[G-Gurda]

я могу его как-то восстановить своими силами или хотя бы как-то данные с него копировать?

[G-Gurda]

Правый клик- песочные часы- бесконечность.
Иногда когда его вынимаешь предлагается его форматнуть

[G-Gurda]

Да как была так и осталась- подключаешь-минутку тупит, потом отображает его в моем компьютере — открыть невозможно -окно зависнет, если выдернуть- предложит его отформатировать — подобная картина на 2 компах. Я не понимаю зачем мы делаем сканирования комбофиксом раз за разом если на накопителе( ну так мое скромное предположение) не всё ок с файловой системой.

[G-Gurda]

у нас с накопителем еще есть шансы?

[G-Gurda]

У меня вирус оказался скрытым файлом и валялся просто в системной папке, ну а потом все комбофиксом дотер)

[G-Gurda]

почитал форум — у меня в C:Documents and SettingsAll UsersApplication Data нет никакой папки вроде 36234235 или что-то такого

[G-Gurda]

ComboFix 10-07-24.04 — user 26.07.2010 11:31:17.13.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2046.1464 [GMT 4:00]
Running from: h:documents and settingsuserРабочий столComboFix.exe
Command switches used :: h:documents and settingsuserРабочий столCFScript.txt
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:windowssystem32grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-23 13:38 . 2010-07-23 13:38

---

d

---

w- h:documents and settingsuserfxprops
2010-07-17 18:03 . 2010-07-17 18:04 100 —-a-w- h:windowssystem32tmplog294034.dat
2010-07-08 14:58 . 2008-04-15 12:00 361344 -c—a-w- h:windowssystem32dllcachetcpip.sys
2010-07-08 14:58 . 2008-04-15 12:00 361344 —-a-w- h:windowssystem32driverstcpip.sys
2010-07-03 18:19 . 2010-07-03 18:18 107384 —-a-w- h:windowssystem32driversdwprot.sys
2010-07-03 13:35 . 2010-07-26 07:42

---

d

---

w- h:program filesDrWeb AV-Desk
2010-06-29 23:12 . 2010-06-29 23:12

---

d

---

w- h:program filesCommon FilesJava
2010-06-29 23:12 . 2010-06-29 23:12 503808 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcp71.dll
2010-06-29 23:12 . 2010-06-29 23:12 499712 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-njmc.dll
2010-06-29 23:12 . 2010-06-29 23:12 348160 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcr71.dll
2010-06-29 23:12 . 2010-06-29 23:12 61440 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-sse.dll
2010-06-29 23:12 . 2010-06-29 23:12 12800 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-d3d.dll
2010-06-29 23:12 . 2010-04-12 13:29 411368 —-a-w- h:windowssystem32deployJava1.dll
2010-06-28 09:20 . 2010-07-09 19:52

---

d

---

w- h:program filesLight Alloy
2010-06-27 21:06 . 2010-06-27 21:10

---

d

---

w- h:documents and settingsuserApplication DataFileZilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 07:27 . 2009-02-11 13:38

---

d

---

w- h:program filesuTorrent
2010-07-26 07:26 . 2008-08-26 10:43 16608 —-a-w- h:windowsgdrv.sys
2010-07-26 07:26 . 2008-08-27 14:31

---

d

---

w- h:documents and settingsuserApplication DatauTorrent
2010-07-25 20:17 . 2009-03-03 20:28

---

d

---

w- h:documents and settingsuserApplication Datadvdcss
2010-07-03 12:53 . 2010-05-28 09:14

---

d

---

w- h:program filesFishki.net
2010-06-29 23:12 . 2009-06-09 19:22

---

d

---

w- h:program filesJava
2010-06-29 20:37 . 2010-02-19 18:15

---

d

---

w- h:program filestrend micro
2010-06-28 13:17 . 2009-06-02 02:21

---

d

---

w- h:program filesICQ6.5
2010-06-28 09:18 . 2009-02-28 13:26

---

d

---

w- h:program filesAutochartist
2010-06-28 09:18 . 2008-08-26 10:44

---

d—h—w- h:program filesInstallShield Installation Information
2010-06-24 13:35 . 2009-07-30 09:04

---

d

---

w- h:program filesFLV Player
2010-06-23 16:36 . 2010-06-23 16:36 2944904 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionstoolbar@ask.comchrometempaskToolbar.exe
2010-06-16 09:00 . 2010-06-16 08:59

---

d

---

w- h:program filesMetaTrader — Alpari
2010-06-09 11:58 . 2010-06-15 16:40 14336 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:program filesQuickTime
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:documents and settingsAll UsersApplication DataApple Computer
2010-06-04 11:35 . 2010-06-04 11:35

---

d

---

w- h:documents and settingsuserApplication DataFriday’s games
2010-06-04 11:34 . 2009-12-21 23:21

---

d

---

w- h:program filesAlawar
2010-05-31 21:49 . 2010-04-26 21:39

---

d

---

w- h:program filesCommon FilesWise Installation Wizard
2010-05-28 09:22 . 2010-05-28 09:19

---

d

---

w- h:documents and settingsuserApplication Dataтанчики
2010-05-27 12:27 . 2010-05-27 12:27

---

d

---

w- h:documents and settingsAll UsersApplication Data3-D HUNTING 2010
2010-05-12 19:57 . 2008-08-26 10:40 73336 —-a-w- h:documents and settingsuserLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-05-08 09:17 . 2010-05-08 09:17 12 —-a-w- h:documents and settingsuserApplication Dataypgovd.dat
2009-05-13 21:55 . 2009-05-13 21:55 1044480 —-a-w- h:program filesmozilla firefoxpluginslibdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 —-a-w- h:program filesmozilla firefoxpluginsssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-23_16.28.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-26 07:28 . 2010-07-26 07:28 16384 h:windowstempPerflib_Perfdata_e4.dat
+ 2008-08-26 10:38 . 2010-07-17 11:15 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
— 2008-08-26 10:38 . 2010-02-22 13:42 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
+ 2010-06-29 23:12 . 2010-04-12 13:29 153376 h:windowssystem32javaws.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32javaw.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32java.exe
+ 2010-06-29 23:12 . 2010-06-29 23:12 180224 h:windowsInstaller15dc20.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«AlcoholAutomount»=»h:program filesAlcohol SoftAlcohol 120axcmd.exe» [2009-04-24 203928]
«AlSrvN»=»h:program filesAlcohol SoftAlcohol 120PluginsHelperAlSrvN.exe» [2009-04-17 53248]
«uTorrent»=»h:program filesuTorrentuTorrent.exe» [2010-07-24 327472]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NokiaMServer»=»h:program filesCommon FilesNokiaMPlatformNokiaMServer» [X]
«GEST»=»h:program filesGIGABYTEGESTRUN.exe» [2007-12-14 236040]
«JMB36X IDE Setup»=»h:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»h:windowssystem32xRaidSetup.exe» [2007-08-29 1966080]
«Acronis True Image Monitor»=»h:program filesAcronisTrueImageTrueImageMonitor.exe» [2008-08-26 417536]
«Acronis Scheduler2 Service»=»h:program filesCommon FilesAcronisSchedule2schedhlp.exe» [2008-08-26 61440]
«NeroFilterCheck»=»h:windowssystem32NeroCheck.exe» [2001-07-09 155648]
«Adobe Reader Speed Launcher»=»h:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-11 34672]
«Nokia FastStart»=»h:program filesNokiaNokia MusicNokiaMusic.exe» [2008-12-03 2372840]
«SunJavaUpdateSched»=»h:program filesCommon FilesJavaJava Updatejusched.exe» [2010-02-18 248040]
«StartCCC»=»h:program filesATI TechnologiesATI.ACECore-StaticCLIStart.exe» [2009-04-28 61440]
«RTHDCPL»=»RTHDCPL.EXE» [2007-09-19 16844800]
«QuickTime Task»=»h:program filesQuickTimeQTTask.exe» [2010-03-17 421888]
«DrWebAgentUI»=»h:program filesDrWeb AV-Deskdrwagnui.exe» [2010-07-03 1692976]
«SpIDerMail»=»h:program filesDrWeb AV-DeskSPIDERML.EXE» [2010-07-03 644336]
«SpIDerNT»=»h:program filesDrWeb AV-DeskSPIDERUI.EXE» [2010-07-03 231816]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»h:windowssystem32CTFMON.EXE» [2008-04-15 15360]

