ComboFix 08-09-30.02 - Администратор 2008-10-01 1:39:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.585 [GMT 4:00]
Running from: C:\Documents and Settings\Администратор\Рабочий стол\ComboFix.exe
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Администратор\Cookies\администратор@2o7[1].txt
C:\Documents and Settings\Администратор\Cookies\администратор@specificclick[2].txt
C:\Documents and Settings\Администратор\Cookies\администратор@statcounter[2].txt
C:\Documents and Settings\Администратор\Cookies\администратор@www35.vzw[1].txt
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-10-01 00:36 . 2008-10-01 00:37 d-------- C:\WINDOWS\ERUNT
2008-10-01 00:25 . 2008-10-01 00:52 d-------- C:\SDFix
2008-09-30 20:26 . 2008-09-30 20:32 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 20:26 . 2008-09-30 20:26 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-30 20:26 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-30 20:26 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-30 16:44 . 2008-10-01 01:44 146,354,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-30 16:44 . 2008-10-01 01:41 1,714,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-29 15:58 . 2008-07-08 14:54 148,496 --a------ C:\WINDOWS\system32\drivers\[u]0[/u]9647850.sys
2008-09-28 22:15 . 2008-09-28 22:15 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2008-09-28 17:02 . 2008-09-28 17:22 d-------- C:\Program Files\RegSupreme Pro
2008-09-28 02:45 . C:\Documents and Settings\Администратор\DoctorWeb
2008-09-27 17:41 . 2008-09-27 17:41 d-------- C:\Program Files\Act-3D
2008-09-24 17:55 . 2008-09-24 17:56 d-------- C:\temp\kontrolnaya.ru
2008-09-23 02:07 . 2008-09-23 02:07 d-------- C:\Program Files\Mindjet
2008-09-23 02:07 . 2008-09-23 02:07 d-------- C:\Documents and Settings\All Users\Application Data\Mindjet
2008-09-21 20:02 . 2008-09-28 14:48 d-------- C:\WebServers
2008-09-05 21:57 . 2006-01-13 19:00 3,638 --a------ C:\WINDOWS\Pagelet.ico
2008-09-05 21:56 . 2008-09-05 21:56 d-------- C:\Program Files\SourceTec
2008-09-05 21:56 . 2008-09-05 21:56 d-------- C:\Program Files\Common Files\SourceTec
2008-09-04 18:55 . 2008-09-04 18:55 d-------- C:\Program Files\GlobalSCAPE
2008-09-04 18:20 . 2008-09-04 18:20 d-------- C:\Program Files\Simple FTP Client
2008-08-28 00:38 . 2008-08-28 00:38 d-------- C:\Program Files\Studio V5
2008-08-04 15:10 . 2008-09-25 21:48 d-------- C:\PROMO PACK
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-09-30 20:29 --------- d-----w C:\Program Files\Unlocker
2008-09-30 15:58 --------- d-----w C:\Program Files\Punto Switcher
2008-09-29 13:26 --------- d-----w C:\Program Files\Radmin
2008-09-28 20:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-28 18:27 --------- d-----w C:\Program Files\ACDSee32
2008-09-28 18:26 --------- d-----w C:\Program Files\Download Master
2008-09-28 13:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-28 11:33 --------- d-----w C:\Program Files\Kerish Doctor 2007
2008-09-28 10:52 --------- d-----w C:\Program Files\Your Uninstaller 2006
2008-09-28 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-23 21:59 --------- d-----w C:\Program Files\Hfs
2008-09-09 19:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-06 17:13 --------- d-----w C:\Program Files\Gertrudis Pro 2.2
2008-08-28 15:10 --------- d-----w C:\Program Files\The Logo Creator v5
2008-03-28 13:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2007-10-13 20:18 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-10-13 20:18 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-13 20:18 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101420071015\index.dat
2007-10-13 20:18 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2007-09-16 09:45 578560 5231f1983829611637e9493105e84751 C:\WINDOWS\system32\user32.dll
2008-10-01 00:38 578560 5231f1983829611637e9493105e84751 C:\WINDOWS\system32\dllcache\user32.dll
2007-09-16 10:16 360576 bb4d3a8e6f7eb1d370bc4ad27ab23368 C:\WINDOWS\system32\drivers\tcpip.sys
2007-09-16 10:02 2007040 70318a97031fa153ac28c7524f006290 C:\WINDOWS\system32\ntkrnlpa.exe
2007-09-16 10:01 2127360 4f29685cfb7e8fef2cf1599a05730efc C:\WINDOWS\system32\ntoskrnl.exe
2007-09-16 09:44 1608704 f25d244a1bcd750b2df997541b9c5b51 C:\WINDOWS\explorer.exe
2007-09-16 09:44 30208 a368c82398cfb9fec588116bad461547 C:\WINDOWS\system32\ctfmon.exe
2007-09-16 09:45 80216 fbee8f6463ddd91db250bf718ecc782e C:\WINDOWS\system32\wuauclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 65536]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-13 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-07-13 81920]
"VolumeControl"="C:\program files\VolumeControl\volume.exe" [2003-09-15 36864]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-14 949376]
"nwiz"="nwiz.exe" [2007-07-13 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Punto Switcher"="C:\Program Files\Punto Switcher\ps.exe" [2007-01-25 201728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_012"="advpack.dll" [2007-09-16 C:\WINDOWS\system32\advpack.dll]
"IE7_013"="rebuild.exe" [2007-07-05 C:\WINDOWS\system32\rebuild.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:4899
"4899:UDP"= 4899:UDP:4899u

