ComboFix 11-01-10.04 - Администратор 19.01.2011 1:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1524.1160 [GMT 2:00]
Running from: c:\documents and settings\Администратор\Рабочий стол\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 - REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\rEdNuht
c:\rednuht\sEliF\Desktop.ini
c:\windows\regedit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.
2011-01-18 22:09 . 2011-01-18 22:09 11264 ----a-w- c:\windows\system32\drivers\uze4nju5.sys
2011-01-18 15:49 . 2011-01-18 15:49 -------- d-----w- c:\program files\trend micro
2011-01-18 15:48 . 2011-01-18 15:49 -------- d-----w- C:\rsit
2011-01-14 21:37 . 2011-01-14 21:37 -------- d-----w- c:\documents and settings\Администратор\Local Settings\Application Data\Opera
2011-01-14 21:37 . 2011-01-14 21:37 -------- d-----w- c:\program files\Opera
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
------- Sigcheck -------

[-] 2009-01-17 . F6AD47C48E30CDEB941A1B620BFA7C02 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-15 . D422B1A1819E2114C491D893923E47CD . 653312 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2008-04-15 . D422B1A1819E2114C491D893923E47CD . 653312 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[-] 2008-04-15 . E20F39C1963D967B0C4BC8111070A8E9 . 875008 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2008-04-15 . E6B912F7F8A0CF27974C12B2C5DE8DF1 . 1007616 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2009-01-06 . A46326FFE00FF90CB9A372B94E571438 . 631808 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-01-06 . 9CA2A8437D6C26D64FCD860A94006401 . 884224 . . [7.00.6000.20935] . . c:\windows\system32\wininet.dll

[-] 2009-01-06 . 62D407BE2A83388EC4B9BF995D5D9BB7 . 1926144 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-11-24 . D00F774793DB80C85E82437E8AEA836E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-11-24 . D00F774793DB80C85E82437E8AEA836E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll

[-] 2009-01-06 . 39711DCE601173989D5631755048C703 . 111104 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2009-01-06 . C5B4D14012A98BFC02CDFA81B8EAD2DB . 2165248 . . [5.1.2600.5657] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-01-06 . C5B4D14012A98BFC02CDFA81B8EAD2DB . 2165248 . . [5.1.2600.5657] . . c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2009-01-05 . CFFB5804D6C42B37941F654DF656DDB6 . 2286592 . . [5.1.2600.5657] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-01-05 . CFFB5804D6C42B37941F654DF656DDB6 . 2286592 . . [5.1.2600.5657] . . c:\windows\system32\dllcache\ntoskrnl.exe

c:\windows\System32\qmgr.dll ... is missing !!
c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-20 139264]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-07 132096]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-11-23 1250304]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-09-11 18717696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-09-26 1122304]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 223768]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 244248]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-26 211480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-01-06 111104]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 139264]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-07 132096]
"Sidebar"="c:\program files\Windows Sidebar\Install.exe" [2008-12-19 338716]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"IE7_012"="advpack.dll" [2009-01-05 124928]

