Forum replies created
And hello again! Thank you very much, everything worked, but after removing ComboFix, pop-up windows with advertising started appearing in my Google Chrome browser, and they crawl downwards as the window moves ((. Could you tell me how to beat this? Regards, Vasily.
Oh! Ja, ja! Sehr gut! Thank you very much!
ComboFix 09-10-01.05 - Мюллер 07.10.2009 18:33.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.7.1049.18.3326.2452 [GMT 4:00]
Running from: c:\users\Мюллер\Desktop\ComboFix.exe
Command switches used :: c:\users\Мюллер\Desktop\CFScript.txt
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Мюллер\AppData\Roaming\AdRiver
c:\users\Мюллер\AppData\Roaming\AdRiver\AdRiver.dat
c:\users\Мюллер\AppData\Roaming\AdRiver\AdRiver.dll
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed1.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed10.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed11.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed12.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed13.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed14.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed15.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed2.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed3.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed4.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed5.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed6.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed7.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed8.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feed9.jpg
c:\users\Мюллер\AppData\Roaming\AdRiver\Feedfeed.xml
c:\users\Мюллер\AppData\Roaming\AdRiver\g.fla
c:\users\Мюллер\AppData\Roaming\AdRiver\Uninstall.exe
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
hxxp://download.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-07 14:37 . 2009-10-07 14:37 d-----w- c:\users\Мюллер\AppData\Local\temp
2009-10-07 14:37 . 2009-10-07 14:37 d-----w- c:\users\Public\AppData\Local\temp
2009-10-07 14:37 . 2009-10-07 14:37 d-----w- c:\users\Default\AppData\Local\temp
2009-09-30 06:00 . 2009-09-30 06:00 d-----w- C:\rsit
2009-09-30 06:00 . 2009-09-30 06:00 d-----w- c:\program files\trend micro
2009-09-30 05:19 . 2009-09-30 05:24 d-----w- c:\program files\Ad Muncher
2009-09-29 04:54 . 2009-09-29 04:54 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\program files\SUPERAntiSpyware
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\users\Мюллер\AppData\Roaming\SUPERAntiSpyware.com
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-19 09:05 . 2009-09-19 09:07 d-----w- c:\users\Мюллер\AppData\Roaming\Luntik
2009-09-19 08:54 . 2009-09-19 08:54 d-----w- c:\programdata\AlawarWrapper
2009-09-19 08:54 . 2009-09-19 08:54 d-----w- c:\programdata\Egoset
2009-09-19 08:53 . 2009-09-19 09:04 d-----w- c:\program files\GamerOnline.ru
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 14:36 . 2008-09-26 18:53 2883584 --sha-w- c:\users\Мюллер\NTUSER.DAT
2009-10-07 14:32 . 2009-09-05 07:51 d-----w- c:\users\Мюллер\AppData\Roaming\uTorrent
2009-10-07 13:24 . 2008-02-05 16:29 656154 ----a-w- c:\windows\system32\perfh019.dat
2009-10-07 13:24 . 2008-02-05 16:29 126450 ----a-w- c:\windows\system32\perfc019.dat
2009-10-07 13:19 . 2008-09-26 19:23 9 ----a-w- c:\windows\mvraidver.dat
2009-10-07 04:19 . 2008-09-27 18:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-04 02:41 . 2009-09-24 03:58 87414 ----a-w- c:\users\Мюллер\AppData\Roaming\fieryads.dat
2009-10-02 00:40 . 2009-03-21 15:54 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-02 00:21 . 2009-03-21 15:56 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-29 10:11 . 2008-10-15 07:21 d-----w- c:\program files\Steam
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\users\Мюллер\AppData\Roaming\SUPERAntiSpyware.com
2009-09-27 13:04 . 2008-09-28 03:03 d-----w- c:\program files\Common Files\Adobe
2009-09-19 09:07 . 2009-09-19 09:05 d-----w- c:\users\Мюллер\AppData\Roaming\Luntik