R1 BC_BFish;BC_BFish;C:\WINDOWS\system32\drivers\BC_BFish.sys [2004-11-25 12747]
R1 BC_DES;BC_DES;C:\WINDOWS\system32\drivers\BC_DES.sys [2004-11-25 18023]
R1 BC_Gost;BC_Gost;C:\WINDOWS\system32\drivers\BC_Gost.sys [2004-11-25 8121]
R1 BC_RIJN;BC_RIJN;C:\WINDOWS\system32\drivers\BC_RIJN.sys [2004-11-25 33369]
R1 BC_TFISH;BC_TFISH;C:\WINDOWS\system32\drivers\BC_TFISH.sys [2004-11-25 19243]
R1 bcbus;BestCrypt bus driver;C:\WINDOWS\system32\DRIVERS\bcbus.sys [2005-06-24 30382]
R1 fsh;fsh;C:\WINDOWS\system32\drivers\fsh.sys [2003-04-18 8448]
R1 is-1TR2Hdrv;is-1TR2Hdrv;C:\WINDOWS\system32\DRIVERS\[u]0[/u]9647850.sys [2008-07-08 14:54 148496]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
R3 mhk;mhk;C:\WINDOWS\system32\drivers\mhk.sys [2002-09-11 6272]
R3 moh;moh;C:\WINDOWS\system32\drivers\moh.sys [2002-09-11 3328]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [ ]
S3 usbprint;Класс принтеров Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 USBSTOR;Драйвер запоминающих устройств для USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys [2004-11-15 88080]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\Program Files\Windows Sidebar\VAIO\.\vshellext.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VistaIcon - C:\Program Files\VistaDriveIcon\VistaDrv.exe
HKLM-Run-UnlockerAssistant - C:\Program Files\Unlocker\UnlockerAssistant.exe
HKU-Default-Run-VistaIcon - C:\Program Files\VistaDriveIcon\VistaDrv.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ru/
O8 -: &Экспорт в Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Advanced Email Extractor - c:\program files\advanced email extractor\aeemsie.dll/page.html
O8 -: Scan link with AEE - c:\program files\advanced email extractor\aeemsie.dll/link.html
O8 -: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
O8 -: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
O8 -: Отправить в 'Ссылки Интернета' - C:\WINDOWS\system\sendurl.htm
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 -: {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
-
O17 -: HKLM\CCS\Interface\{BF0E110F-8F15-41F4-B204-B9D1973758E4}: NameServer = 91.151.197.34,195.135.235.5
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 01:44:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Администратор\Application Data\Skype\pointpro\config.tmp 22504 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Jetico\BestCrypt\BCResident.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-01 1:46:45 - machine was rebooted [Администратор]
ComboFix-quarantined-files.txt 2008-09-30 21:46:41

Pre-Run: 1 950 318 592 байт свободно
Post-Run: 2,179,190,784 байт свободно

178