ComboFix 09-11-07.02 — Irbis 08.11.2009 15:40.1.4 — NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1251.7.1049.18.3326.2286 [GMT 3:00]
Running from: c:usersIrbisDownloadsComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:$recycle.binS-1-5-21-1446179839-891853363-1653453915-500
c:$recycle.binS-1-5-21-6276019-3713205604-3198127286-500
c:program filesMail.RuAgentMradllnewmrasearch.dll
c:programdataMicrosoftNetworkDownloaderqmgr0.dat
c:programdataMicrosoftNetworkDownloaderqmgr1.dat
c:usersIrbisAppDataRoamingDesktopicon
c:usersIrbisAppDataRoamingDesktopiconconfig.ini
c:usersIrbisAppDataRoamingMicrosoftInternet ExplorerqiPSearchbar.dll
BITS: Possible infected sites
hxxp://soft.export.yandex.ru
hxxp://bar.export.yandex.ru
.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.
2009-11-08 12:48 . 2009-11-08 12:48
d
w- c:usersirbis2AppDataLocaltemp
2009-11-08 12:48 . 2009-11-08 12:48
d
w- c:usersIrbisAppDataLocaltemp
2009-11-08 12:48 . 2009-11-08 12:48
d
w- c:usersDefaultAppDataLocaltemp
2009-11-06 12:21 . 2009-11-06 12:21
d
w- c:program filesIObit
2009-11-03 11:52 . 2009-11-03 11:52
d
w- c:usersIrbisAppDataRoamingMalwarebytes
2009-11-03 11:52 . 2009-09-10 11:54 38224 —-a-w- c:windowssystem32driversmbamswissarmy.sys
2009-11-03 11:52 . 2009-11-03 11:52
d
w- c:programdataMalwarebytes
2009-11-03 11:52 . 2009-09-10 11:53 19160 —-a-w- c:windowssystem32driversmbam.sys
2009-11-03 11:52 . 2009-11-03 11:52 4096 d
w- c:program filesMalwarebytes’ Anti-Malware
2009-10-30 17:24 . 2009-10-30 17:24
d
w- c:program filesWindows Portable Devices
2009-10-30 15:48 . 2009-09-10 02:00 92672 —-a-w- c:windowssystem32UIAnimation.dll
2009-10-30 15:48 . 2009-09-10 02:01 3023360 —-a-w- c:windowssystem32UIRibbon.dll
2009-10-30 15:48 . 2009-09-10 02:00 1164800 —-a-w- c:windowssystem32UIRibbonRes.dll
2009-10-30 15:46 . 2009-10-01 01:02 30208 —-a-w- c:windowssystem32WPDShextAutoplay.exe
2009-10-30 15:46 . 2009-10-01 01:02 31232 —-a-w- c:windowssystem32BthMtpContextHandler.dll
2009-10-30 15:46 . 2009-10-01 01:01 81920 —-a-w- c:windowssystem32wpdbusenum.dll
2009-10-30 15:46 . 2009-10-01 01:01 60928 —-a-w- c:windowssystem32PortableDeviceConnectApi.dll
2009-10-30 15:46 . 2009-10-01 01:02 2537472 —-a-w- c:windowssystem32wpdshext.dll
2009-10-30 15:46 . 2009-10-01 01:02 334848 —-a-w- c:windowssystem32PortableDeviceApi.dll
2009-10-30 15:46 . 2009-10-01 01:02 87552 —-a-w- c:windowssystem32WPDShServiceObj.dll
2009-10-30 15:46 . 2009-10-01 01:01 546816 —-a-w- c:windowssystem32wpd_ci.dll
2009-10-30 15:46 . 2009-10-01 01:01 160256 —-a-w- c:windowssystem32PortableDeviceTypes.dll
2009-10-30 15:46 . 2009-10-01 01:01 350208 —-a-w- c:windowssystem32WPDSp.dll
2009-10-30 15:46 . 2009-10-01 01:01 196608 —-a-w- c:windowssystem32PortableDeviceWMDRM.dll
2009-10-30 15:46 . 2009-10-01 01:01 100864 —-a-w- c:windowssystem32PortableDeviceClassExtension.dll
2009-10-30 15:43 . 2009-10-08 21:08 555520 —-a-w- c:windowssystem32UIAutomationCore.dll
2009-10-30 15:43 . 2009-10-08 21:08 234496 —-a-w- c:windowssystem32oleacc.dll