2009-09-18 12:00 . 2008-09-27 20:22 d-----w- c:\programdata\Microsoft Help
2009-09-18 12:00 . 2008-09-26 18:53 d-s---w- c:\users\Мюллер\AppData\Roaming\Microsoft
2009-09-05 07:52 . 2009-09-05 07:52 d-----w- c:\program files\uTorrent
2009-09-03 05:06 . 2009-08-11 09:43 d-----w- c:\users\Мюллер\AppData\Roaming\Image Zone Express
2009-09-02 12:41 . 2009-09-02 12:40 d-----w- c:\users\Мюллер\AppData\Roaming\Super-Cow
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\users\Мюллер\AppData\Roaming\Yandex
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\users\Мюллер\AppData\Roaming\Mozilla
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\program files\Yandex
2009-08-29 14:07 . 2009-08-29 14:07 d-----w- c:\users\Мюллер\AppData\Roaming\WinRAR
2009-08-18 03:42 . 2009-08-18 03:42 d-----w- c:\users\Мюллер\AppData\Roaming\ScreenSeven
2009-08-11 09:43 . 2009-08-11 09:43 d-----w- c:\users\Мюллер\AppData\Roaming\Printer Info Cache
2009-08-11 09:43 . 2009-03-06 05:30 d-----w- c:\users\Мюллер\AppData\Roaming\HP
2009-08-04 14:56 . 2009-03-21 15:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-31 02:09 . 2009-03-21 15:55 22328 ----a-w- c:\users\Мюллер\AppData\Roaming\PnkBstrK.sys
2009-07-31 02:09 . 2009-03-21 15:53 682280 ----a-w- c:\windows\system32\pbsvc.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-04_02.47.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-10-07 13:20 38370 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-07 13:20 64078 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-26 18:52 . 2009-10-04 02:28 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-26 18:52 . 2009-10-07 13:39 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-26 18:52 . 2009-10-04 02:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-26 18:52 . 2009-10-07 13:39 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-26 18:52 . 2009-10-04 02:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-26 18:52 . 2009-10-07 13:39 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-26 18:57 . 2009-10-07 13:20 8936 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1019601049-4187624012-3535808926-1000_UserData.bin
- 2009-10-04 01:39 . 2009-10-04 01:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-07 13:19 . 2009-10-07 13:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-04 01:39 . 2009-10-04 01:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-07 13:19 . 2009-10-07 13:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-07 13:24 589884 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-04 01:45 589884 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-07 13:24 101896 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-04 01:45 101896 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Мюллер\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-05 288048]
"NevoDRM"="c:\игры\NevoDRM\NevoDRM.exe" [2008-12-11 41984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2007-01-18 751616]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-23 4423680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 11:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Мюллер^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MarvellTrayStartup.lnk]
path=c:\users\Мюллер\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarvellTrayStartup.lnk
backup=c:\windows\pss\MarvellTrayStartup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Мюллер^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Вырезка экрана и программа запуска для OneNote 2007.lnk]
path=c:\users\Мюллер\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Вырезка экрана и программа запуска для OneNote 2007.lnk
