Removing viruses and trojans. Computer protection. › Help with removing viruses, trojans, adware and other malware › Antivirus XP Pro 2009 › Re: Re: Antivirus XP Pro 2009
ComboFix 09-03-03.01 — d 2009-03-04 13:21:02.2 — NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1251.1.1049.18.510.83 [GMT 5:00]
Running from: c:\documents and settings\d\Рабочий стол\ComboFix.exe
AV: Panda Internet Security 2009 *On-access scanning disabled* (Updated)
FW: Panda Personal Firewall 2009 *disabled*
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\1
.
((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.
2009-03-04 13:19 . 2009-03-04 13:19  C:\32788R22FWJFW
2009-02-23 19:34 . 2009-02-23 19:34
2009-02-19 14:49 . 2009-02-19 14:49  c:\documents and settings\All Users\Application Data\Panda Software
2009-02-18 22:30 . 2009-02-24 09:27  c:\program files\trend micro
2009-02-18 21:09 . 2009-02-18 21:09  c:\windows\Install
2009-02-18 09:50 . 2009-02-18 09:50  c:\documents and settings\d\Application Data\Malwarebytes
2009-02-18 09:49 . 2009-02-18 09:49  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 09:48 . 2009-02-18 09:48  2,876,720  --a------  c:\program files\mbam-setup.exe
2009-02-17 13:00 . 2008-04-14 21:11  26,624  --a--c---  c:\windows\system32\dllcache\userinit.exe
2009-02-16 21:20 . 2009-02-16 21:20  c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-16 21:20 . 2009-02-16 21:20  43,130,072  --a------  c:\program files\kis8.0.0.506ru.exe
2009-02-16 15:52 . 2009-02-16 21:40  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-13 21:32 . 2009-02-13 21:32  c:\documents and settings\d\Application Data\Apple Computer
2009-02-13 20:35 . 2009-02-13 20:35  c:\program files\QuickTime
2009-02-13 20:35 . 2009-02-13 20:35  c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-13 20:34 . 2009-02-13 20:34  c:\program files\Apple Software Update
2009-02-13 20:34 . 2009-02-13 20:34  c:\documents and settings\All Users\Application Data\Apple
2009-02-13 20:33 . 2009-02-13 20:34  21,878,064  --a------  c:\program files\QuickTimeInstaller.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 08:11  13,880  ----a-w  c:\windows\system32\drivers\COMFiltr.sys
2009-03-04 08:11  1,132  ----a-w  c:\windows\system32\drivers\APPFLTR.CFG.bck
2009-03-04 08:11  1,132  ----a-w  c:\windows\system32\drivers\APPFLTR.CFG
2009-03-03 04:31  294,752  ----a-w  c:\windows\system32\drivers\APPFCONT.DAT.bck
2009-03-03 04:31  294,752  ----a-w  c:\windows\system32\drivers\APPFCONT.DAT
2009-03-02 09:19  d-----w  c:\program files\MetaTrader - Masterforex
2009-03-02 08:59  d-----w  c:\documents and settings\All Users\Application Data\Google Updater
2009-02-25 04:53  d-----w  c:\documents and settings\d\Application Data\Skype
2009-02-25 04:52  d-----w  c:\documents and settings\d\Application Data\skypePM
2009-02-01 13:36  d-----w  c:\program files\Common Files\EduSetup
2009-02-01 13:36  d-----w  c:\program files\Common Files\1C Education Shared
2009-02-01 13:36  d-----w  c:\program files\1C Education
2009-01-23 17:20  d-----w  c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-19 13:52  d-----w  c:\program files\1C Repetitor
2009-01-19 13:16  d-----w  c:\documents and settings\All Users\Application Data\QuickTime
2009-01-19 13:13  d-----w  c:\program files\Viewpoint
2009-01-19 13:10  d--h--w  c:\program files\InstallShield Installation Information
2009-01-17 15:43  399,360  ----a-w  c:\windows\system32\dllcache\rpcss.dll
2009-01-15 13:27  d-----r  c:\program files\AlfaDirect
2009-01-14 14:41  d-----w  c:\program files\MSBuild
2009-01-14 14:41  d-----w  c:\program files\Microsoft Works
2009-01-14 14:39  d-----w  c:\program files\Microsoft.NET
2009-01-04 12:23  d-----w  c:\program files\Disney Interactive
2008-12-20 23:03  826,368  ----a-w  c:\windows\system32\wininet.dll
2008-09-25 03:59  1,684,200  ----a-w  c:\program files\ADSetup.exe
2008-09-16 04:11  164  ---ha-w  c:\documents and settings\All Users\hpothb07.dat
2008-09-16 04:11  156  ---ha-w  c:\documents and settings\d\hpothb07.dat
2008-09-10 09:44  135,071,428  ----a-w  c:\program files\OOo_2.4.1_Win32Intel_install_wJRE_ru.exe
2008-09-08 08:03  6,114,816  ----a-w  c:\program files\rambler-icq5_1.exe
2008-08-24 14:39  1,662,925  ----a-w  c:\program files\tetris.zip
2008-03-18 09:30  3,650,904  ----a-w  c:\program files\mt4setup.exe
2005-12-21 15:18  0  ----a-w  c:\documents and settings\d\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-03-04_13.04.41,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-04 08:10:16  16,384  ----atw  c:\windows\Temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Yupdate!"="c:\program files\Common Files\Yandex\Yupdate\yupdate.exe" [2008-03-14 457992]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-02 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-14 344064]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2006-12-15 787096]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2009\APVXDWIN.EXE" [2008-12-03 869632]