h:documents and settingsAll Usersѓ« ў­®Ґ ¬Ґ­оЏа®Ја ¬¬лЂўв®§ Јаг§Є 
Nokia Ovi Suite.lnk — h:program filesNokiaOviSuiteRunLauncher.exe [2008-11-28 946176]

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«h:\Program Files\GIGABYTE\GEST\run.exe»=
«h:\Program Files\QIP\qip.exe»=
«h:\WINDOWS\system32\PnkBstrA.exe»=
«h:\WINDOWS\system32\PnkBstrB.exe»=
«h:\WINDOWS\system32\CNAB4RPK.EXE»=
«h:\WINDOWS\system32\dplaysvr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«h:\Program Files\uTorrent\utorrent.exe»=
«h:\Program Files\ICQ6.5\ICQ.exe»=
«h:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe»=
«h:\Program Files\DrWeb AV-Desk\drwagntd.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«19553:TCP»= 19553:TCP

R0 DwProt;DrWeb Protection;h:windowssystem32driversdwprot.sys [03.07.2010 22:19 107384]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);h:windowssystem32driverssfdrv01a.sys [05.07.2006 16:46 63352]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:program filesCommon FilesABBYYFineReader9.00LicensingPENetworkLicenseServer.exe [06.12.2007 22:03 660768]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);h:program filesDrWeb AV-DeskDWENGINE.EXE [03.07.2010 17:35 1094048]
R2 SpIDer;SpIDer Guard (R) File System Monitor;h:program filesDrWeb AV-DeskSPIDER.SYS [03.07.2010 22:18 312504]
R2 spidernt;SpIDer Guard (R) for Windows;h:program filesDrWeb AV-DeskSPIDERNT.EXE [03.07.2010 22:18 231816]
R3 drwagntd;Dr.Web AV-Desk Agent;h:program filesDrWeb AV-DeskDRWAGNTD.EXE [03.07.2010 22:18 2340144]
S0 sptd;sptd;h:windowssystem32driverssptd.sys [31.01.2009 19:22 721904]
S2 drwupgrade;Dr.Web AV-Desk Upgrade Service;h:program filesDrWeb AV-Desk1drwupgrade.exe [03.07.2010 22:18 828720]
S2 gupdate1ca1104ee4fa4be;Служба Google Update (gupdate1ca1104ee4fa4be);h:program filesGoogleUpdateGoogleUpdate.exe [30.07.2009 15:00 133104]
S3 GEST Service;GEST Service for program management.;h:program filesGIGABYTEGESTGSvr.exe [26.08.2008 14:44 47624]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
DcomLaunch REG_MULTI_SZ DcomLaunch TermService Netprotocol
.
Contents of the ‘Scheduled Tasks’ folder

2010-07-19 h:windowsTasksAppleSoftwareUpdate.job
— h:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]

2010-07-26 h:windowsTasksGoogleUpdateTaskMachineCore.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]

2010-07-26 h:windowsTasksGoogleUpdateTaskMachineUA.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://yandex.ru/
IE: &Экспорт в Microsoft Excel — h:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
LSP: h:program filesDrWeb AV-DeskDRWEBSP.DLL
FF — ProfilePath — h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.default
FF — prefs.js: browser.search.selectedEngine — Яндекс
FF — prefs.js: browser.startup.homepage — hxxp://ru.ask.com?o=15003&l=dis
FF — prefs.js: keyword.URL — hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=ru_RU&q=
FF — component: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
FF — plugin: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsfirefox@tvunetworks.compluginsnpTVUAx.dll
FF — plugin: h:program filesGoogleUpdate1.2.183.23npGoogleOneClick8.dll
FF — plugin: h:program filesMozilla FirefoxpluginsnpdeployJava1.dll

—- FIREFOX POLICIES —-
h:program filesMozilla Firefoxgreprefsall.js — pref(«ui.use_native_colors», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.lu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nz», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgbaam7a8h», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgberp4a5d4ar», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--p1ai», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgbayh7gpa», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.tel», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.auth.force-generic-ntlm», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.proxy.type», 5);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.buffer.cache.count», 24);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.buffer.cache.size», 4096);
h:program filesMozilla Firefoxgreprefsall.js — pref(«dom.ipc.plugins.timeoutSecs», 45);
h:program filesMozilla Firefoxgreprefsall.js — pref(«svg.smil.enabled», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«accelerometer.enabled», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.renego_unrestricted_hosts», «»);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.treat_unsafe_negotiation_as_broken», false);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.require_safe_negotiation», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«plugins.update.notifyUser», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.nptest.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npswf32.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npctrl.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npqtplugin.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled», false);
.
— — — — ORPHANS REMOVED — — — —

HKCU-Run-googlemapp.exe — h:googlemapp.exegooglemapp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA80C38]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xba0fcf28
DriverACPI -> ACPI.sys @ 0xb9f7fcb8
Driveratapi -> 0x8aa80c38
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.SYS @ 0xb9d7cbb0
PacketIndicateHandler -> NDIS.SYS @ 0xb9d89a21
SendHandler -> NDIS.SYS @ 0xb9d6787b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘winlogon.exe'(760)
h:windowssystem32Ati2evxx.dll

— — — — — — — > ‘lsass.exe'(828)
h:program filesDrWeb AV-DeskDRWEBSP.DLL
.
Completion time: 2010-07-26 11:48:31
ComboFix-quarantined-files.txt 2010-07-26 07:48
ComboFix2.txt 2010-07-19 11:06
ComboFix3.txt 2010-07-17 12:18
ComboFix4.txt 2010-07-16 18:33
ComboFix5.txt 2010-07-26 07:22

Pre-Run: 7 591 510 016 байт свободно
Post-Run: 7 583 973 376 байт свободно

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
— — End Of File — — 02F45D583A84A86B4C1F0B30888CCD06

[G-Gurda]

что дальше друзья?