2009-10-30 15:43 . 2009-10-08 21:07 4096 —-a-w- c:windowssystem32oleaccrc.dll
2009-10-30 13:11 . 2009-09-10 14:58 310784 —-a-w- c:windowssystem32unregmp2.exe
2009-10-30 13:11 . 2009-09-10 14:59 8147456 —-a-w- c:windowssystem32wmploc.DLL
2009-10-27 15:25 . 2009-10-27 15:27
d
w- c:windowssystem32ca-ES
2009-10-27 15:25 . 2009-10-27 15:27
d
w- c:windowssystem32eu-ES
2009-10-27 15:25 . 2009-10-27 15:27
d
w- c:windowssystem32vi-VN
2009-10-27 14:41 . 2009-10-27 14:41
d
w- C:rsit
2009-10-27 14:28 . 2009-10-27 14:28 4096 d
w- c:windowssystem32EventProviders
2009-10-27 13:53 . 2009-10-27 13:53
d
w- c:program filesTrend Micro
2009-10-27 13:48 . 2009-08-27 05:22 916480 —-a-w- c:windowssystem32wininet.dll
2009-10-27 13:48 . 2009-08-27 05:17 71680 —-a-w- c:windowssystem32iesetup.dll
2009-10-27 13:47 . 2009-08-27 05:17 109056 —-a-w- c:windowssystem32iesysprep.dll
2009-10-27 13:47 . 2009-08-27 03:42 133632 —-a-w- c:windowssystem32ieUnatt.exe
2009-10-27 13:40 . 2009-08-07 02:24 44768 —-a-w- c:windowssystem32wups2.dll
2009-10-27 13:40 . 2009-08-07 02:24 53472 —-a-w- c:windowssystem32wuauclt.exe
2009-10-27 13:40 . 2009-08-07 02:23 1929952 —-a-w- c:windowssystem32wuaueng.dll
2009-10-27 13:40 . 2009-08-07 01:45 2421760 —-a-w- c:windowssystem32wucltux.dll
2009-10-27 13:40 . 2009-08-07 02:24 35552 —-a-w- c:windowssystem32wups.dll
2009-10-27 13:40 . 2009-08-07 02:23 575704 —-a-w- c:windowssystem32wuapi.dll
2009-10-27 13:40 . 2009-08-07 01:44 87552 —-a-w- c:windowssystem32wudriver.dll
2009-10-27 13:40 . 2009-08-06 16:23 171608 —-a-w- c:windowssystem32wuwebv.dll
2009-10-27 13:40 . 2009-08-06 15:44 33792 —-a-w- c:windowssystem32wuapp.exe
2009-10-21 11:25 . 2009-10-21 11:25
d
w- c:usersIrbisAppDataRoamingPeerNetworking
2009-10-19 18:25 . 2009-10-19 18:25
d
w- c:program filesAPC
2009-10-15 20:50 . 2009-10-21 08:25
d
w- c:program filesESET
2009-10-15 19:36 . 2009-10-15 19:36
d
w- c:usersIrbisAppDataLocalESET
2009-10-15 13:00 . 2009-09-10 16:48 218624 —-a-w- c:windowssystem32msv1_0.dll
2009-10-15 12:56 . 2009-08-04 12:34 3600456 —-a-w- c:windowssystem32ntkrnlpa.exe
2009-10-15 12:56 . 2009-08-04 12:34 3548216 —-a-w- c:windowssystem32ntoskrnl.exe
2009-10-15 12:34 . 2009-09-04 11:41 60928 —-a-w- c:windowssystem32msasn1.dll
2009-10-15 12:34 . 2009-09-14 09:29 144896 —-a-w- c:windowssystem32driverssrv2.sys
2009-10-15 12:34 . 2009-05-08 12:53 604672 —-a-w- c:windowssystem32WMSPDMOD.DLL
2009-10-13 07:07 . 2009-10-13 07:07
d
w- c:usersIrbisAppDataRoamingSamsung
2009-10-13 07:06 . 2006-07-24 12:05 5632 —-a-w- c:windowssystem32driversStarOpen.sys
2009-10-13 07:03 . 2009-10-13 07:06
d
w- c:windowssystem32Samsung_USB_Drivers
2009-10-13 07:03 . 2009-10-13 07:03
d
w- c:program filesSamsung
2009-10-12 16:39 . 2008-02-28 09:26 1414440 —-a-w- c:windowssystem32ShellManager310E2D762.dll
2009-10-12 15:34 . 2009-10-12 16:53
d
w- c:usersIrbisAppDataLocalAhead
2009-10-12 15:32 . 2009-10-12 15:39
d
w- c:usersIrbisAppDataRoamingAhead
2009-10-12 15:31 . 2009-10-12 15:49 4096 d
w- c:program filesCommon FilesAhead
