ComboFix 10-06-11.01 - Рома 12.06.2010 16:51:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1023.603 [GMT 3:00]
Running from: c:\documents and settings\Рома\Рабочий стол\combo-fix.exe.exe
Command switches used :: c:\documents and settings\Рома\Рабочий стол\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://soft.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.
2010-06-12 12:54 . 2010-06-12 12:54 -------- d-----w- C:\rsit
2010-06-12 12:46 . 2010-06-12 12:54 -------- d-----w- c:\program files\trend micro
2010-06-12 11:08 . 2010-06-12 11:08 -------- d--h--w- c:\windows\PIF
2010-06-12 11:00 . 2008-04-14 16:10 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-06-12 10:54 . 2010-06-12 10:54 -------- d-----w- c:\documents and settings\LocalService\Рабочий стол
2010-06-12 07:53 . 2010-06-12 07:53 -------- d-----w- c:\documents and settings\Рома\DoctorWeb
2010-06-12 07:50 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-12 07:50 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-12 07:50 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-12 07:50 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-12 07:50 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-12 07:50 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-12 07:50 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-12 07:50 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-12 07:50 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-12 07:49 . 2010-06-12 07:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-12 07:35 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-06-12 07:35 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-06-12 07:35 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2010-06-12 07:35 . 2010-06-12 07:49 -------- d-----w- c:\program files\Alwil Software
2010-06-11 23:56 . 2010-06-12 13:17 -------- d-----w- c:\program files\CCleaner
2010-06-11 23:27 . 2010-06-11 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AltrixSoft
2010-06-11 23:27 . 2010-06-11 23:27 -------- d-----w- c:\program files\Hard Drive Inspector
2010-06-11 23:27 . 2010-06-11 23:27 -------- d-----w- c:\program files\Common Files\AltrixSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 22:24 . 2004-08-18 12:00 84082 ----a-w- c:\windows\system32\perfc019.dat
2010-06-11 22:24 . 2004-08-18 12:00 484362 ----a-w- c:\windows\system32\perfh019.dat
2010-06-11 22:15 . 2010-06-11 22:15 -------- d-----w- c:\program files\Agnitum
2010-06-11 22:14 . 2010-06-11 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2010-06-11 22:02 . 2010-06-11 22:02 13104 ----a-w- c:\documents and settings\Рома\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 22:01 . 2010-06-11 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-06-11 22:01 . 2010-06-11 22:01 -------- d-----w- c:\documents and settings\Рома\Application Data\ATI
2010-06-11 22:01 . 2010-06-11 22:01 0 ----a-w- c:\windows\ativpsrm.bin
2010-06-11 21:56 . 2010-06-11 21:56 -------- d-----w- c:\program files\My Company Name
2010-06-11 21:55 . 2010-06-11 21:51 -------- d-----w- c:\program files\ATI Technologies
2010-06-11 21:53 . 2010-06-11 19:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-11 21:53 . 2010-06-11 21:53 9158 ----a-r- c:\documents and settings\Рома\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-06-11 21:53 . 2010-06-11 21:53 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-06-11 21:50 . 2010-06-11 19:55 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-11 21:42 . 2010-06-11 21:42 -------- d-----w- c:\program files\MSBuild
2010-06-11 21:42 . 2010-06-11 21:42 -------- d-----w- c:\program files\Reference Assemblies
2010-06-11 21:40 . 2010-06-11 21:40 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-11 21:28 . 2010-06-11 21:28 -------- d-----w- c:\documents and settings\Рома\Application Data\COWON
2010-06-11 21:28 . 2010-06-11 21:28 -------- d-----w- c:\program files\JetAudio
2010-06-11 21:28 . 2010-06-11 21:28 -------- d-----w- c:\program files\Common Files\COWON
2010-06-11 21:26 . 2010-06-11 21:26 0 ----a-w- c:\windows\nsreg.dat
2010-06-11 20:51 . 2010-06-11 20:51 -------- d-----w- c:\program files\QIP
2010-06-11 20:48 . 2010-06-11 20:48 -------- d-----w- c:\documents and settings\Рома\Application Data\QIP
2010-06-11 20:45 . 2010-06-11 20:45 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-06-11 20:45 . 2010-06-11 20:45 -------- d-----w- c:\documents and settings\Рома\Application Data\TuneUp Software
2010-06-11 20:45 . 2010-06-11 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-05-06 10:35 . 2004-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:09 . 2004-08-18 12:00 1851392 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 13:05 . 2010-06-11 22:15 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2010-04-20 05:32 . 2004-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2010-04-16 16:09 81920 ------w- c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
2010-05-25 05:56 283224 ----a-w- c:\program files\Agnitum\Outpost Firewall Pro\op_shell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-22 17881600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2010-05-25 2814656]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2010-05-25 490760]
"HDInspector.exe"="c:\program files\Hard Drive Inspector\HDInspector.exe" [2010-06-11 3145408]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Рома\Главное меню\Программы\Автозагрузка\
Punto Switcher.lnk - c:\program files\Yandex\Punto Switcher\punto.exe [2010-6-11 831272]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12.06.2010 10:50 164048]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [12.06.2010 1:15 713672]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [12.06.2010 1:15 2023128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12.06.2010 10:50 19024]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [07.05.2010 18:04 1051976]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [12.06.2010 1:15 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [12.06.2010 1:15 267624]
R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [12.06.2010 1:15 31528]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [25.02.2010 11:18 10064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11.06.2010 22:55 1684736]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
TCP: {BDD9EE54-B02B-49CA-A23D-71CD57074492} = 172.16.0.1
FF - ProfilePath - c:\documents and settings\Рома\Application Data\Mozilla\Firefox\Profiles\kok7phfe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ua/firefox

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3240)
c:\windows\system32\WININET.dll
c:\program files\Yandex\Punto Switcher\pshook.dll
c:\program files\Agnitum\Outpost Firewall Pro\op_shell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2010-06-12 16:58:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 13:58

Pre-Run: 32 145 461 248 байт свободно
Post-Run: 32 210 403 328 байт свободно

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect

- - End Of File - - 4191BEAD1A5EE59B7969995D5451B837