backup=c:\windows\pss\Вырезка экрана и программа запуска для OneNote 2007.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1019601049-4187624012-3535808926-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF7E13AB-DB40-4DA8-8C29-57969F8489CD}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0753B0E6-1263-4935-B6C5-8F6FE81951DF}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{23EA3B29-221F-4827-83E9-779AF1CB0A30}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"TCP Query User{845FE12B-7B53-423A-BB5D-EAF048CD58DE}c:\program files\pcgame\call of duty world at war\codwaw.exe"= UDP:c:\program files\pcgame\call of duty world at war\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"UDP Query User{6A5C952D-AEDB-4660-A301-F6C447A05DD4}c:\program files\pcgame\call of duty world at war\codwaw.exe"= TCP:c:\program files\pcgame\call of duty world at war\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"TCP Query User{F3417F39-DAE7-43F5-9760-FE4EBD1A752F}c:\program files\codwaw\codwaw.exe"= UDP:c:\program files\codwaw\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"UDP Query User{4B3ECA4E-68BE-44DA-99ED-DEE7253AFAAA}c:\program files\codwaw\codwaw.exe"= TCP:c:\program files\codwaw\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"{E4EF1C89-6DED-4293-89F5-56C154520AF9}"= UDP:Profile=Private|990:LocalSubnet:LocalSubnet|IF={74570CBA-52A8-4362-A857-3FE710B3FE1E}|c:\windows\system32\svchost.exe|Svc=rapimgr:Возможности подключения устройств на платформе Windows Mobile
"TCP Query User{420DF1C3-82FE-4F0D-8090-9B92F985F87B}c:\program files\marvell\61xx\apache2\bin\apache.exe"= Disabled:UDP:c:\program files\marvell\61xx\apache2\bin\apache.exe:Apache HTTP Server
"UDP Query User{D91E8EFB-C7F1-4EB7-90CF-0E35E532E522}c:\program files\marvell\61xx\apache2\bin\apache.exe"= Disabled:TCP:c:\program files\marvell\61xx\apache2\bin\apache.exe:Apache HTTP Server
"{39A0559D-3B1B-4BE3-8896-4034651FDC9C}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{10456C03-F374-4CE8-9C44-A5CCCEBC8DAA}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AE52AB3D-31B2-4FFD-9945-1398981D2FED}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E42E90E9-93F4-44C0-A15D-012F4B39347E}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{74DB3C9A-8523-4C67-9E17-7F34079DFF7C}"= Disabled:UDP:990:LocalSubnet:LocalSubnet|IF={74570CBA-52A8-4362-A857-3FE710B3FE1E}|c:\windows\system32\svchost.exe|Svc=rapimgr:Возможности подключения устройств на платформе Windows Mobile
"{FA3849A3-FFA0-430C-8690-A52A38CCFF72}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{39CB083B-4D09-474A-A665-0A6FD2EE5C54}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{EDAE9076-39C6-48EC-A967-534975E85768}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{8892897E-7CA0-4DDB-A258-A61699D77E43}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{8185E953-BDDB-43D3-B572-D27C144D0E97}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{9CC3123A-30EF-4DC0-A70B-2C0716BC0EF3}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{4925D697-A059-45C7-9410-74DCF65FB7DD}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{4446AB3A-FA48-47AE-8328-8D5A2C4E2BEC}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{4AA1A7E8-8231-4EC7-B2F1-7D9A2344F6B0}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{459ED6D2-AEA6-4622-976F-A447CC65FBE5}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {C5312F4D-1C7B-4C93-AC51-0C6E3A207659},{F9FF4D7C-7C5F-4F48-91BC-44385D9880E1},{563723C9-6D6C-45B5-8988-15D90FB2215B},{3935CAB3-C8D6-4157-B588-381BF341BB83}

R0 mv61xx;mv61xx;c:\windows\System32\drivers\mv61xx.sys [15.06.2007 11:52 143256]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [06.03.2009 9:07 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15.09.2009 11:42 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15.09.2009 11:42 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [06.03.2009 9:07 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [06.03.2009 9:06 51792]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [12.06.2007 22:54 61440]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\System32\drivers\l160x86.sys [26.09.2008 23:13 46592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15.09.2009 11:42 7408]
S2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [23.05.2007 4:17 20539]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
Supplementary Scan
.
