ComboFix 11-01-29.03 - Admin 31.01.2011 19:42:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1023.532 [GMT 2:00]
Running from: c:\documents and settings\Admin\Рабочий стол\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\Мои документы\GF\Calendars\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\Contacts\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\iPod_Control\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\iPod_Control\Device\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\iPod_Control\iTunes\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\iPod_Control\Music\Desktop_.ini
c:\documents and settings\Admin\Мои документы\GF\Notes\Desktop_.ini
c:\documents and settings\Admin\KTOD.exe
c:\documents and settings\All Users\Главное меню\Программы\VKSaver
c:\documents and settings\All Users\Главное меню\Программы\VKSaver\Readme.txt.lnk
c:\documents and settings\All Users\Главное меню\Программы\VKSaver\Uninstall.lnk
c:\progra~1\QIP\Users\469868~1\RCVDFI~1\397298~1\4DA5~1.exe
c:\program files\VKSaver
c:\program files\VKSaver\Readme.txt
c:\program files\VKSaver\uninstall.exe
c:\windows\system32\Пузыри.scr
d:\миша\program\GP\gaMEplay.exe
c:\windows\regedit.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 )))))))))))))))))))))))))))))))
.
2011-01-27 19:14 . 2011-01-27 19:14 -------- d-----w- c:\documents and settings\Admin\Application Data\HdO Adventure
2011-01-23 23:38 . 2011-01-23 23:38 -------- d-----w- c:\documents and settings\Admin\Application Data\tank-o-box.wrp
2011-01-23 22:59 . 2011-01-23 22:59 -------- d-----w- c:\documents and settings\Admin\Application Data\танчики
2011-01-23 22:59 . 2011-01-23 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2011-01-23 22:58 . 2011-01-27 19:12 -------- d-----w- c:\program files\Alawar
2011-01-06 20:13 . 2011-01-06 20:13 165232 ---ha-w- c:\documents and settings\Admin\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2011-01-06 20:12 . 2011-01-06 20:12 -------- d-----w- c:\program files\Microsoft Virtual PC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 -c--a-w- c:\windows\system32\GPhotos.scr
2010-11-05 12:54 . 2010-11-05 12:21 2386240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1049\ResourceCache.dll
2010-11-05 12:21 . 2010-11-05 12:21 18432 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1049\ResourceCache.dll
2010-11-05 12:21 . 2010-11-05 12:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
.
------- Sigcheck -------
[-] 2009-02-19 . 6A104BA98D99D53AB0C91825CE659FC6 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-02-19 17:17 . 741FBE6EC177F09F49A448DE2FBF8F01 . 855040 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2009-02-19 . 0717E8AF3CD28E24C7A0903BFE60B1B0 . 78360 . . [7.2.6001.788] . . c:\windows\system32\wuauclt.exe
[-] 2009-02-19 . 23B7D3F3F5EC8FEEA75EC381C71CBD5E . 579072 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-02-19 . 8D462CDD4769F07C7A03384436B45C0B . 952832 . . [7.00.6000.20978] . . c:\windows\system32\wininet.dll
[-] 2009-02-19 . DD08EDC9648AFF1E064B2FAF24743BF6 . 1721344 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-02-19 . 8F51D3D08E9FFF9113EFDFA7A7511F2C . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2009-02-19 . 0C03910993057CC8BD5762441F5ABDF6 . 30208 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-12-24 8729864]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\YandexBarIE\yndbar.dll" [2009-12-24 8729864]

[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"Download Master"="c:\program files\Download Master\dmaster.exe" [2007-06-22 3086848]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-06-08 23233576]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"louderit.exe"="c:\program files\louderit\LouderIt.exe" [2008-02-19 41472]
"LClock"="c:\program files\LClock\LClock.exe" [2007-12-14 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"Pragma5"="c:\program files\Trident Software\Pragma\pragma.exe" [2007-09-26 380928]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2009-12-19 819200]
"PEOPLEnet_CCU550"="c:\program files\PEOPLEnet\CCU-550\Bin\CMTNFCM.exe" [2006-05-06 208896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_011"="shell32" [X]
"ZZZZ2_FirstLogonSetting"="advpack.dll" [2009-02-19 124928]
"IE7_012"="advpack.dll" [2009-02-19 124928]

c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Punto Switcher.lnk - c:\program files\Yandex\Punto Switcher\punto.exe [2010-9-28 830248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\vksaver.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6221:TCP"= 6221:TCP:sbhkxn

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14.11.2009 18:15 691696]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23.04.2007 18:08 81688]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [19.08.2010 21:32 33824]
R2 DCService.exe;DCService.exe;c:\documents and settings\All Users\Application Data\DatacardService\DCService.exe [08.05.2010 13:48 229376]
R3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [14.11.2009 19:13 58352]
R3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [14.11.2009 19:13 8304]
R3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [14.11.2009 19:13 93904]
R3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [14.11.2009 19:13 73696]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [13.12.2010 18:40 63616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 13:16 130384]
S2 dmdrag;lgcjmnxx;c:\windows\system32\svchost.exe -k netsvcs [15.04.2008 18:00 14336]
S2 PTsup5;PsViatau;c:\program files\Trident Software\Pragma\PTsup5.exe [16.03.2007 16:59 73728]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Everest\kerneld.wnt [03.10.2010 10:31 27248]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [13.12.2010 18:40 101504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.03.2010 13:16 753504]
S4 MSSQLServerADHelper100;Служба поддержки Active Directory сервера SQL Server;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [21.07.2009 4:44 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [30.03.2009 3:09 239336]
S4 SQLAgent$SQLEXPRESS;Агент SQL Server (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [30.03.2009 3:23 366936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WUAUSERV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dmdrag
.
Contents of the 'Scheduled Tasks' folder

2011-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = hxxp://www.winamp.com/player
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Закачать ВСЕ при помощи Download Master - c:\program files\Download Master\dmieall.htm
IE: Закачать при помощи Download Master - c:\program files\Download Master\dmie.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-1st Calculator - (no file)
HKLM-Run-kav - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
AddRemove-AP Guitar Tuner 1.02 - c:\program files\Audio Phonics
AddRemove-VKSaver - c:\program files\VKSaver\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-31 20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Everest\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmdrag]
"ServiceDll"="c:\windows\system32\huohu.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(556)
c:\windows\system32\SHDOCVW.dll
c:\program files\Yandex\Punto Switcher\pshook.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\program files\louderit\LHook.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\program files\LClock\LC.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\NetLimiter 2 Monitor\nlsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NetLimiter 2 Monitor\NLClient.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-01-31 20:06:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-31 18:06

Pre-Run: 946 475 008 bytes free
Post-Run: 3 308 068 864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /execute /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6E256EF1D1E03FC836E2E30393C608AE
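The entries in a log like this that a responder reads first are the ones under Reg Loading Points and the service list: a non-empty AppInit_DLLs value, the three Security Center override flags, the firewall switched off in the standard profile, a GloballyOpenPorts rule, and a svchost-hosted service whose names carry no meaning, registered into the NetSvcs group with its own ServiceDll. The script below is an added example, not part of the posted log and not a ComboFix feature; it parses those sections and turns them into a review list. SAMPLE_LOG is an excerpt constructed from the log above, re-wrapped one entry per line; the "random-looking name" heuristic (vowel ratio below 0.15 in a name of six or more letters) and its threshold are my own assumptions, and the script reports items to look at, not verdicts.

```python
"""Triage a ComboFix log for defence tampering and odd autostart entries.

Added example, not part of the forum post or of ComboFix. SAMPLE_LOG is a
constructed excerpt of the posted log, one entry per line. The vowel-ratio
heuristic in looks_random() is an assumption chosen for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\vksaver.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6221:TCP"= 6221:TCP:sbhkxn
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14.11.2009 18:15 691696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 13:16 130384]
S2 dmdrag;lgcjmnxx;c:\windows\system32\svchost.exe -k netsvcs [15.04.2008 18:00 14336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Everest\kerneld.wnt [03.10.2010 10:31 27248]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmdrag]
"ServiceDll"="c:\windows\system32\huohu.dll"
"""

# ComboFix service lines: "<R|S><start> name;display;path [date time size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$", re.M)
SC_OVERRIDE = re.compile(r'^"(FirewallOverride|UpdatesOverride|AntiVirusOverride)"=dword:0*1\s*$', re.M)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)
OPEN_PORT = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\1:(\S+)\s*$', re.M)
APPINIT = re.compile(r'^"AppInit_DLLs"=(.+?)\s*$', re.M)


@dataclass
class Finding:
    kind: str
    detail: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: six or more letters with almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.15


def parse_services(log: str) -> list[dict]:
    """Return the R*/S* service entries as dicts in log order."""
    out = []
    for m in SERVICE_RE.finditer(log):
        state, start, name, display, path, meta = m.groups()
        out.append({"state": state, "start": int(start), "name": name.strip(),
                    "display": display.strip(), "path": path.strip(), "meta": meta})
    return out


def service_dll(log: str, name: str) -> str | None:
    """ServiceDll value ComboFix printed for a service key, if present."""
    pat = re.compile(r"\\Services\\" + re.escape(name) + r"\]\s*\n\"ServiceDll\"=\"([^\"]+)\"", re.I)
    m = pat.search(log)
    return m.group(1) if m else None


def check_defense_tampering(log: str) -> list[Finding]:
    found = [Finding("security_center_override", m.group(1)) for m in SC_OVERRIDE.finditer(log)]
    if FIREWALL_OFF.search(log):
        found.append(Finding("firewall_disabled", "EnableFirewall=0 in standard profile"))
    for m in OPEN_PORT.finditer(log):
        note = " (random-looking rule name)" if looks_random(m.group(2)) else ""
        found.append(Finding("open_port", f"{m.group(1)} opened by rule '{m.group(2)}'{note}"))
    return found


def check_autostart(log: str) -> list[Finding]:
    found = [Finding("appinit_dlls", m.group(1)) for m in APPINIT.finditer(log)]
    for svc in parse_services(log):
        hosted = re.search(r"\\svchost\.exe\b", svc["path"], re.I) is not None
        if hosted and (looks_random(svc["display"]) or looks_random(svc["name"])):
            dll = service_dll(log, svc["name"]) or "<ServiceDll not in log>"
            found.append(Finding("svchost_service",
                                 f"{svc['name']} ('{svc['display']}') start={svc['start']} dll={dll}"))
    return found


def triage(log: str) -> list[Finding]:
    """All findings, tampering first, then autostart."""
    return check_defense_tampering(log) + check_autostart(log)


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"[{item.kind}] {item.detail}")
```

On the sample it lists the three Security Center overrides, the disabled firewall, the 6221/TCP rule with its vowel-less name, the AppInit_DLLs entry and the svchost-hosted dmdrag service together with the ServiceDll ComboFix printed for it. Run the same functions over a full log by reading the file into `triage()`; everything reported still needs a look at the file itself (signature, hash, timestamps) before it is treated as malicious.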