"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2009\Inicio.exe" [2008-07-07 50432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 c:\windows\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 c:\windows\soundman.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\d\Главное меню\Программы\Автозагрузка
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-09-12 299008]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]
Вырезка экрана и программа запуска для OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Инструмент проверки носителя Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-06-21 385024]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-04-28 872526]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2006-12-15 913560]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cpcsp]
2008-07-28 14:53 726528 c:\program files\Crypto Pro\CSP\cpcspi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 15:58 58672 c:\windows\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax
"msacm.avis"= c:\program files\ffdshow\ffdshow.ax
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages  REG_MULTI_SZ  kerberos msv1_0 wdigest cpssl
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"c:\WINDOWS\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\ICQ6\ICQ.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\Program Files\Common Files\1C Education Shared\fb\bin\ibserver.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP порт443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP порт37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP порт37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP порт37675
R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2008-10-03 28544]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-08-05 15172]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2008-10-03 73728]
R1 CProCtrl;КриптоПро CSP драйвер;c:\windows\system32\drivers\CProCtrl.sys [2008-07-21 54024]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2008-10-03 52992]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2008-10-03 22072]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2008-10-03 193792]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2008-10-03 20:47:08 158848]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-10-03 41144]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2008-10-03 46720]
R2 cpcsp1;КриптоПро CSP KC1;c:\windows\system32\svchost.exe -k cpcsp [2004-08-18 14336]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-10-03 179640]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2009\psksvc.exe [2008-10-03 28928]
R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\drivers\neti1634.sys [2008-10-03 197888]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
R3 RTIFDH;RTIFDH;c:\windows\system32\drivers\rtIFDH.sys [2007-03-23 13056]
S3 RTUSB;Rutoken;c:\windows\system32\drivers\rtUSB.sys [2008-09-24 29440]
S3 s3chipid;s3chipid;\??\c:\docume~1\d\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\d\LOCALS~1\Temp\s3chipid.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
cpcsp  REG_MULTI_SZ  cpcsp1
panda  REG_MULTI_SZ  Gwmsrv
.
Contents of the 'Scheduled Tasks' folder
2009-03-04 c:\windows\Tasks\User_Feed_Synchronization-{5797FC88-E461-4A06-B2D1-D81ECB1BB3DF}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &Экспорт в Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Закачать все при помощи FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Закачать при помощи FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Найти с помощью Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU0.dll/search.htm
IE: Перевести с помощью словарей Рамблера - c:\program files\Rambler Assistant\ramblertoolbarU0.dll/dic.htm
Trusted Zone: webmoney.ru\banking
Trusted Zone: webmoney.ru\www
TCP: {85C977D4-A0C4-4E9D-A888-0CC8849B01E4} = 213.135.97.131,195.128.128.1
DPF: {C6DBEB23-7475-11D2-8968-0060080BBFF8} - hxxp://demo.bankline.ru/servlets/ibc?File=11309.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 13:25:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1472)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avldr.dll
.
Completion time: 2009-03-04 13:28:51
ComboFix-quarantined-files.txt 2009-03-04 08:28:33
ComboFix2.txt 2009-03-04 08:06:20
Pre-Run: 35 679 416 320 байт свободно
Post-Run: 35,664,580,608 байт свободно
202 --- E O F --- 2009-02-11 08:
Websites open slowly.
The download speed for programs (for example, ComboFix) is normal, in line with my tariff.
The numbers are all fine; it was the desktop settings that had been messed up.