2009-10-12 14:56 . 2009-10-12 14:56
d
w- c:usersIrbisAppDataRoamingNeroDigital(TM)
2009-10-09 16:34 . 2009-10-09 16:34
d
w- c:program filesIVT Corporation
2009-10-09 15:32 . 2009-10-19 15:01 319456 —-a-w- c:windowsDIFxAPI.dll
2009-10-09 15:32 . 2008-08-26 04:25 150560 —-a-w- c:windowssystem32driversRtHDMIV.sys
2009-10-09 15:32 . 2008-08-25 04:35 2296320 —-a-w- c:windowssystem32RtkHDMI.dll
2009-10-09 15:32 . 2008-08-22 10:05 799744 —-a-w- c:windowssystem32RHDMIExt.dll
2009-10-09 15:32 . 2008-08-06 08:51 1200128 —-a-w- c:windowsRtkUpd.exe
2009-10-09 15:32 . 2008-07-31 07:13 34304 —-a-w- c:windowssystem32RHCoInst.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 09:12 . 2008-01-21 05:59 693850 —-a-w- c:windowssystem32perfh019.dat
2009-11-08 09:12 . 2008-01-21 05:59 143974 —-a-w- c:windowssystem32perfc019.dat
2009-11-06 14:48 . 2008-12-19 09:24 4096 d—h—w- c:program filesInstallShield Installation Information
2009-11-06 14:44 . 2009-02-11 09:19
d
w- c:usersIrbisAppDataRoamingIObit
2009-11-05 07:19 . 2009-01-28 17:47 4096 d
w- c:usersIrbisAppDataRoamingIP-TV Player
2009-11-03 16:42 . 2008-12-16 12:16
d
w- c:usersIrbisAppDataRoamingOpenOffice.org2
2009-11-03 16:42 . 2008-12-16 12:16 1 —-a-w- c:usersIrbisAppDataRoamingOpenOffice.org2useruno_packagescachestamp.sys
2009-11-02 17:42 . 2009-10-03 10:18 195456
w- c:windowssystem32MpSigStub.exe
2009-10-30 17:24 . 2006-11-02 10:25 665600 —-a-w- c:windowsinfdrvindex.dat
2009-10-30 17:24 . 2009-10-30 17:24 0 —ha-w- c:windowssystem32driversMsft_User_WpdFs_01_07_00.Wdf
2009-10-27 15:27 . 2006-11-02 12:35
d
w- c:program filesWindows Calendar
2009-10-27 15:27 . 2006-11-02 11:18 4096 d
w- c:program filesWindows Mail
2009-10-27 15:27 . 2006-11-02 12:35 4096 d
w- c:program filesWindows Sidebar
2009-10-27 15:27 . 2006-11-02 12:35 4096 d
w- c:program filesWindows Collaboration
2009-10-27 15:27 . 2006-11-02 12:35 4096 d
w- c:program filesWindows Photo Gallery
2009-10-27 15:27 . 2006-11-02 12:35 4096 d
w- c:program filesWindows Defender
2009-10-22 12:31 . 2009-06-20 08:10 4096 d
w- c:program filesCommon FilesNero
2009-10-22 12:29 . 2009-01-09 11:46 4096 d
w- c:programdataNero
2009-10-19 16:13 . 2009-01-30 12:48 4096 d
w- c:program filesUnlocker
2009-10-18 19:00 . 2008-12-22 22:16 22328 —-a-w- c:windowssystem32driversPnkBstrK.sys
2009-10-18 19:00 . 2008-12-22 22:16 103736 —-a-w- c:windowssystem32PnkBstrB.exe
2009-10-15 21:30 . 2009-10-06 14:16
d
w- c:usersIrbisAppDataRoamingCMedia
2009-10-15 20:30 . 2008-12-16 12:13
d
w- c:programdataSkype
2009-10-15 12:12 . 2008-12-22 20:54
d
w- c:usersIrbisAppDataRoamingskypePM
2009-10-12 17:15 . 2009-06-20 08:10
d
w- c:program filesNero
2009-10-12 16:20 . 2009-06-20 08:35 4096 d
w- c:usersIrbisAppDataRoamingNero
2009-10-09 16:36 . 2009-10-03 11:32
d
w- c:programdataBluetooth
2009-10-09 16:36 . 2009-10-03 11:28 12 —-a-w- c:windowsbthservsdp.dat
2009-10-09 11:51 . 2009-10-09 11:51 54656 —-a-w- c:usersirbis2AppDataLocalGDIPFONTCACHEV1.DAT
2009-10-09 11:51 . 2009-10-09 11:51
