ComboFix 11-03-31.04 - User 01.04.2011 18:03:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2013.1609 [GMT 4:00]
Running from: c:\documents and settings\User\Рабочий стол\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\User\Application Data\Adobe\plugs
c:\documents and settings\User\Application Data\Adobe\plugs\KB51094484.exe
c:\documents and settings\User\Application Data\mchagw.dat
c:\documents and settings\User\Application Data\mdjaw.dat
c:\windows\system32\setup.exe
c:\windows\Sysvxd.exe
.
----- BITS: Possible infected sites -----
.
hxxp://download.yandex.ru
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
c:\windows\system32\proquota.exe . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SVCHOST32
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-04-01 13:28 . 2011-04-01 13:28 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mail.Ru
2011-03-31 11:41 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 14:04 . 2010-12-22 19:18 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2010-12-22 19:18 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2010-12-22 19:18 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2010-12-22 19:18 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2010-12-22 19:18 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 13:55 . 2010-12-22 19:18 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 13:55 . 2010-12-22 19:18 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:54 . 2010-12-22 19:18 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 13:54 . 2010-12-22 19:18 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
------- Sigcheck -------
.
[-] 2008-04-15 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2008-04-15 . E61D16A5D90E3A33844C2AC184592FEC . 509440 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-15 . AC23CF5D73E19F836172C490DB87593A . 634368 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[7] 2008-04-14 . A9CDF92EA1CFFB67448EF26F5DF21A6F . 579072 . . [5.1.2600.5512] . . c:\windows\ResPatch\Backup\user32.dll
.
[-] 2008-04-15 . E28DA858291E48464EF7ED4AF9977F8B . 1034240 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[-] 2008-04-15 . 2F570318793E6C8AAB52700E92A7C105 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aml Maple"="c:\program files\AmlMaple\AmlMaple.exe" [2007-12-18 74240]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-11 132096]
"louderit.exe"="c:\program files\VolumeControl2\LouderIt.exe" [2008-02-19 41472]
"LClock"="c:\program files\LClock\LClock.exe" [2007-12-14 86016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-03-09 62976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-03-30 418816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-25 136192]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"Guard.Mail.ru.gui"="c:\program files\Mail.Ru\Guard\GuardMailRu.exe" [2011-01-01 1041088]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
"Aml Maple"="c:\program files\AmlMaple\AmlMaple.exe" [2007-12-18 74240]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2009-01-11 132096]
"louderit.exe"="c:\program files\VolumeControl2\LouderIt.exe" [2008-02-19 41472]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7_00"="shell32" [X]
"Rebuild Icon Cache"="REBUILDI.EXE" [2009-08-25 278200]
"IE7_01"="advpack.dll" [2008-04-15 124928]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"InternetOpenWith"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"InternetOpenWith"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikHelper.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikFlashPlayer.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [31.03.2011 15:41 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22.12.2010 23:18 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.12.2010 23:18 19544]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [04.11.2010 22:16 129024]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [05.11.2010 0:19 878976]
S2 Guard.Mail.ru;Guard.Mail.ru;c:\program files\Mail.Ru\Guard\GuardMailRu.exe [22.12.2010 23:17 1041088]
S2 gupdate;Служба Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22.12.2010 23:18 136176]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [07.04.2008 15:00 6656]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [04.11.2010 22:29 32256]
S3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [04.11.2010 22:29 41344]
S3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [04.11.2010 22:29 39936]
S3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [04.11.2010 22:29 59776]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:18]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.ru/cnt/7828
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Закачать ВСЕ при помощи Download Master - c:\program files\Download Master\dmieall.htm
IE: Закачать при помощи Download Master - c:\program files\Download Master\dmie.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{EDF7BDB3-F1D6-4b9f-8E93-742A4D9443FC} - c:\program files\MyPlayCity\MyPlayCityBarIE\MyPlayCityBar.dll
Toolbar-ITBar7Position - (no file)
WebBrowser-{EDF7BDB3-F1D6-4b9f-8E93-742A4D9443FC} - c:\program files\MyPlayCity\MyPlayCityBarIE\MyPlayCityBar.dll
HKCU-Run-Ysetoy - c:\windows\icipresa.dll
AddRemove-AstroAvenger_is1 - c:\program files\Realore\AstroAvenger\unins000.exe
AddRemove-Chicken Invaders 2 Christmas Edition demo_is1 - c:\program files\Chicken Invaders 2 Christmas Edition demo\unins000.exe
AddRemove-Czeski Rajd_is1 - d:\start.exe\unins000.exe
AddRemove-Mad Cars_is1 - c:\program files\REALORE\Mad Cars\unins000.exe
AddRemove-Starcars - Demo Version_is1 - c:\program files\Starcars - Demo Version\unins000.exe
AddRemove-Мега Гонки_is1 - c:\program files\MyPlayCity.ru\Мега Гонки\unins000.exe
AddRemove-Смертельная Гонка_is1 - d:\смертельная гонка\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 18:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\program files\VolumeControl2\LHook.dll
c:\program files\LClock\LC.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-01 18:14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 14:14
.
Pre-Run: 1 599 569 920 байт свободно
Post-Run: 1 912 504 320 байт свободно
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect
.
- - End Of File - - CD248BBC7A3B807FEB79572B79F07942