[G-Gurda]

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 19.07.2010 23:46:19 for strings:
; ‘netprotocol’
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{E20FCDC0-B983-47D5-9BF9-CEEA40C06EF0}]
@=»PhonetProtocol Class»

[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{E20FCDC0-B983-47D5-9BF9-CEEA40C06EF0}ProgID]
@=»NclPhonet.PhonetProtocol.1″

[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{E20FCDC0-B983-47D5-9BF9-CEEA40C06EF0}VersionIndependentProgID]
@=»NclPhonet.PhonetProtocol»

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocol]

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocol]
@=»PhonetProtocol Class»

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocolCLSID]

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocolCurVer]

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocolCurVer]
@=»NclPhonet.PhonetProtocol.1″

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocol.1]

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocol.1]
@=»PhonetProtocol Class»

[HKEY_LOCAL_MACHINESOFTWAREClassesNclPhonet.PhonetProtocol.1CLSID]

[HKEY_LOCAL_MACHINESOFTWAREClassesrloginshellopencommand]
@=»rundll32.exe url.dll,TelnetProtocolHandler %l»

[HKEY_LOCAL_MACHINESOFTWAREClassestelnetshellopencommand]
@=»rundll32.exe url.dll,TelnetProtocolHandler %l»

[HKEY_LOCAL_MACHINESOFTWAREClassestn3270shellopencommand]
@=»rundll32.exe url.dll,TelnetProtocolHandler %l»

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftNetprotocol]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost]
; Contents of value:
; DcomLaunch
; TermService
; Netprotocol
;
«DcomLaunch»=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,
00,00,4e,00,65,00,74,00,70,00,72,00,6f,00,74,00,6f,00,63,00,6f,00,6c,00,00,
00,00,00

; End Of The Log…

[G-Gurda]

ComboFix 10-07-18.02 — user 19.07.2010 14:48:44.12.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2046.1465 [GMT 4:00]
Running from: h:documents and settingsuserРабочий столComboFix.exe
Command switches used :: h:documents and settingsuserРабочий столCFScript.txt
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
* Resident AV is active

FILE ::
«h:windowssystem32dfhclfhd.dll»
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:documents and settingsuserГлавное менюПрограммыАвтозагрузкаsyscron.exe
h:documents and settingsuserb.exe
h:documents and settingsuserhurun.exe
h:documents and settingsuseryiukam.exe
h:windowssystem32dfhclfhd.dll

h:windowssystem32grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-17 18:03 . 2010-07-17 18:04 100 —-a-w- h:windowssystem32tmplog294034.dat
2010-07-08 14:58 . 2008-04-15 12:00 361344 -c—a-w- h:windowssystem32dllcachetcpip.sys
2010-07-08 14:58 . 2008-04-15 12:00 361344 —-a-w- h:windowssystem32driverstcpip.sys
2010-07-03 18:19 . 2010-07-03 18:18 107384 —-a-w- h:windowssystem32driversdwprot.sys
2010-07-03 13:35 . 2010-07-19 10:50

---

d

---

w- h:program filesDrWeb AV-Desk
2010-06-29 23:12 . 2010-06-29 23:12

---

d

---

w- h:program filesCommon FilesJava
2010-06-29 23:12 . 2010-06-29 23:12 503808 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcp71.dll
2010-06-29 23:12 . 2010-06-29 23:12 499712 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-njmc.dll
2010-06-29 23:12 . 2010-06-29 23:12 348160 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcr71.dll
2010-06-29 23:12 . 2010-06-29 23:12 61440 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-sse.dll
2010-06-29 23:12 . 2010-06-29 23:12 12800 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-d3d.dll
2010-06-29 23:12 . 2010-04-12 13:29 411368 —-a-w- h:windowssystem32deployJava1.dll
2010-06-28 09:20 . 2010-07-09 19:52

---

d

---

w- h:program filesLight Alloy
2010-06-27 21:06 . 2010-06-27 21:10

---

d

---

w- h:documents and settingsuserApplication DataFileZilla
2010-06-23 16:36 . 2010-06-23 16:36 2944904 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionstoolbar@ask.comchrometempaskToolbar.exe
2010-06-23 14:57 . 2010-06-23 15:54

---

d

---

w- h:documents and settingsАдминистратор

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 10:43 . 2008-08-26 10:43 16608 —-a-w- h:windowsgdrv.sys
2010-07-19 10:33 . 2008-08-27 14:31

---

d

---

w- h:documents and settingsuserApplication DatauTorrent
2010-07-03 12:53 . 2010-05-28 09:14

---

d

---

w- h:program filesFishki.net
2010-06-29 23:12 . 2009-06-09 19:22

---

d

---

w- h:program filesJava
2010-06-29 20:37 . 2010-02-19 18:15

---

d

---

w- h:program filestrend micro
2010-06-28 13:17 . 2009-06-02 02:21

---

d

---

w- h:program filesICQ6.5
2010-06-28 09:18 . 2009-02-28 13:26

---

d

---

w- h:program filesAutochartist
2010-06-28 09:18 . 2008-08-26 10:44

---

d—h—w- h:program filesInstallShield Installation Information
2010-06-24 13:35 . 2009-07-30 09:04

---

d

---

w- h:program filesFLV Player
2010-06-22 10:20 . 2009-03-03 20:28

---

d

---

w- h:documents and settingsuserApplication Datadvdcss
2010-06-16 09:00 . 2010-06-16 08:59

---

d

---

w- h:program filesMetaTrader — Alpari
2010-06-09 11:58 . 2010-06-15 16:40 14336 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:program filesQuickTime
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:documents and settingsAll UsersApplication DataApple Computer
2010-06-04 11:35 . 2010-06-04 11:35

---

d

---

w- h:documents and settingsuserApplication DataFriday’s games
2010-06-04 11:34 . 2009-12-21 23:21

---

d

---

w- h:program filesAlawar
2010-05-31 21:49 . 2010-04-26 21:39

---

d

---

w- h:program filesCommon FilesWise Installation Wizard
2010-05-28 09:22 . 2010-05-28 09:19

---

d

---

w- h:documents and settingsuserApplication Dataтанчики
2010-05-27 12:27 . 2010-05-27 12:27