uStart Page = hxxp://www.rambler.ru/
mStart Page = hxxp://www.rambler.ru/ra/
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_exclude
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_report
IE: Добавить в Rambler-Закладки - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/zakladki.htm
IE: Найти с помощью Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/search.htm
IE: Перевести с помощью словарей Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/dic.htm
TCP: {C5312F4D-1C7B-4C93-AC51-0C6E3A207659} = 10.42.100.12 10.42.100.14
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AdRiver - c:\users\Мюллер\AppData\Roaming\AdRiver\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 18:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1019601049-4187624012-3535808926-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*>]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1019601049-4187624012-3535808926-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*>\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-07 18:38
ComboFix-quarantined-files.txt 2009-10-07 14:38
ComboFix2.txt 2009-10-04 02:48

Pre-Run: 30 116 360 192 байт свободно
Post-Run: 29 892 300 800 байт свободно

281
ComboFix 09-10-01.05 - Мюллер 04.10.2009 6:43.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1251.7.1049.18.3326.2469 [GMT 4:00]
Running from: c:\users\Мюллер\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1645522239-1078081533-725345543-1003
c:\users\Мюллер\AppData\Roaming\FieryAds
c:\users\Мюллер\AppData\Roaming\FieryAds\FiERyads.dll
c:\users\Мюллер\AppData\Roaming\FieryAds\FieryAdsUninstall.exe
c:\windows\ktkm1.dll
c:\windows\ktkm10.dll
c:\windows\ktkm11.dll
c:\windows\ktkm12.dll
c:\windows\ktkm13.dll
c:\windows\ktkm14.dll
c:\windows\ktkm15.dll
c:\windows\ktkm16.dll
c:\windows\ktkm17.dll
c:\windows\ktkm18.dll
c:\windows\ktkm19.dll
c:\windows\ktkm2.dll
c:\windows\ktkm20.dll
c:\windows\ktkm21.dll
c:\windows\ktkm22.dll
c:\windows\ktkm23.dll
c:\windows\ktkm24.dll
c:\windows\ktkm25.dll
c:\windows\ktkm26.dll
c:\windows\ktkm27.dll
c:\windows\ktkm28.dll
c:\windows\ktkm29.dll
c:\windows\ktkm3.dll
c:\windows\ktkm30.dll
c:\windows\ktkm31.dll
c:\windows\ktkm32.dll
c:\windows\ktkm33.dll
c:\windows\ktkm34.dll
c:\windows\ktkm35.dll
c:\windows\ktkm36.dll
c:\windows\ktkm37.dll
c:\windows\ktkm4.dll
c:\windows\ktkm5.dll
c:\windows\ktkm6.dll
c:\windows\ktkm7.dll
c:\windows\ktkm8.dll
c:\windows\ktkm9.dll
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-04 02:47 . 2009-10-04 02:47 d-----w- c:\users\Default\AppData\Local\temp
2009-09-30 06:00 . 2009-09-30 06:00 d-----w- C:\rsit
2009-09-30 06:00 . 2009-09-30 06:00 d-----w- c:\program files\trend micro
2009-09-30 05:19 . 2009-09-30 05:24 d-----w- c:\program files\Ad Muncher
2009-09-29 04:54 . 2009-09-29 04:54 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\program files\SUPERAntiSpyware
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\users\Мюллер\AppData\Roaming\SUPERAntiSpyware.com
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-24 03:58 . 2009-09-24 03:59 d-----w- c:\users\Мюллер\AppData\Roaming\AdRiver
2009-09-19 09:05 . 2009-09-19 09:07 d-----w- c:\users\Мюллер\AppData\Roaming\Luntik
2009-09-19 08:54 . 2009-09-19 08:54 d-----w- c:\programdata\AlawarWrapper
2009-09-19 08:54 . 2009-09-19 08:54 d-----w- c:\programdata\Egoset
2009-09-19 08:53 . 2009-09-19 09:04 d-----w- c:\program files\GamerOnline.ru
2009-09-05 07:52 . 2009-09-05 07:52 d-----w- c:\program files\uTorrent