d
w- c:usersirbis2AppDataRoamingMRA
2009-10-09 11:51 . 2009-10-09 11:51
d
w- c:usersirbis2AppDataRoamingATI
2009-10-09 11:51 . 2009-10-09 11:51
d
w- c:programdataATI
2009-10-06 14:16 . 2009-10-06 14:16 804864 —-a-w- c:usersIrbisAppDataRoamingCMediaUninstall.exe
2009-10-06 11:20 . 2009-02-24 16:09 4096 d
w- c:programdataInstallations
2009-10-04 00:06 . 2009-03-13 11:10 4096 dc-h—w- c:programdata{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-09-25 02:10 . 2009-10-30 15:47 974848 —-a-w- c:windowssystem32WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-30 15:47 189440 —-a-w- c:windowssystem32WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-30 15:47 321024 —-a-w- c:windowssystem32PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-30 15:47 1554432 —-a-w- c:windowssystem32xpsservices.dll
2009-09-25 01:48 . 2009-10-30 15:47 351232 —-a-w- c:windowssystem32XpsPrint.dll
2009-09-25 01:38 . 2009-10-30 15:47 847360 —-a-w- c:windowssystem32OpcServices.dll
2009-09-25 01:36 . 2009-10-30 15:47 280064 —-a-w- c:windowssystem32XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-30 15:47 135680 —-a-w- c:windowssystem32XpsRasterService.dll
2009-09-25 01:33 . 2009-10-30 15:47 195584 —-a-w- c:windowssystem32dxdiagn.dll
2009-09-25 01:33 . 2009-10-30 15:47 829440 —-a-w- c:windowssystem32d3d10warp.dll
2009-09-25 01:33 . 2009-10-30 15:47 369664 —-a-w- c:windowssystem32WMPhoto.dll
2009-09-25 01:32 . 2009-10-30 15:47 252928 —-a-w- c:windowssystem32dxdiag.exe
2009-09-25 01:31 . 2009-10-30 15:47 519680 —-a-w- c:windowssystem32d3d11.dll
2009-09-25 01:31 . 2009-10-30 15:47 486912 —-a-w- c:windowssystem32d3d10level9.dll
2009-09-25 01:31 . 2009-10-30 15:47 161280 —-a-w- c:windowssystem32d3d10_1.dll
2009-09-25 01:31 . 2009-10-30 15:47 218112 —-a-w- c:windowssystem32d3d10_1core.dll
2009-09-25 01:31 . 2009-10-30 15:47 1030144 —-a-w- c:windowssystem32d3d10.dll
2009-09-25 01:31 . 2009-10-30 15:47 828928 —-a-w- c:windowssystem32d2d1.dll
2009-09-25 01:30 . 2009-10-30 15:47 481792 —-a-w- c:windowssystem32dxgi.dll
2009-09-25 01:30 . 2009-10-30 15:47 190464 —-a-w- c:windowssystem32d3d10core.dll
2009-09-25 01:27 . 2009-10-30 15:47 634880 —-a-w- c:windowssystem32driversdxgkrnl.sys
2009-09-25 01:27 . 2009-10-30 15:47 37888 —-a-w- c:windowssystem32cdd.dll
2009-09-25 01:27 . 2009-10-30 15:47 793088 —-a-w- c:windowssystem32FntCache.dll
2009-09-25 01:27 . 2009-10-30 15:47 1064448 —-a-w- c:windowssystem32DWrite.dll
2009-09-24 22:54 . 2009-10-30 15:47 258048 —-a-w- c:windowssystem32winspool.drv
2009-09-24 22:54 . 2009-10-30 15:47 667648 —-a-w- c:windowssystem32printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-30 15:47 26112 —-a-w- c:windowssystem32printfilterpipelineprxy.dll
2009-09-21 09:06 . 2009-09-21 09:06
d
w- c:programdataUbisoft
2009-09-21 08:49 . 2009-09-21 08:49
d
w- c:usersIrbisAppDataRoamingInstallShield
2009-09-13 13:44 . 2009-09-13 13:44 4096 d
w- c:program filesDAEMON Tools Lite
2009-09-13 13:44 . 2008-12-28 14:16 4096 d
w- c:program filesDAEMON Tools Toolbar