---

d

---

w- h:documents and settingsAll UsersApplication Data3-D HUNTING 2010
2010-05-12 19:57 . 2008-08-26 10:40 73336 —-a-w- h:documents and settingsuserLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-05-08 09:17 . 2010-05-08 09:17 12 —-a-w- h:documents and settingsuserApplication Dataypgovd.dat
2009-05-13 21:55 . 2009-05-13 21:55 1044480 —-a-w- h:program filesmozilla firefoxpluginslibdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 —-a-w- h:program filesmozilla firefoxpluginsssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-23_16.28.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-19 10:46 . 2010-07-19 10:46 16384 h:windowstempPerflib_Perfdata_d4.dat
+ 2008-08-26 10:38 . 2010-07-17 11:15 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
— 2008-08-26 10:38 . 2010-02-22 13:42 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
+ 2010-06-29 23:12 . 2010-04-12 13:29 153376 h:windowssystem32javaws.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32javaw.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32java.exe
+ 2010-06-29 23:12 . 2010-06-29 23:12 180224 h:windowsInstaller15dc20.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«AlcoholAutomount»=»h:program filesAlcohol SoftAlcohol 120axcmd.exe» [2009-04-24 203928]
«AlSrvN»=»h:program filesAlcohol SoftAlcohol 120PluginsHelperAlSrvN.exe» [2009-04-17 53248]
«uTorrent»=»h:program filesuTorrentuTorrent.exe» [2010-07-04 306480]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NokiaMServer»=»h:program filesCommon FilesNokiaMPlatformNokiaMServer» [X]
«GEST»=»h:program filesGIGABYTEGESTRUN.exe» [2007-12-14 236040]
«JMB36X IDE Setup»=»h:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»h:windowssystem32xRaidSetup.exe» [2007-08-29 1966080]
«Acronis True Image Monitor»=»h:program filesAcronisTrueImageTrueImageMonitor.exe» [2008-08-26 417536]
«Acronis Scheduler2 Service»=»h:program filesCommon FilesAcronisSchedule2schedhlp.exe» [2008-08-26 61440]
«NeroFilterCheck»=»h:windowssystem32NeroCheck.exe» [2001-07-09 155648]
«Adobe Reader Speed Launcher»=»h:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-11 34672]
«Nokia FastStart»=»h:program filesNokiaNokia MusicNokiaMusic.exe» [2008-12-03 2372840]
«SunJavaUpdateSched»=»h:program filesCommon FilesJavaJava Updatejusched.exe» [2010-02-18 248040]
«StartCCC»=»h:program filesATI TechnologiesATI.ACECore-StaticCLIStart.exe» [2009-04-28 61440]
«RTHDCPL»=»RTHDCPL.EXE» [2007-09-19 16844800]
«QuickTime Task»=»h:program filesQuickTimeQTTask.exe» [2010-03-17 421888]
«DrWebAgentUI»=»h:program filesDrWeb AV-Deskdrwagnui.exe» [2010-07-03 1692976]
«SpIDerMail»=»h:program filesDrWeb AV-DeskSPIDERML.EXE» [2010-07-03 644336]
«SpIDerNT»=»h:program filesDrWeb AV-DeskSPIDERUI.EXE» [2010-07-03 231816]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»h:windowssystem32CTFMON.EXE» [2008-04-15 15360]

h:documents and settingsAll Usersѓ« ў­®Ґ ¬Ґ­оЏа®Ја ¬¬лЂўв®§ Јаг§Є 
Nokia Ovi Suite.lnk — h:program filesNokiaOviSuiteRunLauncher.exe [2008-11-28 946176]

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«h:\Program Files\GIGABYTE\GEST\run.exe»=
«h:\Program Files\QIP\qip.exe»=
«h:\WINDOWS\system32\PnkBstrA.exe»=
«h:\WINDOWS\system32\PnkBstrB.exe»=
«h:\WINDOWS\system32\CNAB4RPK.EXE»=
«h:\WINDOWS\system32\dplaysvr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«h:\Program Files\uTorrent\utorrent.exe»=
«h:\Program Files\ICQ6.5\ICQ.exe»=
«h:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe»=
«h:\Program Files\DrWeb AV-Desk\drwagntd.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«19553:TCP»= 19553:TCP

R0 DwProt;DrWeb Protection;h:windowssystem32driversdwprot.sys [03.07.2010 22:19 107384]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);h:windowssystem32driverssfdrv01a.sys [05.07.2006 16:46 63352]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:program filesCommon FilesABBYYFineReader9.00LicensingPENetworkLicenseServer.exe [06.12.2007 22:03 660768]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);h:program filesDrWeb AV-DeskDWENGINE.EXE [03.07.2010 17:35 1094048]
R2 SpIDer;SpIDer Guard (R) File System Monitor;h:program filesDrWeb AV-DeskSPIDER.SYS [03.07.2010 22:18 312504]
R2 spidernt;SpIDer Guard (R) for Windows;h:program filesDrWeb AV-DeskSPIDERNT.EXE [03.07.2010 22:18 231816]
R3 drwagntd;Dr.Web AV-Desk Agent;h:program filesDrWeb AV-DeskDRWAGNTD.EXE [03.07.2010 22:18 2340144]
S0 sptd;sptd;h:windowssystem32driverssptd.sys [31.01.2009 19:22 721904]
S2 drwupgrade;Dr.Web AV-Desk Upgrade Service;h:program filesDrWeb AV-Desk1drwupgrade.exe [03.07.2010 22:18 828720]
S2 gupdate1ca1104ee4fa4be;Служба Google Update (gupdate1ca1104ee4fa4be);h:program filesGoogleUpdateGoogleUpdate.exe [30.07.2009 15:00 133104]
S3 GEST Service;GEST Service for program management.;h:program filesGIGABYTEGESTGSvr.exe [26.08.2008 14:44 47624]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
DcomLaunch REG_MULTI_SZ DcomLaunch TermService Netprotocol
.
Contents of the ‘Scheduled Tasks’ folder

2010-07-05 h:windowsTasksAppleSoftwareUpdate.job
— h:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]

2010-07-19 h:windowsTasksGoogleUpdateTaskMachineCore.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]

2010-07-19 h:windowsTasksGoogleUpdateTaskMachineUA.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://yandex.ru/
IE: &Экспорт в Microsoft Excel — h:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
LSP: h:program filesDrWeb AV-DeskDRWEBSP.DLL
FF — ProfilePath — h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.default
FF — prefs.js: browser.search.selectedEngine — Яндекс
FF — prefs.js: browser.startup.homepage — hxxp://ru.ask.com?o=15003&l=dis
FF — prefs.js: keyword.URL — hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=ru_RU&q=
FF — component: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
FF — plugin: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsfirefox@tvunetworks.compluginsnpTVUAx.dll
FF — plugin: h:program filesGoogleUpdate1.2.183.23npGoogleOneClick8.dll
FF — plugin: h:program filesMozilla FirefoxpluginsnpdeployJava1.dll

—- FIREFOX POLICIES —-
h:program filesMozilla Firefoxgreprefsall.js — pref(«ui.use_native_colors», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.lu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nz», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgberp4a5d4ar», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--p1ai», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgbayh7gpa», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.tel», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.auth.force-generic-ntlm», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.proxy.type», 5);
h:program filesMozilla Firefoxgreprefsall.js — pref(«dom.ipc.plugins.timeoutSecs», 45);
h:program filesMozilla Firefoxgreprefsall.js — pref(«svg.smil.enabled», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«accelerometer.enabled», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.renego_unrestricted_hosts», «»);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.treat_unsafe_negotiation_as_broken», false);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.require_safe_negotiation», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«plugins.update.notifyUser», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.nptest.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npswf32.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npctrl.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npqtplugin.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled», false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA872F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xba0fcf28
DriverACPI -> ACPI.sys @ 0xb9f7fcb8
Driveratapi -> 0x8aa872f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.SYS @ 0xb9d7cbb0
PacketIndicateHandler -> NDIS.SYS @ 0xb9d89a21
SendHandler -> NDIS.SYS @ 0xb9d6787b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘winlogon.exe'(760)
h:windowssystem32Ati2evxx.dll

— — — — — — — > ‘lsass.exe'(828)
h:program filesDrWeb AV-DeskDRWEBSP.DLL
.
Completion time: 2010-07-19 15:06:19
ComboFix-quarantined-files.txt 2010-07-19 11:06
ComboFix2.txt 2010-07-17 12:18
ComboFix3.txt 2010-07-16 18:33
ComboFix4.txt 2010-07-09 14:08
ComboFix5.txt 2010-07-19 10:39

Pre-Run: 3 060 940 800 байт свободно
Post-Run: 3 045 916 672 байт свободно

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
— — End Of File — — 7BF6ED20A54D40A7CE3CBBCE6963D7CC

Второе действие —

Том в устройстве H не имеет метки.
Серийный номер тома: 5032-CF71

[G-Gurda]

Как видно из лога файл grpconv.exe отсутствует, о чем выскакивает ошибка при запуске комбы. И еще маленький вопрос — почему комба всегда light alloy выносит?