c:\documents and settings\Администратор\Главное меню\Программы\Автозагрузка\
Punto Switcher.lnk - c:\program files\Yandex\Punto Switcher\punto.exe [2009-11-24 831272]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Explorer.EXE"=
"c:\\Program Files\\PC Connectivity Solution\\Transports\\NclIrSrv.exe"=
"c:\\Program Files\\PC Connectivity Solution\\Transports\\NclMSBTSrv.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\PLFSetL.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\PC Connectivity Solution\\Transports\\NclUSBSrv.exe"=
"c:\\WINDOWS\\system32\\ctfmon.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Light Alloy\\LA.exe"=
"c:\\Program Files\\LClock\\lclock.exe"=
"c:\\Documents and Settings\\Администратор\\Рабочий стол\\anti autorun.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24.11.2009 20:49 717296]
R1 uze4nju5;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uze4nju5.sys [19.01.2011 0:09 11264]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [06.12.2010 23:28 222456]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [06.08.2008 2:15 345336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [24.11.2009 22:20 1684736]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\msmni.sys --> c:\windows\system32\drivers\msmni.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [02.11.2010 18:26 100736]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [25.11.2009 1:44 96856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a7441b2-0364-11df-b2a8-001e68b16324}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd629e8-0449-11df-b2a9-001e68b16324}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33f08dec-c5b3-11df-b362-0022690d7f0e}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33f08ded-c5b3-11df-b362-0022690d7f0e}]
\Shell\AutoRun\command - G:\autorun.js
\Shell\explore\Command - WScript.exe .\autorun.js
\Shell\open\Command - WScript.exe .\autorun.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{484834d5-e59e-11df-b395-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48483772-e59e-11df-b395-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51ab65ba-d176-11df-b373-0022690d7f0e}]
\SheLl\AuToplay\COmmand - D:\mkljsx.pif
\SheLl\AutoRun\command - D:\mkljsx.pif
\SheLl\eXplorE\commAnd - D:\mkljsx.pif
\SheLl\opEn\CommaNd - D:\mkljsx.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51ab6788-d176-11df-b373-0022690d7f0e}]
\Shell\AutoRun\command - D:\LAUSGANG///alzamalo.exe
\Shell\explore\command - D:\LAUSGANG///alzamalo.exe
\Shell\open\command - D:\LAUSGANG///alzamalo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6387c1a7-1fc9-11e0-b3c3-0022690d7f0e}]
\Shell\AutoRun\command - d:\rednuht\sEliF\ReDNuHt.exe
\Shell\open\command - d:\rednuht\sEliF\ReDNuHt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3c867c-d964-11de-b278-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3c867d-d964-11de-b278-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ef753e4-fae3-11df-b3b6-0022690d7f0e}]
\Shell\AutoRun\command - d:\rednuht\sEliF\ReDNuHt.exe
\Shell\open\command - d:\rednuht\sEliF\ReDNuHt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82cd757a-c969-11df-b366-0022690d7f0e}]
\Shell\AUTOpLAY\Command - D:\ifonim.pif
\Shell\AutoRun\command - D:\ifonim.pif
\Shell\explorE\cOMMand - D:\ifonim.pif
\Shell\opEN\cOmMand - D:\ifonim.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9fe2b6-de94-11df-b38b-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab9fe2c3-de94-11df-b38b-0022690d7f0e}]
\sHelL\AutoplaY\comManD - D:\nrrn.exe
\sHelL\AutoRun\command - D:\nrrn.exe
\sHelL\expLorE\coMmaNd - D:\nrrn.exe
\sHelL\open\coMMaND - D:\nrrn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c609ed7a-d9e6-11de-b27e-001e68b16324}]
\Shell\AutoRun\command - f:\rednuht\sEliF\ReDNuHt.exe
\Shell\open\command - f:\rednuht\sEliF\ReDNuHt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca1dc28c-a468-11df-b340-0022690d7f0e}]
\Shell\AutoRun\command - D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca1dc6a9-a468-11df-b340-0022690d7f0e}]
\shell\AutoRun\command - f:\sejo\\\kalac.exe
\shell\explore\command - f:\sejo\\kalac.exe
\shell\open\command - f:\sejo\\\kalac.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8be8cb2-2c1e-11df-b2df-0022690d7f0e}]
\Shell\AutoRun\command - F1\X1\trx.exe
\Shell\open\command - F1\X1\trx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4c16752-d46a-11df-b37c-0022690d7f0e}]
\shell\AutoPlAy\CoMMANd - D:\wqlpu.pif
\shell\AutoRun\command - D:\wqlpu.pif
\shell\EXPLORe\CoMmANd - D:\wqlpu.pif
\shell\opeN\cOmMaND - D:\wqlpu.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e603f532-e024-11de-b282-001e68b16324}]
\Shell\AutoRun\command - CHK\diske.exe
\Shell\open\command - CHK\diske.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5428a38-c59e-11df-b361-0022690d7f0e}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5428a3f-c59e-11df-b361-0022690d7f0e}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5428a40-c59e-11df-b361-0022690d7f0e}]
\Shell\AutoRun\command - G:\autorun.js
\Shell\explore\Command - WScript.exe .\autorun.js
\Shell\open\Command - WScript.exe .\autorun.js

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5428b97-c59e-11df-b361-0022690d7f0e}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SERVICEHENTECH - c:\rednuht\sEliF\ReDNuHt.exe
HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 01:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\setupapi.dll
.
Completion time: 2011-01-19 01:21:20
ComboFix-quarantined-files.txt 2011-01-18 23:21

Pre-Run: 36 475 904 000 байт свободно
Post-Run: 36 446 253 056 байт свободно

- - End Of File - - EC006773ADDAC38CB3314246FEC550F9