2009-09-05 07:51 . 2009-10-04 02:40 d-----w- c:\users\Мюллер\AppData\Roaming\uTorrent
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 02:46 . 2008-09-26 18:53 2883584 --sha-w- c:\users\Мюллер\NTUSER.DAT
2009-10-04 02:41 . 2009-09-24 03:58 87414 ----a-w- c:\users\Мюллер\AppData\Roaming\fieryads.dat
2009-10-04 02:40 . 2009-09-05 07:51 d-----w- c:\users\Мюллер\AppData\Roaming\uTorrent
2009-10-04 01:45 . 2008-02-05 16:29 656154 ----a-w- c:\windows\system32\perfh019.dat
2009-10-04 01:45 . 2008-02-05 16:29 126450 ----a-w- c:\windows\system32\perfc019.dat
2009-10-04 01:39 . 2008-09-26 19:23 9 ----a-w- c:\windows\mvraidver.dat
2009-10-03 14:20 . 2008-09-27 18:52 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-02 00:40 . 2009-03-21 15:54 189184 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-02 00:21 . 2009-03-21 15:56 138064 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-29 10:11 . 2008-10-15 07:21 d-----w- c:\program files\Steam
2009-09-29 04:52 . 2009-09-29 04:52 d-----w- c:\users\Мюллер\AppData\Roaming\SUPERAntiSpyware.com
2009-09-27 13:04 . 2008-09-28 03:03 d-----w- c:\program files\Common Files\Adobe
2009-09-24 03:59 . 2009-09-24 03:58 d-----w- c:\users\Мюллер\AppData\Roaming\AdRiver
2009-09-19 09:07 . 2009-09-19 09:05 d-----w- c:\users\Мюллер\AppData\Roaming\Luntik
2009-09-18 12:00 . 2008-09-27 20:22 d-----w- c:\programdata\Microsoft Help
2009-09-18 12:00 . 2008-09-26 18:53 d-s---w- c:\users\Мюллер\AppData\Roaming\Microsoft
2009-09-03 05:06 . 2009-08-11 09:43 d-----w- c:\users\Мюллер\AppData\Roaming\Image Zone Express
2009-09-02 12:41 . 2009-09-02 12:40 d-----w- c:\users\Мюллер\AppData\Roaming\Super-Cow
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\users\Мюллер\AppData\Roaming\Yandex
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\users\Мюллер\AppData\Roaming\Mozilla
2009-09-02 07:55 . 2009-09-02 07:55 d-----w- c:\program files\Yandex
2009-08-29 14:07 . 2009-08-29 14:07 d-----w- c:\users\Мюллер\AppData\Roaming\WinRAR
2009-08-18 03:42 . 2009-08-18 03:42 d-----w- c:\users\Мюллер\AppData\Roaming\ScreenSeven
2009-08-11 09:43 . 2009-08-11 09:43 d-----w- c:\users\Мюллер\AppData\Roaming\Printer Info Cache
2009-08-11 09:43 . 2009-03-06 05:30 d-----w- c:\users\Мюллер\AppData\Roaming\HP
2009-08-06 13:45 . 2009-08-06 13:30 d-----w- c:\users\Мюллер\AppData\Roaming\Grym
2009-08-06 13:45 . 2009-08-06 13:28 d-----w- c:\programdata\2GIS
2009-08-06 13:28 . 2009-08-06 13:28 d-----w- c:\program files\2gis
2009-08-06 04:57 . 2008-09-26 19:00 d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 11:56 . 2009-08-05 11:56 d-----w- c:\users\Мюллер\AppData\Roaming\rambler.ru
2009-08-05 11:56 . 2009-08-05 11:56 d-----w- c:\program files\Rambler Assistant
2009-08-04 14:56 . 2009-03-21 15:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-31 02:09 . 2009-03-21 15:55 22328 ----a-w- c:\users\Мюллер\AppData\Roaming\PnkBstrK.sys
2009-07-31 02:09 . 2009-03-21 15:53 682280 ----a-w- c:\windows\system32\pbsvc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-07-24 5586208]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AdRiver]
@="{6B830884-20E3-4AB6-B672-2629F0F72071}"
[HKEY_CLASSES_ROOT\CLSID\{6B830884-20E3-4AB6-B672-2629F0F72071}]
2009-09-24 03:58 748544 ----a-w- c:\users\Мюллер\AppData\Roaming\AdRiver\AdRiver.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Мюллер\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-10 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-05 288048]