[G-Gurda]

ComboFix 10-07-07.02 — user 09.07.2010 17:51:05.9.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2046.1466 [GMT 4:00]
Running from: h:documents and settingsuserРабочий столComboFix.exe
Command switches used :: h:documents and settingsuserРабочий столCFScript.txt
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
* Resident AV is active

FILE ::
«h:windowssystem321h43Z8O.exe»
«h:windowssystem3271139df6.exe»
«h:windowssystem32d542de00.exe»
«h:windowssystem32IflW0Xf.exe»
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:program filesLight AlloyLA.exe

h:windowssystem32grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.

2010-07-08 14:58 . 2008-04-15 12:00 361344 -c—a-w- h:windowssystem32dllcachetcpip.sys
2010-07-08 14:58 . 2008-04-15 12:00 361344 —-a-w- h:windowssystem32driverstcpip.sys
2010-07-03 19:17 . 2010-07-03 19:17 65536 —-a-w- h:windowssystem32dfhclfhd.dll
2010-07-03 18:19 . 2010-07-03 18:18 107384 —-a-w- h:windowssystem32driversdwprot.sys
2010-07-03 13:35 . 2010-07-09 13:51

---

d

---

w- h:program filesDrWeb AV-Desk
2010-06-29 23:12 . 2010-06-29 23:12

---

d

---

w- h:program filesCommon FilesJava
2010-06-29 23:12 . 2010-06-29 23:12 503808 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcp71.dll
2010-06-29 23:12 . 2010-06-29 23:12 499712 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-njmc.dll
2010-06-29 23:12 . 2010-06-29 23:12 348160 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcr71.dll
2010-06-29 23:12 . 2010-06-29 23:12 61440 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-sse.dll
2010-06-29 23:12 . 2010-06-29 23:12 12800 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-d3d.dll
2010-06-29 23:12 . 2010-04-12 13:29 411368 —-a-w- h:windowssystem32deployJava1.dll
2010-06-28 09:20 . 2010-07-09 14:06

---

d

---

w- h:program filesLight Alloy
2010-06-27 21:06 . 2010-06-27 21:10

---

d

---

w- h:documents and settingsuserApplication DataFileZilla
2010-06-23 16:36 . 2010-06-23 16:36 2944904 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionstoolbar@ask.comchrometempaskToolbar.exe
2010-06-23 14:57 . 2010-06-23 15:54

---

d

---

w- h:documents and settingsАдминистратор
2010-06-16 08:59 . 2010-06-16 09:00

---

d

---

w- h:program filesMetaTrader — Alpari
2010-06-15 16:40 . 2010-06-09 11:58 14336 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 13:46 . 2008-08-26 10:43 16608 —-a-w- h:windowsgdrv.sys
2010-07-09 13:46 . 2008-08-27 14:31

---

d

---

w- h:documents and settingsuserApplication DatauTorrent
2010-07-03 12:53 . 2010-05-28 09:14

---

d

---

w- h:program filesFishki.net
2010-06-29 23:12 . 2009-06-09 19:22

---

d

---

w- h:program filesJava
2010-06-29 20:37 . 2010-02-19 18:15

---

d

---

w- h:program filestrend micro
2010-06-28 13:17 . 2009-06-02 02:21

---

d

---

w- h:program filesICQ6.5
2010-06-28 09:18 . 2009-02-28 13:26

---

d

---

w- h:program filesAutochartist
2010-06-28 09:18 . 2008-08-26 10:44

---

d—h—w- h:program filesInstallShield Installation Information
2010-06-24 13:35 . 2009-07-30 09:04

---

d

---

w- h:program filesFLV Player
2010-06-22 10:20 . 2009-03-03 20:28

---

d

---

w- h:documents and settingsuserApplication Datadvdcss
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:program filesQuickTime
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:documents and settingsAll UsersApplication DataApple Computer
2010-06-04 11:35 . 2010-06-04 11:35

---

d

---

w- h:documents and settingsuserApplication DataFriday’s games
2010-06-04 11:34 . 2009-12-21 23:21

---

d

---

w- h:program filesAlawar
2010-05-31 21:49 . 2010-04-26 21:39

---

d

---

w- h:program filesCommon FilesWise Installation Wizard
2010-05-28 09:22 . 2010-05-28 09:19

---

d

---

w- h:documents and settingsuserApplication Dataтанчики
2010-05-27 12:27 . 2010-05-27 12:27

---

d

---

w- h:documents and settingsAll UsersApplication Data3-D HUNTING 2010
2010-05-12 19:57 . 2008-08-26 10:40 73336 —-a-w- h:documents and settingsuserLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-05-10 16:16 . 2010-05-10 16:16

