINDOWSsystem32inetsrvinetinfo.exe [2008-04-15 15872]
R2 MDM;Machine Debug Manager; C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:WINDOWSsystem32nvsvc32.exe [2008-05-16 159812]
R2 W3SVC;Веб-публикации; C:WINDOWSsystem32inetsrvinetinfo.exe [2008-04-15 15872]
S3 EhttpSrv;Eset HTTP Server; C:Program FilesESETESET NOD32 AntivirusEHttpSrv.exe [2008-07-01 19200]
S3 ose;Office Source Engine; C:Program FilesCommon FilesMicrosoft SharedSource EngineOSE.EXE [2003-07-28 89136]
S4 UMWdf;Компонент драйверов пользовательского режима Windows; C:WINDOWSsystem32wdfmgr.exe [2005-01-28 38912]

---

EOF

---

Спасибо большое за то, что вы помогаете!

[82]

Так же RSIT log

Logfile of random’s system information tool 1.06 (written by random/random)
Run by Олег at 2009-04-04 13:28:31
Microsoft Windows XP Professional Service Pack 3
System drive C: has 36 GB (89%) free of 40 GB
Total RAM: 512 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:28:35, on 04.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesESETESET NOD32 Antivirusekrn.exe
C:WINDOWSsystem32inetsrvinetinfo.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32nvsvc32.exe
C:Program FilesTaskSwitchXPTaskSwitchXP.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:Program FilesESETESET NOD32 Antivirusegui.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsОлегРабочий столRSIT.exe
C:Program Filestrend microОлег.exe

R1 — HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.mail.ru/
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 — HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 — HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 — HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 — HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
O2 — BHO: yvqdiquP — {068119DB-00E9-416A-AC2E-9F837E6FB3C3} — C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll
O2 — BHO: Adobe PDF Reader Link Helper — {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} — C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 — BHO: eurrvquP — {AAF01C24-2681-4FE6-9EDC-F7772F810E73} — C:Documents and SettingsAll UsersApplication Dataeurrvqu.dll (file missing)
O4 — HKLM..Run: [TaskSwitchXP] C:Program FilesTaskSwitchXPTaskSwitchXP.exe
O4 — HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 — HKLM..Run: [nwiz] nwiz.exe /install
O4 — HKLM..Run: [SoundMan] soundman.exe
O4 — HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 — HKLM..Run: [egui] «C:Program FilesESETESET NOD32 Antivirusegui.exe» /hide /waitservice
O4 — HKLM..Run: [Adobe Reader Speed Launcher] «C:Program FilesAdobeReader 8.0ReaderReader_sl.exe»
O4 — HKLM..Run: [NwOpenMS] rundll32.exe «C:Program FilesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll»,DllRegisterServer
O4 — HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 — HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-19..RunOnce: [IE7_013] rebuild.exe (User ‘LOCAL SERVICE’)
O4 — HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 — HKUSS-1-5-20..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘NETWORK SERVICE’)
O4 — HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘SYSTEM’)
O4 — HKUSS-1-5-18..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘SYSTEM’)
O4 — HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ‘Default user’)
O4 — HKUS.DEFAULT..RunOnce: [IE7_011] regsvr32 /s /n /i:u shell32 (User ‘Default user’)
O8 — Extra context menu item: &Экспорт в Microsoft Excel — res://C:PROGRA~1MICROS~1OFFICE11EXCEL.EXE/3000
O9 — Extra button: Справочные материалы — {92780B25-18CC-41C8-B9BE-3C9C571A8263} — C:PROGRA~1MICROS~1OFFICE11REFIEBAR.DLL
O9 — Extra button: (no name) — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 — {e2e2dd38-d088-4134-82b7-f2ba38496583} — C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 — Extra button: Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O9 — Extra ‘Tools’ menuitem: Windows Messenger — {FB5F1910-F110-11d2-BB9E-00C04F795683} — C:Program FilesMessengermsmsgs.exe
O17 — HKLMSystemCCSServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O17 — HKLMSystemCS1ServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O17 — HKLMSystemCS2ServicesTcpip..{87290F9F-6768-4AF1-8E10-BE57BCB3355D}: NameServer = 91.192.189.2,91.192.189.3
O23 — Service: Eset HTTP Server (EhttpSrv) — ESET — C:Program FilesESETESET NOD32 AntivirusEHttpSrv.exe
O23 — Service: Eset Service (ekrn) — ESET — C:Program FilesESETESET NOD32 Antivirusekrn.exe
O23 — Service: Журнал событий (Eventlog) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Служба COM записи компакт-дисков IMAPI (ImapiService) — Корпорация Майкрософт — C:WINDOWSsystem32imapi.exe
O23 — Service: NetMeeting Remote Desktop Sharing (mnmsrvc) — Корпорация Майкрософт — C:WINDOWSsystem32mnmsrvc.exe
O23 — Service: NVIDIA Display Driver Service (NVSvc) — NVIDIA Corporation — C:WINDOWSsystem32nvsvc32.exe
O23 — Service: Plug and Play (PlugPlay) — Корпорация Майкрософт — C:WINDOWSsystem32services.exe
O23 — Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) — Корпорация Майкрософт — C:WINDOWSsystem32sessmgr.exe
O23 — Service: Смарт-карты (SCardSvr) — Корпорация Майкрософт — C:WINDOWSSystem32SCardSvr.exe
O23 — Service: Журналы и оповещения производительности (SysmonLog) — Корпорация Майкрософт — C:WINDOWSsystem32smlogsvc.exe
O23 — Service: Теневое копирование тома (VSS) — Корпорация Майкрософт — C:WINDOWSSystem32vssvc.exe
O23 — Service: Адаптер производительности WMI (WmiApSrv) — Корпорация Майкрософт — C:WINDOWSsystem32wbemwmiapsrv.exe