"NevoDRM"="c:\игры\NevoDRM\NevoDRM.exe" [2008-12-11 41984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2007-01-18 751616]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-23 4423680]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 11:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Мюллер^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MarvellTrayStartup.lnk]
path=c:\users\Мюллер\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MarvellTrayStartup.lnk
backup=c:\windows\pss\MarvellTrayStartup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Мюллер^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Вырезка экрана и программа запуска для OneNote 2007.lnk]
path=c:\users\Мюллер\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Вырезка экрана и программа запуска для OneNote 2007.lnk
backup=c:\windows\pss\Вырезка экрана и программа запуска для OneNote 2007.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1019601049-4187624012-3535808926-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF7E13AB-DB40-4DA8-8C29-57969F8489CD}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0753B0E6-1263-4935-B6C5-8F6FE81951DF}"= UDP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"{23EA3B29-221F-4827-83E9-779AF1CB0A30}"= TCP:c:\program files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:Gears of War
"TCP Query User{845FE12B-7B53-423A-BB5D-EAF048CD58DE}c:\program files\pcgame\call of duty world at war\codwaw.exe"= UDP:c:\program files\pcgame\call of duty world at war\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"UDP Query User{6A5C952D-AEDB-4660-A301-F6C447A05DD4}c:\program files\pcgame\call of duty world at war\codwaw.exe"= TCP:c:\program files\pcgame\call of duty world at war\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"TCP Query User{F3417F39-DAE7-43F5-9760-FE4EBD1A752F}c:\program files\codwaw\codwaw.exe"= UDP:c:\program files\codwaw\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"UDP Query User{4B3ECA4E-68BE-44DA-99ED-DEE7253AFAAA}c:\program files\codwaw\codwaw.exe"= TCP:c:\program files\codwaw\codwaw.exe:Call of Duty(R): World at War Campaign/Coop
"{E4EF1C89-6DED-4293-89F5-56C154520AF9}"= UDP:Profile=Private|990:LocalSubnet:LocalSubnet|IF={74570CBA-52A8-4362-A857-3FE710B3FE1E}|c:\windows\system32\svchost.exe|Svc=rapimgr:Возможности подключения устройств на платформе Windows Mobile
"TCP Query User{420DF1C3-82FE-4F0D-8090-9B92F985F87B}c:\program files\marvell\61xx\apache2\bin\apache.exe"= Disabled:UDP:c:\program files\marvell\61xx\apache2\bin\apache.exe:Apache HTTP Server
"UDP Query User{D91E8EFB-C7F1-4EB7-90CF-0E35E532E522}c:\program files\marvell\61xx\apache2\bin\apache.exe"= Disabled:TCP:c:\program files\marvell\61xx\apache2\bin\apache.exe:Apache HTTP Server
"{39A0559D-3B1B-4BE3-8896-4034651FDC9C}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{10456C03-F374-4CE8-9C44-A5CCCEBC8DAA}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AE52AB3D-31B2-4FFD-9945-1398981D2FED}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E42E90E9-93F4-44C0-A15D-012F4B39347E}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{74DB3C9A-8523-4C67-9E17-7F34079DFF7C}"= Disabled:UDP:990:LocalSubnet:LocalSubnet|IF={74570CBA-52A8-4362-A857-3FE710B3FE1E}|c:\windows\system32\svchost.exe|Svc=rapimgr:Возможности подключения устройств на платформе Windows Mobile