---

d

---

w- h:program filesMSECache
2010-05-08 09:17 . 2010-05-08 09:17 12 —-a-w- h:documents and settingsuserApplication Dataypgovd.dat
2010-04-19 20:37 . 2008-08-26 16:20 444952 —-a-w- h:windowssystem32wrap_oal.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 —-a-w- h:program filesmozilla firefoxpluginslibdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 —-a-w- h:program filesmozilla firefoxpluginsssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-23_16.28.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-09 13:48 . 2010-07-09 13:48 16384 h:windowstempPerflib_Perfdata_d4.dat
+ 2010-07-06 14:07 . 2010-07-06 14:07 42436 h:windowssystem32DirectXsvchost.exe
+ 2008-08-26 10:38 . 2010-07-09 13:13 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
— 2008-08-26 10:38 . 2010-02-22 13:42 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
+ 2010-07-08 22:12 . 2010-07-09 13:13 16384 h:windowssystem32configsystemprofileCookiesindex.dat
+ 2010-06-29 23:12 . 2010-04-12 13:29 153376 h:windowssystem32javaws.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32javaw.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32java.exe
+ 2010-06-29 23:12 . 2010-06-29 23:12 180224 h:windowsInstaller15dc20.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«AlcoholAutomount»=»h:program filesAlcohol SoftAlcohol 120axcmd.exe» [2009-04-24 203928]
«AlSrvN»=»h:program filesAlcohol SoftAlcohol 120PluginsHelperAlSrvN.exe» [2009-04-17 53248]
«uTorrent»=»h:program filesuTorrentuTorrent.exe» [2010-07-04 306480]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NokiaMServer»=»h:program filesCommon FilesNokiaMPlatformNokiaMServer» [X]
«GEST»=»h:program filesGIGABYTEGESTRUN.exe» [2007-12-14 236040]
«JMB36X IDE Setup»=»h:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»h:windowssystem32xRaidSetup.exe» [2007-08-29 1966080]
«Acronis True Image Monitor»=»h:program filesAcronisTrueImageTrueImageMonitor.exe» [2008-08-26 417536]
«Acronis Scheduler2 Service»=»h:program filesCommon FilesAcronisSchedule2schedhlp.exe» [2008-08-26 61440]
«NeroFilterCheck»=»h:windowssystem32NeroCheck.exe» [2001-07-09 155648]
«Adobe Reader Speed Launcher»=»h:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-11 34672]
«Nokia FastStart»=»h:program filesNokiaNokia MusicNokiaMusic.exe» [2008-12-03 2372840]
«SunJavaUpdateSched»=»h:program filesCommon FilesJavaJava Updatejusched.exe» [2010-02-18 248040]
«StartCCC»=»h:program filesATI TechnologiesATI.ACECore-StaticCLIStart.exe» [2009-04-28 61440]
«RTHDCPL»=»RTHDCPL.EXE» [2007-09-19 16844800]
«QuickTime Task»=»h:program filesQuickTimeQTTask.exe» [2010-03-17 421888]
«DrWebAgentUI»=»h:program filesDrWeb AV-Deskdrwagnui.exe» [2010-07-03 1692976]
«SpIDerMail»=»h:program filesDrWeb AV-DeskSPIDERML.EXE» [2010-07-03 644336]
«SpIDerNT»=»h:program filesDrWeb AV-DeskSPIDERUI.EXE» [2010-07-03 231816]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»h:windowssystem32CTFMON.EXE» [2008-04-15 15360]

h:documents and settingsAll Usersѓ« ў­®Ґ ¬Ґ­оЏа®Ја ¬¬лЂўв®§ Јаг§Є 
Nokia Ovi Suite.lnk — h:program filesNokiaOviSuiteRunLauncher.exe [2008-11-28 946176]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwindows]
«AppInit_DLLs»=h:windowssystem32dfhclfhd.dll

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«h:\Program Files\GIGABYTE\GEST\run.exe»=
«h:\Program Files\QIP\qip.exe»=
«h:\WINDOWS\system32\PnkBstrA.exe»=
«h:\WINDOWS\system32\PnkBstrB.exe»=
«h:\WINDOWS\system32\CNAB4RPK.EXE»=
«h:\WINDOWS\system32\dplaysvr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«h:\Program Files\uTorrent\utorrent.exe»=
«h:\Program Files\ICQ6.5\ICQ.exe»=
«h:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe»=
«h:\Program Files\DrWeb AV-Desk\drwagntd.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«19553:TCP»= 19553:TCP

R0 DwProt;DrWeb Protection;h:windowssystem32driversdwprot.sys [03.07.2010 22:19 107384]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);h:windowssystem32driverssfdrv01a.sys [05.07.2006 16:46 63352]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:program filesCommon FilesABBYYFineReader9.00LicensingPENetworkLicenseServer.exe [06.12.2007 22:03 660768]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);h:program filesDrWeb AV-DeskDWENGINE.EXE [03.07.2010 17:35 1094048]
R2 SpIDer;SpIDer Guard (R) File System Monitor;h:program filesDrWeb AV-DeskSPIDER.SYS [03.07.2010 22:18 312504]
R2 spidernt;SpIDer Guard (R) for Windows;h:program filesDrWeb AV-DeskSPIDERNT.EXE [03.07.2010 22:18 231816]
R3 drwagntd;Dr.Web AV-Desk Agent;h:program filesDrWeb AV-DeskDRWAGNTD.EXE [03.07.2010 22:18 2340144]
S0 sptd;sptd;h:windowssystem32driverssptd.sys [31.01.2009 19:22 721904]
S2 drwupgrade;Dr.Web AV-Desk Upgrade Service;h:program filesDrWeb AV-Desk1drwupgrade.exe [03.07.2010 22:18 828720]
S2 gupdate1ca1104ee4fa4be;Служба Google Update (gupdate1ca1104ee4fa4be);h:program filesGoogleUpdateGoogleUpdate.exe [30.07.2009 15:00 133104]
S3 GEST Service;GEST Service for program management.;h:program filesGIGABYTEGESTGSvr.exe [26.08.2008 14:44 47624]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
DcomLaunch REG_MULTI_SZ DcomLaunch TermService Netprotocol
.
Contents of the ‘Scheduled Tasks’ folder

2010-07-05 h:windowsTasksAppleSoftwareUpdate.job
— h:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]

2010-07-09 h:windowsTasksGoogleUpdateTaskMachineCore.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]

2010-07-08 h:windowsTasksGoogleUpdateTaskMachineUA.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://yandex.ru/
IE: &Экспорт в Microsoft Excel — h:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
LSP: h:program filesDrWeb AV-DeskDRWEBSP.DLL
FF — ProfilePath — h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.default
FF — prefs.js: browser.search.selectedEngine — Яндекс
FF — prefs.js: browser.startup.homepage — hxxp://ru.ask.com?o=15003&l=dis
FF — prefs.js: keyword.URL — hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=ru_RU&q=
FF — component: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
FF — plugin: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsfirefox@tvunetworks.compluginsnpTVUAx.dll
FF — plugin: h:program filesGoogleUpdate1.2.183.23npGoogleOneClick8.dll
FF — plugin: h:program filesMozilla FirefoxpluginsnpdeployJava1.dll

—- FIREFOX POLICIES —-
h:program filesMozilla Firefoxgreprefsall.js — pref(«ui.use_native_colors», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.lu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nz», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgberp4a5d4ar», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--p1ai», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgbayh7gpa», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.tel», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.auth.force-generic-ntlm», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.proxy.type», 5);
h:program filesMozilla Firefoxgreprefsall.js — pref(«dom.ipc.plugins.timeoutSecs», 45);
h:program filesMozilla Firefoxgreprefsall.js — pref(«svg.smil.enabled», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«accelerometer.enabled», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.renego_unrestricted_hosts», «»);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.treat_unsafe_negotiation_as_broken», false);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.require_safe_negotiation», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«plugins.update.notifyUser», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.nptest.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npswf32.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npctrl.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npqtplugin.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled», false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 18:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA472F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xba0fcf28
DriverACPI -> ACPI.sys @ 0xb9f7fcb8
Driveratapi -> 0x8aa472f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.SYS @ 0xb9d7cbb0
PacketIndicateHandler -> NDIS.SYS @ 0xb9d89a21
SendHandler -> NDIS.SYS @ 0xb9d6787b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘winlogon.exe'(760)
h:windowssystem32Ati2evxx.dll

— — — — — — — > ‘lsass.exe'(828)
h:program filesDrWeb AV-DeskDRWEBSP.DLL
.
Completion time: 2010-07-09 18:08:35
ComboFix-quarantined-files.txt 2010-07-09 14:08
ComboFix2.txt 2010-07-08 15:25
ComboFix3.txt 2010-07-03 13:25
ComboFix4.txt 2010-06-28 09:13
ComboFix5.txt 2010-07-09 13:41

Pre-Run: 4 184 109 056 байт свободно
Post-Run: 4 170 547 200 байт свободно

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
— — End Of File — — 863A552D8E0B5E231451FD88FC14B8B4

[G-Gurda]

что дальше делать?

