-
Attachments: 1
A virus encrypted my files
Please help, the extension is XTBL
And syschek: there's no such thing
And here's the hijack:
[SPOILER][CODE]Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 19:53:52, on 14.01.2015
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
FIREFOX: 34.0.5 (x86 ru)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SafeSurf\safesurf.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\ABBYY\FineReader\11.00\Licensing\CE\NetworkLicenseServer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
C:\windows\system32\svchost.exe
C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
C:\windows\system32\CNAB4RPK.EXE
C:\Program Files\TeamViewer\Version9\TeamViewer.exe
C:\Program Files\TeamViewer\Version9\tv_w32.exe
C:\Program Files\SafeSurf\surfguard.exe
C:\WINDOWS\hh.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Admin\Рабочий стол\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=7e1c4437f9259ec5f9be0f4ead38f2e1&text={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=7e1c4437f9259ec5f9be0f4ead38f2e1&text={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/cnt/10445
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=7e1c4437f9259ec5f9be0f4ead38f2e1&text=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://yamdex.net/?searchid=1&l10n=ru&fromsearch=1&imsid=7e1c4437f9259ec5f9be0f4ead38f2e1&text=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ertaco.com/balls/reenter2.rou
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0633EE93-D776-472f-A0FF-E1416B8B2E3D} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: WebMoneyAdvisor BHO - {E7D2CB77-6E2D-4C1F-B485-D50506B9FA6B} - C:\Program Files\WebMoney Advisor\2.2.4\wmadvisor.dll
O3 - Toolbar: WebMoney Advisor - {405DFEAE-1D2F-4649-BE08-C92313C3E1CE} - C:\Program Files\WebMoney Advisor\2.2.4\wmadvisor.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jsafesurf] C:\Program Files\SafeSurf\safesurf.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [VistaIcon] C:\Program Files\VistaDriveIcon\VistaDrv.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [VistaIcon] C:\Program Files\VistaDriveIcon\VistaDrv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [VistaIcon] C:\Program Files\VistaDriveIcon\VistaDrv.exe (User 'Default user')
O4 - .DEFAULT User Startup: bWlr8jwOycpYmuXfgoH7QVr-jFnDbrIUHmqcVT3yveo=.xtbl (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: &Отправить в OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O9 - Extra button: Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Связанные заметки OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: &Связанные заметки OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Предзагрузчик Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Демон кэша категорий компонентов - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: 2GIS UpdateService (2GISUpdateService) - ООО ДубльГИС - C:\Program Files\2gis\3.0\2GISUpdateService.exe
O23 - Service: ABBYY FineReader 11 CE Licensing Service (ABBYY.Licensing.FineReader.Corporate.11.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReader\11.00\Licensing\CE\NetworkLicenseServer.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: BDSGRTP Service (BDSGRTP) - ????????(??)???? - C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\windows\system32\services.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\windows\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SAMSUNG Mobile Connectivity Service (ss_conn_service) - DEVGURU Co., LTD. - C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\windows\system32\smlogsvc.exe
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
--
End of file - 8931 bytes[/CODE][/SPOILER]
-
Dear [B]Kex17[/B], thank you for contacting our forum!
Help with computer infections on VirusInfo.Info is provided completely free of charge. Helpers will respond to your request as soon as possible. To receive help you need to provide the scan logs from the AVZ and HiJackThis utilities; read more in the [URL="http://virusinfo.info/pravila.html"]rules for submitting a help request[/URL].
If our site turns out to be useful to you and you have the opportunity, please [URL="http://virusinfo.info/content.php?r=113-virusinfo.info-donate"]support the project[/URL].
-
[URL="http://virusinfo.info/showthread.php?t=165835"]Fix[/URL] the following lines in HiJackThis (some of the lines may be missing).
[CODE]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yamdex.net/?searchid=1&l10n=r...ad38f2e1&text=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://yamdex.net/?searchid=1&l10n=r...ad38f2e1&text=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ertaco.com/balls/reenter2.rou
R3 - URLSearchHook: (no name) - {0633EE93-D776-472f-A0FF-E1416B8B2E3D} - (no file)
[/CODE]
[LIST][*]Download [B][URL="http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner"]AdwCleaner (by Xplode)[/URL][/B] and save it to your [B]Desktop[/B].[*]Run it (on [B]Windows Vista/Seven[/B] it must be launched via the right mouse button [B]as administrator[/B]), click the [B]"Scan"[/B] button and wait for the scan to finish.[*]When the scan is complete, the report will be saved at the following location: [B][COLOR="Blue"]C:\AdwCleaner\AdwCleaner[R0].txt[/COLOR][/B].[*]Attach the report to your next message.[/LIST]
Read more in [URL="http://virusinfo.info/showthread.php?t=146192"]this guide[/URL].
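A triage script, added here as an example (it is not the forum's or the helpers' tooling), that applies the rule behind the lines picked out above to HijackThis R0/R1/R3 entries: search keys pointing away from Microsoft's defaults, a populated AutoConfigURL (a remote proxy auto-config script can steer every browser connection), and a URLSearchHook with no backing file. The sample lines are constructed from the log posted in this thread; the DEFAULT_HOSTS set and all function names are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of HijackThis lines modeled on the log posted
# in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://yamdex.net/?searchid=1&text={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/cnt/10445
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yamdex.net/?searchid=1&text=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ertaco.com/balls/reenter2.rou
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0633EE93-D776-472f-A0FF-E1416B8B2E3D} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
"""

# Assumption: hosts that IE's search keys legitimately point to on a stock
# Windows XP install. Any other host in a *search* key is treated as a hijack.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com",
                 "search.msn.com", "www.bing.com"}

# Registry value names that control where searches go. "Start Page" is left
# out on purpose: a changed homepage is a user choice, not a search hijack.
SEARCH_KEYS = {"Default_Search_URL", "Search Page", "SearchAssistant",
               "CustomizeSearch", "SearchURL"}

R_LINE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
R3_LINE = re.compile(r"^R3 - URLSearchHook: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")


def host_of(url):
    """Return the lowercase host of an http(s) URL, or None if it is not one."""
    p = urlparse(url.strip())
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return p.hostname.lower()


def triage_line(line):
    """Classify one HijackThis line. Returns (category, detail) or None."""
    m = R3_LINE.match(line)
    if m:
        # A search hook CLSID whose DLL is gone is a leftover of removed
        # adware and has no legitimate reason to stay registered.
        if m.group("file").strip().lower() == "(no file)":
            return ("orphaned-urlsearchhook", m.group("clsid"))
        return None
    m = R_LINE.match(line)
    if not m:
        return None
    name, value = m.group("name").strip(), m.group("value").strip()
    if name == "AutoConfigURL":
        # On a home PC this should normally be empty; a remote PAC script
        # lets whoever controls it route all browser traffic.
        return ("proxy-autoconfig", value) if value else None
    host = host_of(value)
    if name in SEARCH_KEYS and host is not None and host not in DEFAULT_HOSTS:
        return ("search-hijack", host)
    return None


def triage_log(text):
    """Run triage_line over every non-empty line; keep (category, detail, line)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


def hijacked_hosts(findings):
    """Distinct hosts that search settings were redirected to."""
    return sorted({detail for cat, detail, _ in findings if cat == "search-hijack"})


if __name__ == "__main__":
    for category, detail, line in triage_log(SAMPLE_LOG):
        print(f"[{category}] {detail}\n    {line}")
```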
-
Attachments: 1
Here is the report:
And one more thing, in passing: the browsers I used all the time (Mozilla and Opera) started crashing; I had to download and install Chrome just so I could at least get in touch with you
-
[NOTICE]If the utility hangs during cleaning, perform the cleaning in Safe Mode.[/NOTICE]
[LIST][*]Run [COLOR="Blue"][B]AdwCleaner (by Xplode)[/B][/COLOR] again (on [B]Windows Vista/Seven[/B] it must be launched via the right mouse button [B]as administrator[/B]), click the [B]"Scan"[/B] button.[*]When the scan finishes, uncheck the following lines:
[CODE]
***** [ Службы ] *****
Служба Найдено : KMService
***** [ Файлы / Папки ] *****
Папка Найдено : C:\Documents and Settings\Admin\Local Settings\Application Data\Mail.Ru
Папка Найдено : C:\Documents and Settings\Admin\Local Settings\Application Data\MailRu
Папка Найдено : C:\Program Files\Mail.Ru
Файл Найдено : C:\windows\system32\srvany.exe
[/CODE][*]Click the "[B]Clean[/B]" button (labeled "[B]Очистить[/B]" in the Russian interface) and wait for the removal to finish.[*]When the removal is complete, the report will be saved at the following location: [B][COLOR="Blue"]C:\AdwCleaner\AdwCleaner[S0].txt[/COLOR][/B].[*]Attach the report to your next message[/LIST]
[B]Attention: [COLOR="Red"]A [U]computer reboot[/U] is required for successful removal!!![/COLOR][/B]
Read more in [URL="http://virusinfo.info/showthread.php?t=146192"]this guide[/URL].
-
Attachments: 1
-
Download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/][b]Farbar Recovery Scan Tool[/b][/url] [img]https://www.dropbox.com/s/fv5udu0pse3a82g/FRST_canned.png?dl=1[/img] and save it to your Desktop.
[b]Note[/b]: you must choose the version compatible with your operating system. If you are not sure which version suits your system, download both and try to run them. Only one of them will run on your system.
[list][*]Run the program with a double-click. When the program starts, click [b]Yes[/b] to accept the warning.[*]Make sure that under [b]Optional Scan[/b], [i]"List BCD"[/i] and [i]"Driver MD5"[/i] are checked.[*]Click the [b]Scan[/b] button.[*]When the scan finishes, a report ([b]FRST.txt[/b]) will be created in the same folder the program was run from. Please attach the report to your next message.[*]If the program was run for the first time, a second report ([b]Addition.txt[/b]) will also be created. Please attach it to your next message.[/list]
[img]https://www.dropbox.com/s/bw0sjh213n7646i/FRST.png?dl=1[/img]
-
Attachments: 2
-
[NOTICE]
Run the script in Safe Mode!
[/NOTICE]
[list][*]Copy the text below into Notepad and save the file as [b]fixlist.txt[/b] in the same folder the Farbar Recovery Scan Tool utility was run from:
[code]
CreateRestorePoint:
(百度在线网络技术(北京)有限公司) C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe
HKLM\...\Run: [update] => C:\Documents and Settings\Admin\Application Data\Microsoft\Windows\gupdater.exe [117248 2015-01-15] (Panned)
HKLM\...\Policies\Explorer\Run: [2225777215] => C:\Documents and Settings\All Users\mslmanq.exe [70656 2015-01-15] ( (Resolving))
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1708537768-1409082233-725345543-500 -> {77F2B683-BFE4-4140-A5D5-3004C16E3A8F} URL = http://inet123.ru/?cx=partner-pub-7107628092852806%3Asxiti5-ktqk&cof=FORID%3A10&ie=utf-8&q={searchTerms}&sa=%CF%EE%E8%F1%EA&siteurl=inet123.ru%2F#881
CHR Extension: (Svinorez) - C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kklgjadbechkeoggpekdakichdfhlcdf [2015-01-15]
R2 BDSGRTP; C:\Program Files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe [1940072 2014-12-04] (百度在线网络技术(北京)有限公司)
R1 bd0001; C:\windows\System32\DRIVERS\bd0001.sys [73032 2014-10-17] (Baidu)
R1 bd0004; C:\windows\System32\DRIVERS\bd0004.sys [185672 2014-12-03] (Baidu)
R2 BDArKit; C:\windows\System32\DRIVERS\BDArKit.sys [145224 2014-12-27] (Baidu Technology)
R1 BDMWrench; C:\windows\System32\DRIVERS\BDMWrench.sys [245576 2014-12-21] (Baidu)
R2 BDSafeBrowser; C:\windows\system32\drivers\BDSafeBrowser.sys [67656 2014-12-02] (Baidu)
S1 bd0002; system32\DRIVERS\bd0002.sys [X]
S1 BDEnhanceBoost; system32\DRIVERS\BDEnhanceBoost.sys [X]
2015-01-15 15:56 - 2015-01-15 15:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Baidu
2015-01-13 14:10 - 2015-01-14 10:13 - 00000000 __SHD () C:\Documents and Settings\All Users\Application Data\Windows
2015-01-15 15:55 - 2014-10-07 20:56 - 00000000 ____D () C:\Program Files\Common Files\Baidu
Reboot:
[/code][*]Run FRST, click the [b]Fix[/b] button once and wait. The program will create a log file ([b]Fixlog.txt[/b]). Please attach it to your next message![*]Note that the computer will be [b]rebooted[/b].[/list]
Make new Farbar logs.
-
I started FRST at 7:00; it's 14:00 now. The process is still running. Is that normal? And how much longer do I have to wait? The hard drive is 1 terabyte. The processor is a Core Quad. Maybe I did something wrong? I'm writing from another computer, that one is still busy
-
Are you running the script in Safe Mode?
-
[QUOTE=mike 1;1214485]Are you running the script in Safe Mode?[/QUOTE]
Yes, in Safe Mode
-
Well then, do this
Download ComboFix [url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe]here[/url] and save it to the root of drive C.
1. [color=red]Attention![/color] Be sure to close all browsers and [URL="http://virusinfo.info/showthread.php?t=130828"]temporarily disable your antivirus, firewall and other protective software[/URL]. Do not run other programs while Combofix is working. Combofix may disconnect the internet some time after it starts; do not reconnect the internet until Combofix has finished. If the internet does not come back after Combofix finishes, reboot the computer. Do not click mouse buttons while Combofix is working, as this can cause Combofix to hang.
2. Run [b]combofix.exe[/b]; when the process finishes, copy the text from [b]C:\ComboFix.txt[/b] and paste it into your next message, or zip the file C:\ComboFix.txt and attach it to the message.
Note: If ComboFix does not start, rename combofix.exe, for example to temp.exe
-
[SPOILER]ComboFix 15-01-08.01 - Admin 18.01.2015 9:17.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.3326.2363 [GMT 4:00]
Running from: C:\ComboFix.exe
AV: ESET NOD32 Antivirus 5.2 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\admin\locals~1\temp\kb00066906.exe
c:\documents and settings\Admin\Избранное\KmyKOvpesJ+7zyNki4oTF+eQiEKP296A3nO1oBCWxAk=.xtbl
c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\update.exe
c:\documents and settings\Admin\Application Data\12650675
c:\documents and settings\Admin\Application Data\12650675\svchost.exe
c:\documents and settings\Admin\Application Data\2FCC4E0CC765E9B2.bmp
c:\documents and settings\Admin\Application Data\Microsoft\Windows\gupdater.exe
c:\documents and settings\Admin\Application Data\SQLite3.dll
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\iImpy+Jo-Z5MSLXid5SiT8SVSh1a88Euw2LRH+QfMeY=.xtbl
c:\documents and settings\Admin\Recent\s4ECf6pqrIuZ2PmB4SqHpyZ7AQ4eI9Jdwvs5gOQFbvo=.xtbl
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}\PostBuild.exe
c:\documents and settings\All Users\Application Data\windows
c:\documents and settings\All Users\mslmanq.exe
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\OT2QTOAZLwV1uCyxvgfQYiFINUNCp2LB1-Rdhk97bAE=.xtbl
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\dv0Nwn1yjImS+lZ+lWme38dPer2TQGlxFj-rKdqYr2c=.xtbl
c:\program files\safesurf
c:\program files\safesurf\auth.txt
c:\program files\safesurf\bl.txt
c:\program files\safesurf\block.txt
c:\program files\safesurf\crashes.txt
c:\program files\safesurf\debug.txt
c:\program files\safesurf\dotnetfx.exe
c:\program files\safesurf\f\1\AccessibleMarshal.dll
c:\program files\safesurf\f\1\breakpadinjector.dll
c:\program files\safesurf\f\1\D3DCompiler_43.dll
c:\program files\safesurf\f\1\freebl3.chk
c:\program files\safesurf\f\1\freebl3.dll
c:\program files\safesurf\f\1\gkmedias.dll
c:\program files\safesurf\f\1\IA2Marshal.dll
c:\program files\safesurf\f\1\js-gdb.py
c:\program files\safesurf\f\1\libEGL.dll
c:\program files\safesurf\f\1\libGLESv2.dll
c:\program files\safesurf\f\1\mozalloc.dll
c:\program files\safesurf\f\1\mozglue.dll
c:\program files\safesurf\f\1\mozjs.dll
c:\program files\safesurf\f\1\msvcp100.dll
c:\program files\safesurf\f\1\msvcr100.dll
c:\program files\safesurf\f\1\nss3.dll
c:\program files\safesurf\f\1\nssckbi.dll
c:\program files\safesurf\f\1\nssdbm3.chk
c:\program files\safesurf\f\1\nssdbm3.dll
c:\program files\safesurf\f\1\omni.ja
c:\program files\safesurf\f\1\plugin-container.exe
c:\program files\safesurf\f\1\plugin-hang-ui.exe
c:\program files\safesurf\f\1\plugins\NPSWF32_13_0_0_214.dll
c:\program files\safesurf\f\1\profile\_CACHE_CLEAN_
c:\program files\safesurf\f\1\profile\Cache\_CACHE_001_
c:\program files\safesurf\f\1\profile\Cache\_CACHE_002_
c:\program files\safesurf\f\1\profile\Cache\_CACHE_003_
c:\program files\safesurf\f\1\profile\Cache\_CACHE_MAP_
c:\program files\safesurf\f\1\profile\Cache\1\B4\C8751d01
c:\program files\safesurf\f\1\profile\Cache\2\07\A04FDd01
c:\program files\safesurf\f\1\profile\Cache\3\05\88454d01
c:\program files\safesurf\f\1\profile\Cache\3\84\ECF27d01
c:\program files\safesurf\f\1\profile\Cache\4\59\7BE96d01
c:\program files\safesurf\f\1\profile\Cache\4\D0\A831Bd01
c:\program files\safesurf\f\1\profile\Cache\5\6B\9C337d01
c:\program files\safesurf\f\1\profile\Cache\5\92\3A7B6d01
c:\program files\safesurf\f\1\profile\Cache\7\83\6F61Ed01
c:\program files\safesurf\f\1\profile\Cache\7\ED\463F8d01
c:\program files\safesurf\f\1\profile\Cache\8\CD\FFA82d01
c:\program files\safesurf\f\1\profile\Cache\9\A1\DFEBFd01
c:\program files\safesurf\f\1\profile\Cache\A\80\7AA10d01
c:\program files\safesurf\f\1\profile\Cache\A\96\342F4d01
c:\program files\safesurf\f\1\profile\Cache\A\F4\64147d01
c:\program files\safesurf\f\1\profile\Cache\B\4C\C778Ad01
c:\program files\safesurf\f\1\profile\Cache\B\E0\04EBCd01
c:\program files\safesurf\f\1\profile\Cache\C\B4\29186d01
c:\program files\safesurf\f\1\profile\Cache\C\D3\8E9C9d01
c:\program files\safesurf\f\1\profile\Cache\E\47\A2279d01
c:\program files\safesurf\f\1\profile\Cache\E\51\A6DF2d01
c:\program files\safesurf\f\1\profile\Cache\F\94\5906Fd01
c:\program files\safesurf\f\1\softokn3.chk
c:\program files\safesurf\f\1\softokn3.dll
c:\program files\safesurf\f\1\xul.dll
c:\program files\safesurf\f\bitsurf
c:\program files\safesurf\f\cg.exe
c:\program files\safesurf\f\crashinfo.txt
c:\program files\safesurf\f\jet.exe
c:\program files\safesurf\f\sfa.bin
c:\program files\safesurf\f\sfc.txt
c:\program files\safesurf\f\upcache
c:\program files\safesurf\f\upfilelist
c:\program files\safesurf\fon.jpg
c:\program files\safesurf\geckofx-core.dll
c:\program files\safesurf\geckofx-winforms.dll
c:\program files\safesurf\lastsid.txt
c:\program files\safesurf\log.txt
c:\program files\safesurf\poclbm130302GeForce GTS 250v1w256l4.bin
c:\program files\safesurf\poclbm130302GeForce GTX 650gv1w256l4.bin
c:\program files\safesurf\prevsid.txt
c:\program files\safesurf\prtest.exe
c:\program files\safesurf\SafeSurf ABUSE README.txt
c:\program files\SafeSurf\safesurf.exe
c:\program files\safesurf\sf.txt
c:\program files\safesurf\Skybound.Gecko.dll
c:\program files\safesurf\SurfGuard.exe
c:\program files\safesurf\unins000.dat
c:\program files\safesurf\unins000.exe
c:\windows\system32\Пузыри.scr
c:\windows\system32\wordpad.exe
E:\install.exe
E:\setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BD0001
-------\Legacy_BD0002
-------\Service_bd0001
-------\Service_bd0002
.
.
((((((((((((((((((((((((( Files Created from 2014-12-18 to 2015-01-18 )))))))))))))))))))))))))))))))
.
.
2015-01-15 15:43 . 2015-01-15 15:45 -------- d-----w- C:\FRST
2015-01-15 11:56 . 2015-01-15 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Baidu
2015-01-15 05:48 . 2015-01-15 11:55 -------- d-----w- C:\AdwCleaner
2015-01-15 04:08 . 2015-01-15 04:08 -------- d-sh--w- c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO
2015-01-14 16:51 . 2015-01-14 16:51 5013680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-01-13 12:55 . 2015-01-13 12:55 -------- d--h--w- c:\windows\$hf_mig$
2015-01-08 19:02 . 2014-06-16 06:01 184192 ----a-w- c:\windows\system32\drivers\ssudserd.sys
2015-01-08 19:02 . 2014-06-16 06:01 184192 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2015-01-08 19:02 . 2014-06-16 06:01 89856 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2015-01-08 19:02 . 2014-06-16 06:01 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2015-01-08 17:59 . 2012-01-11 19:07 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2015-01-08 17:59 . 2012-01-11 19:07 3072 ------w- c:\windows\system32\iacenc.dll
2015-01-08 17:32 . 2015-01-08 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung
2015-01-08 17:00 . 2015-01-13 14:54 -------- d-----w- C:\WinSetupFromUSB
2015-01-08 05:18 . 2015-01-08 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2014-12-25 07:45 . 2014-12-25 07:45 -------- d-----w- c:\documents and settings\Admin\Application Data\WebMoneyAdvisor
2014-12-25 07:45 . 2014-12-25 07:45 -------- d-----w- c:\program files\WebMoney Agent
2014-12-25 07:44 . 2014-12-25 07:45 -------- d-----w- c:\program files\WebMoney
2014-12-25 07:43 . 2015-01-15 06:12 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2014-12-20 05:37 . 2015-01-15 06:07 -------- d-----w- c:\program files\Mozilla Maintenance Service
2014-12-19 11:37 . 2014-12-19 11:37 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\game_release
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-14 16:51 . 2013-12-21 14:13 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-01-14 16:51 . 2013-12-21 14:13 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-12-27 01:40 . 2014-12-04 14:23 145224 ----a-w- c:\windows\system32\drivers\BDArKit.sys
2014-12-21 10:42 . 2014-12-05 02:50 245576 ----a-w- c:\windows\system32\drivers\BDMWrench.sys
2014-12-03 13:03 . 2014-10-07 17:01 185672 ----a-w- c:\windows\system32\drivers\bd0004.sys
2014-12-02 07:59 . 2014-10-07 17:01 67656 ----a-w- c:\windows\system32\drivers\BDSafeBrowser.sys
2010-12-20 14:08 . 2014-04-23 07:12 77648 ----a-w- c:\program files\mbamext.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-15 . B8F35C9F3938FCF8131E64918D2D447E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\e54644597fb5ba29bf4a386b93c95aec\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\e54644597fb5ba29bf4a386b93c95aec\SP3GDR\tcpip.sys
.
[-] 2011-03-15 12:37 . D642709203ADC066E35350591E4FD9C0 . 855040 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2011-03-15 . 23B7D3F3F5EC8FEEA75EC381C71CBD5E . 579072 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2014-03-06 . E230193CC66982F0423384022BC96AF0 . 920064 . . [8.00.6001.23580] . . c:\windows\SoftwareDistribution\Download\5aa932222a68edb219a960afe7d16b41\SP3QFE\wininet.dll
[-] 2011-03-15 . ABD6BEB53BD656A6013CE62583C449EA . 1044480 . . [8.00.6001.23111] . . c:\windows\system32\wininet.dll
.
[-] 2011-03-15 . 6C16E975F7186845FA5A9A7DC449A152 . 226816 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2011-03-15 . 8494518476E9E4E0CB49D69FA09CD65E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase0Sync]
@="{63D48440-63AB-44D0-B323-4731DFCDE9E9}"
[HKEY_CLASSES_ROOT\CLSID\{63D48440-63AB-44D0-B323-4731DFCDE9E9}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase1Modified]
@="{7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0}"
[HKEY_CLASSES_ROOT\CLSID\{7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase2Error]
@="{FB2FE984-05F5-4512-9D9B-69D3DE61F6D9}"
[HKEY_CLASSES_ROOT\CLSID\{FB2FE984-05F5-4512-9D9B-69D3DE61F6D9}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase3Shared]
@="{AF8D197E-7022-4c3d-BD88-68AD35C9C169}"
[HKEY_CLASSES_ROOT\CLSID\{AF8D197E-7022-4c3d-BD88-68AD35C9C169}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2012-11-27 1726976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-11-16 3117384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-15 15668512]
"skytel.exe"="c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO\skytel.exe" [2008-04-15 118272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\Default User\Главное меню\Программы\Автозагрузка\
bWlr8jwOycpYmuXfgoH7QVr-jFnDbrIUHmqcVT3yveo=.xtbl [2015-1-13 480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^Behold TV.lnk]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\Behold TV.lnk
backup=c:\windows\pss\Behold TV.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl
backup=c:\windows\pss\Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtblStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^ProfitTaskMonitor.lnk]
backup=c:\windows\pss\ProfitTaskMonitor.lnkStartup
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\ProfitTaskMonitor.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^System Check.lnk]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\System Check.lnk
backup=c:\windows\pss\System Check.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtbl]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtbl
backup=c:\windows\pss\Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtblCommon Startup
.
[HKLM\~\startupfolder\C:^Program Files^ProfitTask^ProfitTaskMonitor.exe]
backup=c:\program files\ProfitTask\ProfitTaskMonitor.exe\pss\ProfitTaskMonitor.lnk.Startup
path=c:\program files\ProfitTask\ProfitTaskMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell22]
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\531RRGKQ\su2f[1] [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2Gis Update Notifier]
2014-12-18 17:40 4582936 ----a-w- c:\program files\2gis\3.0\2GISTrayNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 00:44 500208 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 11:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-15 13:00 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Coin Miner]
2015-01-12 13:19 15613824 ----a-w- c:\program files\CoinMiner\coinminer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-03-15 02:57 15668512 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-03-15 02:57 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nvtmru]
2013-11-08 20:49 1028384 ----a-w- c:\program files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDisp]
2013-06-25 09:44 877568 ----a-w- c:\windows\system32\PrintDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-12 11:10 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2012-11-27 21:01 1726976 ----a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2014-07-24 14:26 21650016 ------w- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 06:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SyncManPath]
2014-08-27 20:27 17281312 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDisk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Antivirus]
2011-02-01 00:08 623520 ----a-w- c:\program files\USB Disk Security\USBGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-17 12:37 399736 ----a-w- c:\program files\uTorrent\utorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaIcon]
2008-01-02 10:52 132096 ----a-w- c:\program files\VistaDriveIcon\VistaDrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmagent.exe]
2009-10-19 11:47 210400 ----a-w- c:\program files\WebMoney Agent\wmagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Agent"=2 (0x2)
"MSDTC"=3 (0x3)
"Printer Control"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"srservice"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 bd0004;bd0004;c:\windows\system32\drivers\bd0004.sys [07.10.2014 21:01 185672]
R1 BDMWrench;BDMWrench;c:\windows\system32\drivers\BDMWrench.sys [05.12.2014 6:50 245576]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.03.2012 7:40 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.03.2012 7:40 104160]
R2 ABBYY.Licensing.FineReader.Corporate.11.0;ABBYY FineReader 11 CE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\11.00\Licensing\CE\NetworkLicenseServer.exe [18.08.2011 16:47 819976]
R2 BDArKit;BDArKit;c:\windows\system32\drivers\BDArKit.sys [04.12.2014 18:23 145224]
R2 BDSGRTP;BDSGRTP Service;c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe [05.12.2014 14:02 1940072]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16.11.2012 14:24 913184]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [03.04.2014 20:21 315008]
R2 ss_conn_service;SAMSUNG Mobile Connectivity Service;c:\program files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [08.01.2015 23:02 741640]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [22.04.2014 9:40 4799760]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [08.01.2015 23:02 89856]
R3 SAA713x;Behold TV WDM Capture (SAA713x);c:\windows\system32\drivers\saa713x.sys [17.12.2013 13:21 279552]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [08.01.2015 23:02 184192]
R3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudserd.sys [08.01.2015 23:02 184192]
S1 BDEnhanceBoost;BDEnhanceBoost;c:\windows\system32\DRIVERS\BDEnhanceBoost.sys --> c:\windows\system32\DRIVERS\BDEnhanceBoost.sys [?]
S2 BDSafeBrowser;BDSafeBrowser;c:\windows\system32\drivers\BDSafeBrowser.sys [07.10.2014 21:01 67656]
S2 KMService;KMService;c:\windows\system32\srvany.exe [17.12.2013 15:15 8192]
S3 2GISUpdateService;2GIS UpdateService;c:\program files\2gis\3.0\2GISUpdateService.exe [18.12.2014 21:40 3764760]
S3 4587704161521984;4587704161521984;\??\c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys --> c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys [?]
S3 458770516902D884;458770516902D884;\??\c:\documents and settings\admin\local settings\temp\5AC1FA511.sys --> c:\documents and settings\admin\local settings\temp\5AC1FA511.sys [?]
S3 45877F66D17C7F04;45877F66D17C7F04;\??\c:\documents and settings\admin\local settings\temp\30FC3BD06.sys --> c:\documents and settings\admin\local settings\temp\30FC3BD06.sys [?]
S3 4598BA4FF70D0BA2;4598BA4FF70D0BA2;\??\c:\documents and settings\admin\local settings\temp\72129873.sys --> c:\documents and settings\admin\local settings\temp\72129873.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [17.12.2013 13:43 1684736]
S3 eapihdrv;eapihdrv;\??\c:\docume~1\Admin\LOCALS~1\Temp\ehdrv.sys --> c:\docume~1\Admin\LOCALS~1\Temp\ehdrv.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 zte_ecm_enum_filter;zte_ecm_enum_filter;c:\windows\system32\DRIVERS\zte_ecm_enum_filter.sys --> c:\windows\system32\DRIVERS\zte_ecm_enum_filter.sys [?]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [13.05.2014 18:01 200704]
S4 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [11.11.2014 20:08 102400]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-01-15 07:04 1087816 ----a-w- c:\program files\Google\Chrome\Application\39.0.2171.99\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-21 16:51]
.
2015-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-15 07:04]
.
2015-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-15 07:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.ru/cnt/10445
uDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.Google.com/
IE: &Отправить в OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 92.39.136.130 8.8.8.8
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\kwmsvgwf.default-1421337993328\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-ITBar7Position - (no file)
HKLM-Run-jsafesurf - c:\program files\SafeSurf\safesurf.exe
c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\AutorunsDisabled\winupdate.lnk - c:\documents and settings\Admin\Local Settings\Application Data\Microsoft\Windows\winupdate.exe /app 0A98F6B5D98732C4A93EB5423FE0CC9D
Notify-WgaLogon - (no file)
MSConfigStartUp-Client Server Runtime Subsystem - c:\documents and settings\All Users\Application Data\Windows\csrss.exe
MSConfigStartUp-explorer - c:\docume~1\Admin\LOCALS~1\Temp\324A.tmp
MSConfigStartUp-jsafesurf - c:\program files\SafeSurf\safesurf.exe
AddRemove-HashTab 4.0.0.2 - c:\windows\system32\Uninstall.exe
AddRemove-JetSwap SafeSurf_is1 - c:\program files\SafeSurf\unins000.exe
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\SAMSUNG\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\SAMSUNG\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2015-01-18 09:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\.Default\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\AppGPFault\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\CCSelect\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Close\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceConnect\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceFail\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\InternetAlert\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MailBeep\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Maximize\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MenuCommand\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MenuPopup\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Minimize\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Open\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\PrintComplete\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\RestoreDown\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\RestoreUp\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\ShowBand\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemAsterisk\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemExclamation\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemExit\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemHand\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemNotification\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemQuestion\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemStart\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\WindowsLogoff\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\WindowsLogon\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\BlockedPopup\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\FeedDiscovered\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\MoveMenuItem\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\Navigating\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\SecurityBand\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiDeleteObject\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiMiscue\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiTaskButton\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Names\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="Хуй"
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,fd,6c,7e,43,00,8b,4a,98,48,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,fd,6c,7e,43,00,8b,4a,98,48,8f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\cscui.dll
.
- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~1\Office14\1049\GrooveIntlResource.dll
c:\windows\System32\cscui.dll
c:\program files\Atomic Alarm Clock\Clock.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wudfhost.exe
c:\program files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CNAB4RPK.EXE
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
.
**************************************************************************
.
Completion time: 2015-01-18 09:27:16 - machine was rebooted
ComboFix-quarantined-files.txt 2015-01-18 05:27
.
Pre-Run: 25,211,592,704 bytes free
Post-Run: 25,702,121,472 bytes free
.
- - End Of File - - E16887874D38425F1E088BA2213AF478
8F558EB6672622401DA993E1E865C861[/SPOILER]
-
Copy the text below into Notepad and [COLOR="#0000CD"]save[/COLOR] it as a file named [B]CFScript.txt[/B] [COLOR="#0000CD"][B]in the root of drive C.[/B][/COLOR]
[code]
KillAll::
File::
c:\windows\system32\drivers\bd0004.sys
c:\windows\system32\drivers\BDMWrench.sys
c:\windows\system32\DRIVERS\BDEnhanceBoost.sys
c:\windows\system32\drivers\BDSafeBrowser.sys
Driver::
bd0004
BDMWrench
BDArKit
BDSGRTP
BDEnhanceBoost
BDSafeBrowser
Folder::
c:\documents and settings\All Users\Application Data\Baidu
c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO
c:\program files\Common Files\Baidu
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^System Check.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell22]
FileLook::
DirLook::
Reboot::
[/code]
After saving, drag [B]CFScript.txt[/B] onto the ComboFix.exe icon.
[IMG]http://savepic.org/5315621m.gif[/IMG]
When the new [B]ComboFix.txt[/B] report has been saved, attach it to your message.
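As an added example (not part of this thread, and not the helper's method or ComboFix's own code), the script below automates the kind of first-pass triage a reader can do by hand on the ComboFix log posted above. It parses autostart and service/driver lines and flags four things that stand out in that log: an encrypted `.xtbl` artifact sitting in a Startup folder, autostart or driver targets living under Temp or Temporary Internet Files, services whose name is 16 random hex digits, and core Windows binary names (csrss.exe, explorer.exe, ...) outside `c:\windows\`. The sample lines are a constructed subset copied from the log above; the reading of a trailing `[X]` or `[?]` as ComboFix's "target file not found" marker is my assumption about the tool's output format, and the heuristics are generic: a flagged line deserves a look, an unflagged line proves nothing.

```python
"""Triage ComboFix-style autostart and service lines for persistence clues.

Added example, not part of the forum thread. Heuristics only.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell22]
c:\documents and settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\531RRGKQ\su2f[1] [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
S3 4587704161521984;4587704161521984;\??\c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys --> c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys [?]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16.11.2012 14:24 913184]
MSConfigStartUp-Client Server Runtime Subsystem - c:\documents and settings\All Users\Application Data\Windows\csrss.exe
MSConfigStartUp-explorer - c:\docume~1\Admin\LOCALS~1\Temp\324A.tmp
"""

# Directories from which no legitimate autostart entry or driver should load.
TEMP_DIRS = ("\\local settings\\temp\\", "\\locals~1\\temp\\", "\\temporary internet files\\")
# Core Windows binary names; found outside c:\windows\ they are a masquerade.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe"}
# ComboFix service/driver lines look like "<R|S><0-4> <name>;<display name>;<image path> ...".
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);")
# First drive-letter path on the line, up to end of line.
PATH_RE = re.compile(r"(?i)([a-z]:\\.*)$")
# Assumption: a trailing [X] or [?] is ComboFix's marker for a target it could not find on disk.
MISSING_RE = re.compile(r"\[[X?]\]\s*$")


def extract_path(line: str) -> Optional[str]:
    """Return the (lower-cased) image path from a ComboFix line, or None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(1)
    # Services whose file is absent are printed as "<path> --> <path> [?]"; keep the first copy.
    path = path.split(" --> ")[0]
    # Drop trailing "[X]" or "[dd.mm.yyyy hh:mm size]" annotations (but not "[1]" inside a name).
    path = re.sub(r"\s+\[[^\]]*\]\s*$", "", path)
    return path.strip().lower()


def classify(line: str) -> List[str]:
    """Return the list of heuristic findings for one log line (empty if nothing stands out)."""
    findings: List[str] = []
    svc = SERVICE_RE.match(line)
    if svc and re.fullmatch(r"[0-9a-f]{16}", svc.group(1), re.I):
        findings.append("random-hex service name")
    path = extract_path(line)
    if path is None:
        return findings
    if path.endswith(".xtbl"):
        findings.append("encrypted (.xtbl) artifact in autostart")
    if any(t in path for t in TEMP_DIRS):
        findings.append("autostart/service target in a temp directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        findings.append("system binary name outside the Windows directory")
    if MISSING_RE.search(line):
        findings.append("target file not found (ComboFix [X]/[?] marker)")
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged line of a ComboFix log to its findings."""
    report: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hits = classify(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for flagged, hits in triage(SAMPLE_LOG).items():
        print(flagged)
        for h in hits:
            print("    ->", h)
```

Run it against a full ComboFix.txt with `triage(open("ComboFix.txt", encoding="cp1251", errors="replace").read())`; the registry key header lines produce no path and are skipped, so only lines carrying an image path are judged. The Temp-directory and masquerade checks are deliberately path-based rather than name-based, because a .tmp or a random hex name tells you nothing on its own, while a driver loading from a user's Temp folder is abnormal regardless of what it is called.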
-
[SPOILER]ComboFix 15-01-18.01 - Admin 18.01.2015 15:04:59.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.3326.2296 [GMT 4:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: ESET NOD32 Antivirus 5.2 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\system32\drivers\bd0004.sys"
"c:\windows\system32\DRIVERS\BDEnhanceBoost.sys"
"c:\windows\system32\drivers\BDMWrench.sys"
"c:\windows\system32\drivers\BDSafeBrowser.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO
c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO\skytel.exe
c:\documents and settings\All Users\Application Data\Baidu
c:\documents and settings\All Users\Application Data\Baidu\BDSG\Config\4401.dat
c:\documents and settings\All Users\Application Data\Baidu\BDSG\Config\4402.dat
c:\documents and settings\All Users\Application Data\Baidu\BDSG\Config\812.dat
c:\documents and settings\All Users\Application Data\Baidu\Common\Global.db
c:\program files\Common Files\Baidu
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\7z.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\ad.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\app.ico
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BaiduProtect.exe
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\bc.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\bc.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDKitUtils.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDLogicUtils.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDMDownload.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDMNet.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDMReport.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\bdsg0001.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\BDSGBugRpt.exe
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Data\apps.db
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Data\cache.db
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Data\kv.db
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dnw.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\DriverManager.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\drivers\bd0001.sys
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\drivers\bd0004.sys
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\drivers\BDArKit.sys
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\drivers\BDMWrench.sys
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\drivers\BDSafeBrowser.sys
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\{32C6ED7B-43E9-429C-8091-7A23AF5F29AC}_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\{466DECC0-8683-4CEC-A037-3E5E07CA24F4}_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\{A84385C9-874A-41D5-AB44-D12351EB5BFF}_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\{CD5A0F19-E9A1-4A44-8AC0-9DAA7808795A}_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\ArKit.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\AssistReport\config.dat
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\AssistReportPlugin.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\BDSGRtpDyn_ContainerConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\BDSGRtpDyn_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\DTipsPlugin_1.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\FileUpdatePlugin.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\FixSePlugin.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\HostPlugin.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\HostPlugin\config.dat
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.ATL\atl80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\dynplugins\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\fileverify.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\hips.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.ATL\atl80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\BaiduRepair.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\BDSGRtp_ContainerConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\BDSGRtp_PluginConfig.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\HIPS.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.ATL\atl80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\plugins\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\safebrowser.xml
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\SafeBrowserDll.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\SafeBrowserHelper.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\SafeExplorer.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\SafeExplorer_x64.dll
c:\program files\Common Files\Baidu\BaiduProtect1.3\1.3.0.645\uninst.exe
c:\program files\safesurf
c:\program files\safesurf\dotnetfx.exe
c:\program files\safesurf\f\cg.exe
c:\program files\safesurf\f\jet.exe
c:\program files\safesurf\fon.jpg
c:\program files\safesurf\PrTest.exe
c:\program files\safesurf\safesurf.exe
c:\program files\safesurf\sf.txt
c:\program files\safesurf\Skybound.Gecko.dll
c:\program files\safesurf\SurfGuard.exe
c:\program files\safesurf\unins000.dat
c:\program files\safesurf\unins000.exe
c:\windows\system32\drivers\bd0004.sys
c:\windows\system32\drivers\BDMWrench.sys
c:\windows\system32\drivers\BDSafeBrowser.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BD0001
-------\Legacy_BD0004
-------\Legacy_BDARKIT
-------\Legacy_BDENHANCEBOOST
-------\Legacy_BDMWRENCH
-------\Legacy_BDSAFEBROWSER
-------\Legacy_BDSGRTP
-------\Service_bd0001
-------\Service_bd0002
-------\Service_bd0004
-------\Service_BDArKit
-------\Service_BDEnhanceBoost
-------\Service_BDMWrench
-------\Service_BDSafeBrowser
-------\Service_BDSGRTP
.
.
((((((((((((((((((((((((( Files Created from 2014-12-18 to 2015-01-18 )))))))))))))))))))))))))))))))
.
.
2015-01-15 15:43 . 2015-01-15 15:45 -------- d-----w- C:\FRST
2015-01-15 05:48 . 2015-01-15 11:55 -------- d-----w- C:\AdwCleaner
2015-01-14 16:51 . 2015-01-14 16:51 5013680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-01-13 12:55 . 2015-01-13 12:55 -------- d--h--w- c:\windows\$hf_mig$
2015-01-08 19:02 . 2014-06-16 06:01 184192 ----a-w- c:\windows\system32\drivers\ssudserd.sys
2015-01-08 19:02 . 2014-06-16 06:01 184192 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2015-01-08 19:02 . 2014-06-16 06:01 89856 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2015-01-08 19:02 . 2014-06-16 06:01 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2015-01-08 17:59 . 2012-01-11 19:07 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2015-01-08 17:59 . 2012-01-11 19:07 3072 ------w- c:\windows\system32\iacenc.dll
2015-01-08 17:32 . 2015-01-08 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung
2015-01-08 17:00 . 2015-01-13 14:54 -------- d-----w- C:\WinSetupFromUSB
2015-01-08 05:18 . 2015-01-08 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2014-12-25 07:45 . 2014-12-25 07:45 -------- d-----w- c:\documents and settings\Admin\Application Data\WebMoneyAdvisor
2014-12-25 07:45 . 2014-12-25 07:45 -------- d-----w- c:\program files\WebMoney Agent
2014-12-25 07:44 . 2014-12-25 07:45 -------- d-----w- c:\program files\WebMoney
2014-12-25 07:43 . 2015-01-15 06:12 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2014-12-20 05:37 . 2015-01-15 06:07 -------- d-----w- c:\program files\Mozilla Maintenance Service
2014-12-19 11:37 . 2014-12-19 11:37 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\game_release
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-14 16:51 . 2013-12-21 14:13 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-01-14 16:51 . 2013-12-21 14:13 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-12-27 01:40 . 2014-12-04 14:23 145224 ----a-w- c:\windows\system32\drivers\BDArKit.sys
2010-12-20 14:08 . 2014-04-23 07:12 77648 ----a-w- c:\program files\mbamext.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-15 . B8F35C9F3938FCF8131E64918D2D447E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\e54644597fb5ba29bf4a386b93c95aec\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\e54644597fb5ba29bf4a386b93c95aec\SP3GDR\tcpip.sys
.
[-] 2011-03-15 12:37 . D642709203ADC066E35350591E4FD9C0 . 855040 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2011-03-15 . 23B7D3F3F5EC8FEEA75EC381C71CBD5E . 579072 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2014-03-06 . E230193CC66982F0423384022BC96AF0 . 920064 . . [8.00.6001.23580] . . c:\windows\SoftwareDistribution\Download\5aa932222a68edb219a960afe7d16b41\SP3QFE\wininet.dll
[-] 2011-03-15 . ABD6BEB53BD656A6013CE62583C449EA . 1044480 . . [8.00.6001.23111] . . c:\windows\system32\wininet.dll
.
[-] 2011-03-15 . 6C16E975F7186845FA5A9A7DC449A152 . 226816 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2011-03-15 . 8494518476E9E4E0CB49D69FA09CD65E . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase0Sync]
@="{63D48440-63AB-44D0-B323-4731DFCDE9E9}"
[HKEY_CLASSES_ROOT\CLSID\{63D48440-63AB-44D0-B323-4731DFCDE9E9}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase1Modified]
@="{7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0}"
[HKEY_CLASSES_ROOT\CLSID\{7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase2Error]
@="{FB2FE984-05F5-4512-9D9B-69D3DE61F6D9}"
[HKEY_CLASSES_ROOT\CLSID\{FB2FE984-05F5-4512-9D9B-69D3DE61F6D9}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0YndCase3Shared]
@="{AF8D197E-7022-4c3d-BD88-68AD35C9C169}"
[HKEY_CLASSES_ROOT\CLSID\{AF8D197E-7022-4c3d-BD88-68AD35C9C169}]
2013-12-17 09:59 1278752 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2012-11-27 1726976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2012-11-16 3117384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-15 15668512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"VistaIcon"="c:\program files\VistaDriveIcon\VistaDrv.exe" [2008-01-02 132096]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\Default User\Главное меню\Программы\Автозагрузка\
bWlr8jwOycpYmuXfgoH7QVr-jFnDbrIUHmqcVT3yveo=.xtbl [2015-1-13 480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^Behold TV.lnk]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\Behold TV.lnk
backup=c:\windows\pss\Behold TV.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl]
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtbl
backup=c:\windows\pss\Nzj4KgKY2omCk6B+aUujj1QHzGTos7EwB7SiOphIa2w=.xtblStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Главное меню^Программы^Автозагрузка^ProfitTaskMonitor.lnk]
backup=c:\windows\pss\ProfitTaskMonitor.lnkStartup
path=c:\documents and settings\Admin\Главное меню\Программы\Автозагрузка\ProfitTaskMonitor.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtbl]
path=c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtbl
backup=c:\windows\pss\Z9qrXLW9Ua12VNBEqLoxC7HEgZpCkW5pi0ng-ULq+T8=.xtblCommon Startup
.
[HKLM\~\startupfolder\C:^Program Files^ProfitTask^ProfitTaskMonitor.exe]
backup=c:\program files\ProfitTask\ProfitTaskMonitor.exe\pss\ProfitTaskMonitor.lnk.Startup
path=c:\program files\ProfitTask\ProfitTaskMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2Gis Update Notifier]
2014-12-18 17:40 4582936 ----a-w- c:\program files\2gis\3.0\2GISTrayNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 00:44 500208 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 11:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-15 13:00 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Coin Miner]
2015-01-12 13:19 15613824 ----a-w- c:\program files\CoinMiner\coinminer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-15 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-03-15 02:57 15668512 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-03-15 02:57 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nvtmru]
2013-11-08 20:49 1028384 ----a-w- c:\program files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDisp]
2013-06-25 09:44 877568 ----a-w- c:\windows\system32\PrintDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-12 11:10 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2012-11-27 21:01 1726976 ----a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2014-07-24 14:26 21650016 ------w- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 06:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SyncManPath]
2014-08-27 20:27 17281312 ----a-w- c:\program files\Yandex\YandexDisk\bin\YandexDisk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Antivirus]
2011-02-01 00:08 623520 ----a-w- c:\program files\USB Disk Security\USBGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-17 12:37 399736 ----a-w- c:\program files\uTorrent\utorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaIcon]
2008-01-02 10:52 132096 ----a-w- c:\program files\VistaDriveIcon\VistaDrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmagent.exe]
2009-10-19 11:47 210400 ----a-w- c:\program files\WebMoney Agent\wmagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Agent"=2 (0x2)
"MSDTC"=3 (0x3)
"Printer Control"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"srservice"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.03.2012 7:40 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.03.2012 7:40 104160]
R2 ABBYY.Licensing.FineReader.Corporate.11.0;ABBYY FineReader 11 CE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\11.00\Licensing\CE\NetworkLicenseServer.exe [18.08.2011 16:47 819976]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16.11.2012 14:24 913184]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [03.04.2014 20:21 315008]
R2 ss_conn_service;SAMSUNG Mobile Connectivity Service;c:\program files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [08.01.2015 23:02 741640]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [22.04.2014 9:40 4799760]
R3 SAA713x;Behold TV WDM Capture (SAA713x);c:\windows\system32\drivers\saa713x.sys [17.12.2013 13:21 279552]
S2 KMService;KMService;c:\windows\system32\srvany.exe [17.12.2013 15:15 8192]
S3 2GISUpdateService;2GIS UpdateService;c:\program files\2gis\3.0\2GISUpdateService.exe [18.12.2014 21:40 3764760]
S3 4587704161521984;4587704161521984;\??\c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys --> c:\documents and settings\admin\local settings\temp\11A7A9CC4.sys [?]
S3 458770516902D884;458770516902D884;\??\c:\documents and settings\admin\local settings\temp\5AC1FA511.sys --> c:\documents and settings\admin\local settings\temp\5AC1FA511.sys [?]
S3 45877F66D17C7F04;45877F66D17C7F04;\??\c:\documents and settings\admin\local settings\temp\30FC3BD06.sys --> c:\documents and settings\admin\local settings\temp\30FC3BD06.sys [?]
S3 4598BA4FF70D0BA2;4598BA4FF70D0BA2;\??\c:\documents and settings\admin\local settings\temp\72129873.sys --> c:\documents and settings\admin\local settings\temp\72129873.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [17.12.2013 13:43 1684736]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [08.01.2015 23:02 89856]
S3 eapihdrv;eapihdrv;\??\c:\docume~1\Admin\LOCALS~1\Temp\ehdrv.sys --> c:\docume~1\Admin\LOCALS~1\Temp\ehdrv.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [08.01.2015 23:02 184192]
S3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudserd.sys [08.01.2015 23:02 184192]
S3 zte_ecm_enum_filter;zte_ecm_enum_filter;c:\windows\system32\DRIVERS\zte_ecm_enum_filter.sys --> c:\windows\system32\DRIVERS\zte_ecm_enum_filter.sys [?]
S4 Agent;VPDAgent;c:\windows\VPDAgent.exe [13.05.2014 18:01 200704]
S4 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [11.11.2014 20:08 102400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-01-15 07:04 1087816 ----a-w- c:\program files\Google\Chrome\Application\39.0.2171.99\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-21 16:51]
.
2015-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-15 07:04]
.
2015-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-01-15 07:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.ru/cnt/10445
uDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.Google.com/
IE: &Отправить в OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 92.39.136.130 8.8.8.8
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\kwmsvgwf.default-1421337993328\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-ITBar7Position - (no file)
HKLM-Run-skytel.exe - c:\documents and settings\Admin\Application Data\AAN-DUPKSPPO\skytel.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2015-01-18 15:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\.Default\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\AppGPFault\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\CCSelect\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Close\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceConnect\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceDisconnect\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\DeviceFail\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\InternetAlert\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MailBeep\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Maximize\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MenuCommand\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\MenuPopup\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Minimize\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\Open\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\PrintComplete\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\RestoreDown\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\RestoreUp\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\ShowBand\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemAsterisk\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemExclamation\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemExit\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemHand\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemNotification\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemQuestion\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\SystemStart\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\WindowsLogoff\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\.Default\WindowsLogon\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\ActivatingDocument\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\BlockedPopup\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\FeedDiscovered\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\MoveMenuItem\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\Navigating\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\Explorer\SecurityBand\%C90*nC]
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiDeleteObject\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiMiscue\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Apps\PictureIt\PiTaskButton\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@=""
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\AppEvents\Schemes\Names\%C90*nC]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="Хуй"
.
[HKEY_USERS\S-1-5-21-1708537768-1409082233-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,fd,6c,7e,43,00,8b,4a,98,48,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,fd,6c,7e,43,00,8b,4a,98,48,8f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\cscui.dll
.
- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\WININET.dll
c:\windows\system32\COMRes.dll
c:\program files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~1\Office14\1049\GrooveIntlResource.dll
c:\windows\System32\cscui.dll
c:\program files\Atomic Alarm Clock\Clock.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CNAB4RPK.EXE
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
.
**************************************************************************
.
Completion time: 2015-01-18 15:14:34 - machine was rebooted
ComboFix-quarantined-files.txt 2015-01-18 11:14
ComboFix2.txt 2015-01-18 05:27
.
Pre-Run: 25*368*625*152 байт свободно
Post-Run: 25*410*437*120 байт свободно
.
- - End Of File - - A665ADF4EC3BAA3FD4CCB6BDA20877CB
8F558EB6672622401DA993E1E865C861[/SPOILER]
-
Please attach C:\Qoobox\ComboFix-quarantined-files.txt.
-
Attachments: 1
-
[QUOTE]
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\Главное меню\Программы\Автозагрузка\update.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\Application Data\12650675\svchost.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\Application Data\Microsoft\Windows\gupdater.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\mslmanq.exe.vir
[/QUOTE]
Send the quarantine as described in Appendix 2 of the rules, using the red link [B]Send the requested quarantine[/B] at the top of the thread.
-
Well, I think I've uploaded it, but now I'm getting lost about what to do and how; maybe I've done it wrong again.