"{FA3849A3-FFA0-430C-8690-A52A38CCFF72}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{39CB083B-4D09-474A-A665-0A6FD2EE5C54}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{EDAE9076-39C6-48EC-A967-534975E85768}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{8892897E-7CA0-4DDB-A258-A61699D77E43}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{8185E953-BDDB-43D3-B572-D27C144D0E97}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{9CC3123A-30EF-4DC0-A70B-2C0716BC0EF3}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{4925D697-A059-45C7-9410-74DCF65FB7DD}"= UDP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{4446AB3A-FA48-47AE-8328-8D5A2C4E2BEC}"= TCP:c:\program files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{9B84B81E-0D21-42F6-BF65-FB8A2D3A24CB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{C6A4F964-7E78-4B00-A332-32E1DDEE2BCA}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
«EnableFirewall»= 0 (0x0)
«DisabledInterfaces»= {C5312F4D-1C7B-4C93-AC51-0C6E3A207659},{F9FF4D7C-7C5F-4F48-91BC-44385D9880E1},{563723C9-6D6C-45B5-8988-15D90FB2215B},{3935CAB3-C8D6-4157-B588-381BF341BB83}R0 mv61xx;mv61xx;c:windowsSystem32driversmv61xx.sys [15.06.2007 11:52 143256]
R1 aswSP;avast! Self Protection;c:windowsSystem32driversaswSP.sys [06.03.2009 9:07 114768]
R1 SASDIFSV;SASDIFSV;c:program filesSUPERAntiSpywaresasdifsv.sys [15.09.2009 11:42 9968]
R1 SASKUTIL;SASKUTIL;c:program filesSUPERAntiSpywareSASKUTIL.SYS [15.09.2009 11:42 74480]
R2 aswFsBlk;aswFsBlk;c:windowsSystem32driversaswFsBlk.sys [06.03.2009 9:07 20560]
R2 aswMonFlt;aswMonFlt;c:windowsSystem32driversaswMonFlt.sys [06.03.2009 9:06 51792]
R2 Marvell RAID;Marvell RAID Event Agent;c:program filesMarvell61xxsvcmvraidsvc.exe [12.06.2007 22:54 61440]
R2 MRUWebService;MRU Web Service;c:program filesMarvell61xxApache2binApache.exe [23.05.2007 4:17 20539]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:windowsSystem32driversl160x86.sys [26.09.2008 23:13 46592]
R3 SASENUM;SASENUM;c:program filesSUPERAntiSpywareSASENUM.SYS [15.09.2009 11:42 7408][HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
Supplementary Scan
.
uStart Page = hxxp://www.rambler.ru/
mStart Page = hxxp://www.rambler.ru/ra/
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_exclude
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=333N582O&id=menu_ie_report
IE: Добавить в Rambler-Закладки - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/zakladki.htm
IE: Найти с помощью Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/search.htm
IE: Перевести с помощью словарей Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU5950.dll/dic.htm
TCP: {C5312F4D-1C7B-4C93-AC51-0C6E3A207659} = 10.42.100.12 10.42.100.14
.
- - - - ORPHANS REMOVED - - - -

AddRemove-diamond_drop - c:\игры\Diamond Drop\uninstall.exe
AddRemove-Giza_is1 - c:\games\Giza\unins000.exe
AddRemove-super_cow - c:\игры\Super Cow\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 06:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
LOCKED REGISTRY KEYS

[HKEY_USERS\S-1-5-21-1019601049-4187624012-3535808926-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*>]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1019601049-4187624012-3535808926-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*>\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\system32\Macromed\Flash\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\Windows\system32\Macromed\Flash\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-04 6:48
ComboFix-quarantined-files.txt 2009-10-04 02:48

Pre-Run: 22 390 919 168 байт свободно
Post-Run: 30 631 124 992 байт свободно