[G-Gurda]

Да, ничего не происходит. Просто белое окно мой компьютер зависает иногда просто — мой комп.( не отвечает) , когда вынимаешь провод usb предлагает произвести форматирование этого накопителя.

ComboFix 10-07-01.02 — user 03.07.2010 17:09:02.7.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2046.1675 [GMT 4:00]
Running from: h:documents and settingsuserМои документыЗагрузкиComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:program filesCommon Fileskeylog.txt
h:program filesLight AlloyLA.exe
h:windowssystem32aZuK2iP.exe
h:windowssystem32nj0NAdI.exe
h:windowssystem32oYKFhsQ.exe

h:windowssystem32grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-02 21:22 . 2010-07-02 21:22 114176 —-a-w- h:windowssystem32IflW0Xf.exe
2010-07-02 21:22 . 2010-07-02 21:22 48128 —-a-w- h:windowssystem3271139df6.exe
2010-06-29 23:12 . 2010-06-29 23:12

---

d

---

w- h:program filesCommon FilesJava
2010-06-29 23:12 . 2010-06-29 23:12 503808 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcp71.dll
2010-06-29 23:12 . 2010-06-29 23:12 499712 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-njmc.dll
2010-06-29 23:12 . 2010-06-29 23:12 348160 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.046f84c6ae-4c27dc25-nmsvcr71.dll
2010-06-29 23:12 . 2010-06-29 23:12 61440 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-sse.dll
2010-06-29 23:12 . 2010-06-29 23:12 12800 —-a-w- h:documents and settingsuserApplication DataSunJavaDeploymentSystemCache6.0505535ab32-20182f63-ndecora-d3d.dll
2010-06-29 23:12 . 2010-04-12 13:29 411368 —-a-w- h:windowssystem32deployJava1.dll
2010-06-28 09:20 . 2010-07-03 13:20

---

d

---

w- h:program filesLight Alloy
2010-06-27 21:06 . 2010-06-27 21:10

---

d

---

w- h:documents and settingsuserApplication DataFileZilla
2010-06-23 16:36 . 2010-06-23 16:36 2944904 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionstoolbar@ask.comchrometempaskToolbar.exe
2010-06-23 14:57 . 2010-06-23 15:54

---

d

---

w- h:documents and settingsАдминистратор
2010-06-16 08:59 . 2010-06-16 09:00

---

d

---

w- h:program filesMetaTrader — Alpari
2010-06-15 16:40 . 2010-06-09 11:58 14336 —-a-w- h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:program filesQuickTime
2010-06-08 11:38 . 2010-06-08 11:38

---

d

---

w- h:documents and settingsAll UsersApplication DataApple Computer
2010-06-04 11:35 . 2010-06-04 11:35

---

d

---

w- h:documents and settingsuserApplication DataFriday’s games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 13:04 . 2008-08-26 10:43 16608 —-a-w- h:windowsgdrv.sys
2010-07-03 12:53 . 2010-05-28 09:14

---

d

---

w- h:program filesFishki.net
2010-07-03 12:50 . 2008-08-27 14:31

---

d

---

w- h:documents and settingsuserApplication DatauTorrent
2010-06-29 23:12 . 2009-06-09 19:22

---

d

---

w- h:program filesJava
2010-06-29 20:37 . 2010-02-19 18:15

---

d

---

w- h:program filestrend micro
2010-06-28 13:17 . 2009-06-02 02:21

---

d

---

w- h:program filesICQ6.5
2010-06-28 09:18 . 2009-02-28 13:26

---

d

---

w- h:program filesAutochartist
2010-06-28 09:18 . 2008-08-26 10:44

---

d—h—w- h:program filesInstallShield Installation Information
2010-06-24 13:35 . 2009-07-30 09:04

---

d

---

w- h:program filesFLV Player
2010-06-22 10:20 . 2009-03-03 20:28

---

d

---

w- h:documents and settingsuserApplication Datadvdcss
2010-06-04 11:34 . 2009-12-21 23:21

---

d

---

w- h:program filesAlawar
2010-05-31 21:49 . 2010-04-26 21:39

---

d

---

w- h:program filesCommon FilesWise Installation Wizard
2010-05-28 09:22 . 2010-05-28 09:19

---

d

---

w- h:documents and settingsuserApplication Dataтанчики
2010-05-27 12:27 . 2010-05-27 12:27

---

d

---

w- h:documents and settingsAll UsersApplication Data3-D HUNTING 2010
2010-05-12 19:57 . 2008-08-26 10:40 73336 —-a-w- h:documents and settingsuserLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-05-10 16:16 . 2010-05-10 16:16

---

d

---

w- h:program filesMSECache
2010-05-08 09:17 . 2010-05-08 09:17 12 —-a-w- h:documents and settingsuserApplication Dataypgovd.dat
2010-04-19 20:37 . 2008-08-26 16:20 444952 —-a-w- h:windowssystem32wrap_oal.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 —-a-w- h:program filesmozilla firefoxpluginslibdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 —-a-w- h:program filesmozilla firefoxpluginsssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-23_16.28.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-03 13:06 . 2010-07-03 13:06 16384 h:windowstempPerflib_Perfdata_7a8.dat
+ 2010-06-26 14:46 . 2010-07-03 13:06 32768 h:windowssystem32configsystemprofileLocal SettingsTemporary Internet FilesContent.IE5index.dat
+ 2008-08-26 10:38 . 2010-07-03 13:06 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
— 2008-08-26 10:38 . 2010-02-22 13:42 32768 h:windowssystem32configsystemprofileLocal SettingsHistoryHistory.IE5index.dat
+ 2010-07-02 21:22 . 2010-07-03 13:06 16384 h:windowssystem32configsystemprofileCookiesindex.dat
+ 2010-06-29 23:12 . 2010-04-12 13:29 153376 h:windowssystem32javaws.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32javaw.exe
+ 2010-06-29 23:12 . 2010-04-12 13:29 145184 h:windowssystem32java.exe
+ 2010-06-29 23:12 . 2010-06-29 23:12 180224 h:windowsInstaller15dc20.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«AlcoholAutomount»=»h:program filesAlcohol SoftAlcohol 120axcmd.exe» [2009-04-24 203928]
«AlSrvN»=»h:program filesAlcohol SoftAlcohol 120PluginsHelperAlSrvN.exe» [2009-04-17 53248]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NokiaMServer»=»h:program filesCommon FilesNokiaMPlatformNokiaMServer» [X]
«GEST»=»h:program filesGIGABYTEGESTRUN.exe» [2007-12-14 236040]
«JMB36X IDE Setup»=»h:windowsRaidToolxInsIDE.exe» [2007-03-20 36864]
«36X Raid Configurer»=»h:windowssystem32xRaidSetup.exe» [2007-08-29 1966080]
«Acronis True Image Monitor»=»h:program filesAcronisTrueImageTrueImageMonitor.exe» [2008-08-26 417536]
«Acronis Scheduler2 Service»=»h:program filesCommon FilesAcronisSchedule2schedhlp.exe» [2008-08-26 61440]
«NeroFilterCheck»=»h:windowssystem32NeroCheck.exe» [2001-07-09 155648]
«Adobe Reader Speed Launcher»=»h:program filesAdobeReader 9.0ReaderReader_sl.exe» [2008-06-11 34672]
«Nokia FastStart»=»h:program filesNokiaNokia MusicNokiaMusic.exe» [2008-12-03 2372840]
«SunJavaUpdateSched»=»h:program filesCommon FilesJavaJava Updatejusched.exe» [2010-02-18 248040]
«StartCCC»=»h:program filesATI TechnologiesATI.ACECore-StaticCLIStart.exe» [2009-04-28 61440]
«RTHDCPL»=»RTHDCPL.EXE» [2007-09-19 16844800]
«QuickTime Task»=»h:program filesQuickTimeQTTask.exe» [2010-03-17 421888]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»h:windowssystem32CTFMON.EXE» [2008-04-15 15360]