2009-09-13 11:42 . 2009-09-13 11:42 93 —-a-w- c:usersIrbisAppDataLocalfusioncache.dat
2009-09-10 07:00 . 2009-01-07 09:09
d
w- c:program filesMicrosoft Games for Windows — LIVE
2009-08-29 00:27 . 2009-09-03 06:33 4240384 —-a-w- c:windowssystem32GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 06:33 28672 —-a-w- c:windowssystem32Apphlpdm.dll
2009-08-14 16:27 . 2009-09-10 06:01 904776 —-a-w- c:windowssystem32driverstcpip.sys
2009-08-14 15:53 . 2009-09-10 06:01 17920 —-a-w- c:windowssystem32netevent.dll
2009-08-14 13:49 . 2009-09-10 06:01 9728 —-a-w- c:windowssystem32TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 06:01 17920 —-a-w- c:windowssystem32ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 06:01 11264 —-a-w- c:windowssystem32MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 06:01 27136 —-a-w- c:windowssystem32NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 06:01 8704 —-a-w- c:windowssystem32HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 06:01 19968 —-a-w- c:windowssystem32ARP.EXE
2009-08-14 13:49 . 2009-09-10 06:01 10240 —-a-w- c:windowssystem32finger.exe
2009-08-14 13:48 . 2009-09-10 06:01 30720 —-a-w- c:windowssystem32driverstcpipreg.sys
2009-08-14 13:48 . 2009-09-10 06:01 105984 —-a-w- c:windowssystem32netiohlp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerURLSearchHooks]
«{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}»= «c:program filesWinamp Toolbarwinamptb.dll» [2008-07-16 1266992]
[HKEY_CLASSES_ROOTclsid{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOTTypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOTWINAMPTB.AOLTBSearch]
[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerToolbarWebbrowser]
«{91397D20-1446-11D4-8AF4-0040CA1127B6}»= «c:program filesYandexYandexBarIEyndbar.dll» [2009-07-24 5586208]
[HKEY_CLASSES_ROOTclsid{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOTYandex.Toolbar.1]
[HKEY_CLASSES_ROOTTypeLib{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOTYandex.Toolbar]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«Windows Mobile-based device management»=»c:windowsWindowsMobilewmdSync.exe» [2008-01-21 215552]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2008-07-01 1447168]
«Malwarebytes Anti-Malware (reboot)»=»c:program filesMalwarebytes’ Anti-Malwarembam.exe» [2009-09-10 1312080]
c:usersIrbisAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup
explorer — џа«лЄ.lnk — c:windowsexplorer.exe [2009-9-24 2926592]
c:programdataMicrosoftWindowsStart MenuProgramsStartup
APC UPS Status.lnk — c:program filesAPCAPC PowerChute Personal EditionDisplay.exe [2009-10-19 221247]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
«EnableUIADesktopToggle»= 0 (0x0)
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinDefend]
@=»Service»
[HKLM~startupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^FlyLinkDC++.lnk]
backup=c:windowspssFlyLinkDC++.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM~startupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^IP-TV Player Agent.lnk]