—
End of file — 6396 bytes

======Registry dump======

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}]
LA Data Provider — C:Documents and SettingsAll UsersApplication DataMicrosoftMedia Playeryvqdiqu.dll [2007-04-04 609280]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper — C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AAF01C24-2681-4FE6-9EDC-F7772F810E73}]
Crypted Video Helper — C:Documents and SettingsAll UsersApplication Dataeurrvqu.dll []

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
«TaskSwitchXP»=C:Program FilesTaskSwitchXPTaskSwitchXP.exe [2007-03-09 62976]
«NvCplDaemon»=C:WINDOWSsystem32NvCpl.dll [2008-05-16 13529088]
«nwiz»=nwiz.exe /install []
«SoundMan»=C:WINDOWSsoundman.exe [2007-05-11 569344]
«NvMediaCenter»=C:WINDOWSsystem32NvMcTray.dll [2008-05-16 86016]
«egui»=C:Program FilesESETESET NOD32 Antivirusegui.exe [2008-07-01 1447168]
«Adobe Reader Speed Launcher»=C:Program FilesAdobeReader 8.0ReaderReader_sl.exe [2008-10-15 39792]
«NwOpenMS»=C:Program FilesCommon FilesMicrosoft SharedWeb Foldersuqidqvy.dll [2007-04-04 609280]

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=C:WINDOWSsystem32ctfmon.exe [2008-04-15 15360]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
«dontdisplaylastusername»=0
«legalnoticecaption»=
«legalnoticetext»=
«shutdownwithoutlogon»=1
«undockwithoutlogon»=1

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesexplorer]
«NoDriveTypeAutoRun»=36
«NoDriveAutoRun»=FFFFFFFF

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslist]
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicydomainprofileauthorizedapplicationslist]
«%windir%Network Diagnosticxpnetdiag.exe»=»%windir%Network Diagnosticxpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000»
«%windir%system32sessmgr.exe»=»%windir%system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019»

======List of files/folders created in the last 1 months======

2009-04-04 13:07:58 —-D—- C:_OTMoveIt
2009-04-04 12:52:24 —-RASHD—- C:autorun.inf
2009-04-04 12:45:35 —-A—- C:avenger.txt
2009-03-31 22:56:00 —-D—- C:Program Filestrend micro
2009-03-31 22:55:47 —-D—- C:rsit
2009-03-20 19:15:01 —-D—- C:Program FilesAdobe
2009-03-14 23:27:01 —-D—- C:Program FilesVKLife
2009-03-14 18:51:11 —-A—- C:VKLife_1.7.2.exe
2009-03-13 16:08:39 —-D—- C:Program FilesPiter
2009-03-07 17:24:00 —-D—- C:Documents and SettingsОлегApplication DataWinRAR