h:documents and settingsAll Usersѓ« ў­®Ґ ¬Ґ­оЏа®Ја ¬¬лЂўв®§ Јаг§Є 
Nokia Ovi Suite.lnk — h:program filesNokiaOviSuiteRunLauncher.exe [2008-11-28 946176]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogon]
«Userinit»=»h:windowssystem32userinit.exe,h:windowssystem32d542de00.exe,\?globalrootsystemrootsystem321h43Z8O.exe,h:windowssystem3271139df6.exe,\?globalrootsystemrootsystem32IflW0Xf.exe,»

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
«EnableFirewall»= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\system32\sessmgr.exe»=
«h:\Program Files\GIGABYTE\GEST\run.exe»=
«h:\Program Files\QIP\qip.exe»=
«h:\WINDOWS\system32\PnkBstrA.exe»=
«h:\WINDOWS\system32\PnkBstrB.exe»=
«h:\WINDOWS\system32\CNAB4RPK.EXE»=
«h:\WINDOWS\system32\dplaysvr.exe»=
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«h:\Program Files\uTorrent\utorrent.exe»=
«h:\Program Files\ICQ6.5\ICQ.exe»=
«h:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe»=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
«19553:TCP»= 19553:TCP

R0 sptd;sptd;h:windowsSystem32Driverssptd.sys [2009-11-12 721904]
R2 gupdate1ca1104ee4fa4be;Служба Google Update (gupdate1ca1104ee4fa4be);h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 133104]
R3 GEST Service;GEST Service for program management.;h:program filesGIGABYTEGESTGSvr.exe [2007-12-14 47624]
S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);h:windowsSystem32driverssfdrv01a.sys [2006-07-05 63352]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:program filesCommon FilesABBYYFineReader9.00LicensingPENetworkLicenseServer.exe [2007-12-06 660768]

— Other Services/Drivers In Memory —

*Deregistered* — spider

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
DcomLaunch REG_MULTI_SZ DcomLaunch TermService Netprotocol
.
Contents of the ‘Scheduled Tasks’ folder

2010-06-28 h:windowsTasksAppleSoftwareUpdate.job
— h:program filesApple Software UpdateSoftwareUpdate.exe [2008-07-30 09:34]

2010-07-03 h:windowsTasksGoogleUpdateTaskMachineCore.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]

2010-07-03 h:windowsTasksGoogleUpdateTaskMachineUA.job
— h:program filesGoogleUpdateGoogleUpdate.exe [2009-07-30 11:00]
.
.

---

Supplementary Scan

---

.
uStart Page = hxxp://yandex.ru/
IE: &Экспорт в Microsoft Excel — h:progra~1MICROS~2OFFICE11EXCEL.EXE/3000
FF — ProfilePath — h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.default
FF — prefs.js: browser.search.selectedEngine — Яндекс
FF — prefs.js: browser.startup.homepage — hxxp://ru.ask.com?o=15003&l=dis
FF — prefs.js: keyword.URL — hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15000&locale=ru_RU&q=
FF — component: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsradiobar@toolbarcomponentstoolbarhomewmp.dll
FF — plugin: h:documents and settingsuserApplication DataMozillaFirefoxProfilesi1vdypvy.defaultextensionsfirefox@tvunetworks.compluginsnpTVUAx.dll
FF — plugin: h:program filesGoogleUpdate1.2.183.23npGoogleOneClick8.dll
FF — plugin: h:program filesMozilla FirefoxpluginsnpdeployJava1.dll

—- FIREFOX POLICIES —-
h:program filesMozilla Firefoxgreprefsall.js — pref(«ui.use_native_colors», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.lu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nu», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.nz», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgberp4a5d4ar», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--p1ai», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.xn--mgbayh7gpa», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.IDN.whitelist.tel», true);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.auth.force-generic-ntlm», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«network.proxy.type», 5);
h:program filesMozilla Firefoxgreprefsall.js — pref(«dom.ipc.plugins.timeoutSecs», 45);
h:program filesMozilla Firefoxgreprefsall.js — pref(«svg.smil.enabled», false);
h:program filesMozilla Firefoxgreprefsall.js — pref(«accelerometer.enabled», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref», true);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.renego_unrestricted_hosts», «»);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.treat_unsafe_negotiation_as_broken», false);
h:program filesMozilla Firefoxgreprefssecurity-prefs.js — pref(«security.ssl.require_safe_negotiation», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description», «chrome://browser/locale/browser.properties»);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«plugins.update.notifyUser», false);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.nptest.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npswf32.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npctrl.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled.npqtplugin.dll», true);
h:program filesMozilla Firefoxdefaultspreffirefox.js — pref(«dom.ipc.plugins.enabled», false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA0D4B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
DriverDisk -> CLASSPNP.SYS @ 0xba0fcf28
DriverACPI -> ACPI.sys @ 0xb9f7fcb8
Driveratapi -> 0x8aa0d4b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9cdebb0
PacketIndicateHandler -> NDIS.sys @ 0xb9ceba21
SendHandler -> NDIS.sys @ 0xb9cc987b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

— — — — — — — > ‘winlogon.exe'(760)
h:windowssystem32Ati2evxx.dll
.
Completion time: 2010-07-03 17:25:49
ComboFix-quarantined-files.txt 2010-07-03 13:25
ComboFix2.txt 2010-06-28 09:13
ComboFix3.txt 2010-06-23 16:32
ComboFix4.txt 2010-04-24 18:05
ComboFix5.txt 2010-07-03 13:00

Pre-Run: 3 747 381 248 байт свободно
Post-Run: 4 611 076 096 байт свободно

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
— — End Of File — — 109A12AD5CFD4728A3DB63151147D33A

[G-Gurda]

Ну как вам мой лог господа?

[Автор]

Сообщения