path=c:programdataMicrosoftWindowsStart MenuProgramsStartupIP-TV Player Agent.lnk
backup=c:windowspssIP-TV Player Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM~startupfolderC:^Users^Irbis^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Punto Switcher.lnk]
backup=c:windowspssPunto Switcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregYupdate!
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity centerSvc]
«VistaSp2″=hex(b):a6,e0,41,85,86,59,ca,01
R0 hotcore3;hotcore3;c:windowsSystem32drivershotcore3.sys [22.12.2008 19:08 40368]
R1 epfwtdir;epfwtdir;c:windowsSystem32driversepfwtdir.sys [01.07.2008 8:04 34312]
R2 ekrn;Eset Service;c:program filesESETESET NOD32 Antivirusekrn.exe [21.12.2007 7:21 468224]
R3 dc3d;USBCCGP filter driver (dc3d);c:windowsSystem32driversdc3d.sys [15.01.2009 9:15 15360]
S3 btnetBUs;Bluetooth PAN Bus Service;c:windowsSystem32driversbtnetBus.sys [17.06.2009 13:02 29192]
S3 FontCache;Служба кэша шрифтов Windows;c:windowssystem32svchost.exe -k LocalServiceAndNoImpersonation [21.01.2008 5:33 21504]
— Other Services/Drivers In Memory —
*NewlyCreated* — MBR
*NewlyCreated* — PROCEXP113
*Deregistered* — mbr
*Deregistered* — PROCEXP113
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the ‘Scheduled Tasks’ folder
2009-11-08 c:windowsTasksAWC AutoSweep.job
— c:program filesIObitAdvanced SystemCare 3AutoSweep.exe [2009-11-06 12:35]
2009-11-08 c:windowsTasksAWC Startup.job
— c:program filesIObitAdvanced SystemCare 3AWC.exe [2009-11-06 06:30]
2009-11-06 c:windowsTasksAWC Update.job
— c:program filesIObitAdvanced SystemCare 3IObitUpdate.exe [2009-11-06 07:15]
2009-10-04 c:windowsTasksCrysis Wars(R) Updates.job
— c:windowsInstallerCrysis Wars(R) Updates for All Users.lnk [2009-03-13 11:10]
2009-11-08 c:windowsTasksUser_Feed_Synchronization-{11B80F1F-A2FA-4650-AE3D-FF57D2DC2C9B}.job
— c:windowssystem32msfeedssync.exe [2009-10-27 03:41]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.apeha.ru
uDefault_Search_URL = hxxp://search.qip.ru
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: &Winamp Search — c:programdataWinamp ToolbarieToolbarresourcesen-USlocalsearch.html
TCP: {0BE9002C-16D0-4D5C-8E24-72119F8E8B16} = 195.98.160.26,80.253.30.20
FF — ProfilePath — c:usersIrbisAppDataRoamingMozillaFirefoxProfiles9vf96daw.default
FF — prefs.js: browser.search.defaulturl — hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF — prefs.js: browser.search.selectedEngine — DAEMON Search
FF — prefs.js: browser.startup.homepage — hxxp://www.yandex.ru/?clid=21973
FF — prefs.js: keyword.URL — hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF — component: c:usersIrbisAppDataRoamingMozillaFirefoxProfiles9vf96daw.defaultextensions{0b38152b-1b20-484d-a11f-5e04a9b0661f}componentsWinampTBPlayer.dll
FF — HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} — c:windowsMicrosoft.NETFrameworkv3.5Windows Presentation FoundationDotNetAssistantExtension
—- FIREFOX POLICIES —-