======List of files/folders modified in the last 1 months======

2009-04-04 13:16:35 —-D—- C:WINDOWSTemp
2009-04-04 13:11:43 —-D—- C:WINDOWSsystem32inetsrv
2009-04-04 13:08:34 —-A—- C:WINDOWSSchedLgU.Txt
2009-04-04 12:52:24 —-D—- C:WINDOWSPrefetch
2009-04-04 12:47:45 —-D—- C:WINDOWS
2009-04-04 12:46:40 —-AD—- C:Program Files
2009-04-04 12:45:35 —-AD—- C:WINDOWSsystem32
2009-04-03 20:45:20 —-D—- C:WINDOWSsystem32CatRoot2
2009-03-30 22:26:55 —-A—- C:WINDOWSsystem32PerfStringBackup.INI
2009-03-21 16:12:12 —-SHD—- C:WINDOWSInstaller
2009-03-21 02:36:04 —-D—- C:WINDOWSRegistration
2009-03-20 19:15:41 —-D—- C:Program FilesCommon FilesAdobe
2009-03-20 19:15:32 —-D—- C:WINDOWSWinSxS
2009-03-20 19:15:26 —-D—- C:Documents and SettingsAll UsersApplication DataAdobe
2009-03-15 02:13:25 —-SD—- C:Documents and SettingsAll UsersApplication DataMicrosoft
2009-03-14 19:52:55 —-D—- C:Documents and SettingsОлегApplication DataAdobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:WINDOWSsystem32DRIVERSeasdrv.sys [2008-07-01 53256]
R1 epfwtdir;epfwtdir; C:WINDOWSsystem32DRIVERSepfwtdir.sys [2008-07-01 34312]
R1 intelppm;Драйвер Intel процессора; C:WINDOWSsystem32DRIVERSintelppm.sys [2008-04-15 40704]
R2 eamon;EAMON; C:WINDOWSsystem32DRIVERSeamon.sys [2008-07-01 39944]
R2 rspndr;Ответчик обнаружения топологии уровня связи; C:WINDOWSsystem32DRIVERSrspndr.sys [2008-07-08 62848]
R3 aeaudio;aeaudio; C:WINDOWSsystem32driversaeaudio.sys [2002-04-01 4816]
R3 ltmodem5;LT Modem Driver; C:WINDOWSsystem32DRIVERSltmdmnt.sys [2008-08-24 606940]
R3 nv;nv; C:WINDOWSsystem32DRIVERSnv4_mini.sys [2008-05-16 6557408]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:WINDOWSsystem32DRIVERSsisnic.sys [2003-04-10 32256]
R3 smwdm;smwdm; C:WINDOWSsystem32driverssmwdm.sys [2003-08-29 578304]
R3 usbehci;Драйвер минипорта Microsoft USB 2.0 расширенного хост-контроллера; C:WINDOWSsystem32DRIVERSusbehci.sys [2008-04-15 30208]
R3 usbhub;USB2 концентратор; C:WINDOWSsystem32DRIVERSusbhub.sys [2008-04-15 59520]
R3 usbohci;Драйвер минипорта Microsoft USB открытого хост-контроллера; C:WINDOWSsystem32DRIVERSusbohci.sys [2008-04-15 17152]
R3 USBSTOR;Драйвер запоминающих устройств для USB; C:WINDOWSsystem32DRIVERSUSBSTOR.SYS [2008-08-24 26368]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:WINDOWSsystem32driversALCXWDM.SYS [2007-10-26 4124352]
S3 hidusb;Драйвер класса HID Microsoft; C:WINDOWSsystem32DRIVERShidusb.sys [2008-04-15 10368]
S3 mouhid;Драйвер мыши HID; C:WINDOWSsystem32DRIVERSmouhid.sys [2008-08-24 12160]
S4 IntelIde;IntelIde; C:WINDOWSsystem32driversIntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:Program FilesESETESET NOD32 Antivirusekrn.exe [2008-07-01 468224]
R2 IISADMIN;IIS Admin; C:WINDOWSsystem32inetsrvinetinfo.exe [2008-04-15 15872]
R2 MDM;Machine Debug Manager; C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:WINDOWSsystem32nvsvc32.exe [2008-05-16 159812]
R2 W3SVC;Веб-публикации; C:WINDOWSsystem32inetsrvinetinfo.exe [2008-04-15 15872]
S3 EhttpSrv;Eset HTTP Server; C:Program FilesESETESET NOD32 AntivirusEHttpSrv.exe [2008-07-01 19200]
S3 ose;Office Source Engine; C:Program FilesCommon FilesMicrosoft SharedSource EngineOSE.EXE [2003-07-28 89136]
S4 UMWdf;Компонент драйверов пользовательского режима Windows; C:WINDOWSsystem32wdfmgr.exe [2005-01-28 38912]

---

EOF

---

[82]

Сделала все, как требовалось.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{068119DB-00E9-416A-AC2E-9F837E6FB3C3}\ not found.
Registry key HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{a6e06888-f22e-11dd-a562-000ea699b0cb}\ deleted successfully.
Registry key HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{c7f09682-ebdb-11dd-a55e-d61c39358380}\ deleted successfully.
========== FILES ==========
C:Documents and SettingsAll UsersApplication Datayvqdiqu.dll unregistered successfully.
C:Documents and SettingsAll UsersApplication Datayvqdiqu.dll moved successfully.
C:Documents and SettingsAll UsersApplication Dataeurrvqu.dll unregistered successfully.
C:Documents and SettingsAll UsersApplication Dataeurrvqu.dll moved successfully.
========== COMMANDS ==========
User’s Temp folder emptied.
User’s Internet Explorer cache folder emptied.
File delete failed. C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5NU2CIYMTflash_disinfector[1].htm scheduled to be deleted on reboot.
File delete failed. C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5NU2CIYMTviewtopic[2].htm scheduled to be deleted on reboot.
File delete failed. C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5index.dat scheduled to be deleted on reboot.
User’s Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:Documents and SettingsLocalServiceLocal SettingsTemporary Internet FilesContent.IE5index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer — Version 1.0.10.0 log created on 04042009_130758

Files moved on Reboot…
File C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5NU2CIYMTflash_disinfector[1].htm not found!
File C:Documents and SettingsОлегLocal SettingsTemporary Internet FilesContent.IE5NU2CIYMTviewtopic[2].htm not found!

[Автор]

Сообщения