FF — user.js: browser.cache.memory.capacity — 65536
FF — user.js: browser.chrome.favicons — fales
FF — user.js: browser.display.show_image_placeholders — true
FF — user.js: browser.turbo.enabled — true
FF — user.js: browser.urlbar.autocomplete.enabled — true
FF — user.js: browser.urlbar.autofill — true
FF — user.js: browser.xul.error_pages.enabled — true
FF — user.js: content.interrupt.parsing — true
FF — user.js: content.max.tokenizing.time — 3000000
FF — user.js: content.maxtextrun — 8191
FF — user.js: content.notify.backoffcount — 5
FF — user.js: content.notify.interval — 750000
FF — user.js: content.notify.ontimer — true
FF — user.js: content.switch.threshold — 750000
FF — user.js: network.http.max-connections — 32
FF — user.js: network.http.max-connections-per-server — 8
FF — user.js: network.http.max-persistent-connections-per-proxy — 8
FF — user.js: network.http.max-persistent-connections-per-server — 4
FF — user.js: network.http.pipelining — true
FF — user.js: network.http.pipelining.firstrequest — true
FF — user.js: network.http.pipelining.maxrequests — 8
FF — user.js: network.http.proxy.pipelining — true
FF — user.js: network.http.request.max-start-delay — 0
FF — user.js: nglayout.initialpaint.delay — 0
FF — user.js: plugin.expose_full_path — true
FF — user.js: ui.submenuDelay — 0
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-08 15:49
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x857C61F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
Driveratapi -> 0x857c61f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use «Recovery Console» command «fixmbr» to clear infection !
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERSS-1-5-21-1446179839-891853363-1653453915-1000SoftwareSecuROM!CAUTION! NEVER A OR CHANGE ANY KEY*]
«??»=hex:1a,df,a9,24,f3,cd,c4,5e,5b,57,6a,c5,80,0b,fc,9a,c7,f9,27,5f,e7,1e,66,
e7,ae,d3,3b,99,8c,73,34,85,5b,68,ea,a4,a7,ca,c0,63,7d,57,87,2a,a2,fa,5c,d3,
«??»=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
[HKEY_USERSS-1-5-21-1446179839-891853363-1653453915-1000SoftwareSecuROMLicense information*]
«datasecu»=hex:d9,c9,72,54,09,b0,4c,77,19,14,07,d6,c2,8c,19,e0,bc,25,1d,a7,74,
35,a3,4c,55,be,d0,ba,a9,ef,04,f3,74,a5,1a,ac,e7,8c,39,da,fc,59,2b,87,36,00,
«rkeysecu»=hex:0d,0d,43,2c,3f,4e,39,63,90,b8,22,6e,61,b9,09,3c
[HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{4D36E96D-E325-11CE-BFC1-08002BE10318}000AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
«BlindDial»=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{4D36E96D-E325-11CE-BFC1-08002BE10318}001AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
«BlindDial»=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{4D36E96D-E325-11CE-BFC1-08002BE10318}002AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
«BlindDial»=dword:00000000
.
Completion time: 2009-11-08 15:52
ComboFix-quarantined-files.txt 2009-11-08 12:51
Pre-Run: 19 608 797 184 байт свободно
Post-Run: 19 547 557 888 байт свободно
— — End Of File — — 78B264087BF9969EF3D540839855CDA0
