Re: Re: Can't open IE
ComboFix 10-07-19.02 — Наумов Роман 20.07.2010 16:02:20.4.2 — x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1022.561 [GMT 1:00]
Running from: c:documents and settingsНаумов РоманРабочий столComboFix.exe
Command switches used :: c:documents and settingsНаумов РоманРабочий столCFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
"c:windowssystem32ab2ce665.exe"
"c:windowssystem32gyqcri.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:program filesCommon Fileskeylog.txt
c:windowssystem32ab2ce665.exe
c:windowssystem32eundtpw.exe
c:windowssystem32gyqcri.exe
c:windowssystem32tniktuk.exe
.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.
2010-07-20 11:02 . 2010-07-20 11:02 d-----w- C:rsit
2010-07-19 12:09 . 2010-07-19 12:09 d-----w- C:mega
2010-07-14 10:06 . 2010-06-14 14:31 744448 -c----w- c:windowssystem32dllcachehelpsvc.exe
2010-07-12 19:53 . 2009-03-04 00:18 73728 ----a-w- c:windowssystem32RtNicProp32.dll
2010-07-05 12:25 . 2010-07-05 14:40 d-----w- c:documents and settingsНаумов РоманApplication DataiSendSMS
2010-07-05 12:23 . 2010-07-05 12:23 d-----w- c:program filesiSendSMS
2010-07-05 12:14 . 2009-10-22 12:54 37392 ----a-w- c:windowssystem32drivers7992952.sys
2010-07-05 12:14 . 2009-09-25 16:59 128016 ----a-w- c:windowssystem32drivers7992951.sys
2010-07-05 12:14 . 2009-10-09 22:31 315408 ----a-w- c:windowssystem32drivers799295.sys
2010-07-02 21:56 . 2010-07-03 18:26 d-----w- c:documents and settingsНаумов РоманApplication DataWebMoney
2010-06-26 17:32 . 2010-06-26 17:32 d-----w- c:documents and settingsНаумов РоманApplication DataMicrosoft Shared
2010-06-26 17:32 . 2010-04-17 23:56 652288 ----a-w- c:documents and settingsНаумов РоманApplication DataMicrosoft SharedUninstallFirewallInstallHelper.dll
2010-06-26 17:32 . 2010-01-30 14:45 395184 ----a-w- c:documents and settingsНаумов РоманApplication DataMicrosoft SharedUninstallGameuxInstallHelper.dll
2010-06-25 18:44 . 2010-07-18 14:12 d-----w- c:documents and settingsНаумов РоманDoctorWeb
2010-06-23 15:15 . 2010-06-23 15:15 d-sh--w- c:documents and settingsНаумов РоманIECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 11:02 . 2010-05-30 09:49 d-----w- c:program filestrend micro
2010-07-19 14:03 . 2010-02-05 18:50 d-----w- c:documents and settingsНаумов РоманApplication DataICQ
2010-07-18 10:17 . 2010-02-04 23:13 d-----w- c:program filesShareman
2010-07-16 17:38 . 2010-05-25 21:22 d-----w- c:program filesOpera
2010-07-14 12:52 . 2010-02-04 14:18 d-----w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2010-07-05 14:51 . 2010-04-18 18:02 d-----w- c:documents and settingsНаумов РоманApplication DataSkype
2010-07-05 13:24 . 2010-04-18 18:08 d-----w- c:documents and settingsНаумов РоманApplication DataskypePM
2010-07-03 18:27 . 2010-06-07 09:13 d---a-w- c:documents and settingsAll UsersApplication DataTEMP
2010-06-26 23:03 . 2010-02-06 13:31 d-----w- c:program files2gis
2010-06-23 19:01 . 2008-04-15 10:00 558312 ----a-w- c:windowssystem32perfh019.dat
2010-06-23 19:01 . 2008-04-15 10:00 107642 ----a-w- c:windowssystem32perfc019.dat
2010-06-22 19:04 . 2010-02-04 14:29 d--h--w- c:program filesInstallShield Installation Information
2010-06-15 17:49 . 2010-06-15 17:49 d-----w- c:documents and settingsAll UsersApplication DatanView_Profiles
2010-06-14 14:31 . 2010-02-04 13:10 744448 ----a-w- c:windowspchealthhelpctrbinarieshelpsvc.exe
2010-06-11 19:17 . 2010-02-05 20:14 d-----w- c:program filesICQ7.0
2010-06-11 12:35 . 2010-02-12 13:02 d-----w- c:program filesRadioClicker LITE
2010-06-09 20:42 . 2010-06-09 20:40 d-----w- c:documents and settingsНаумов РоманApplication DataDAEMON Tools Lite
2010-06-09 20:41 . 2010-06-09 20:41 d-----w- c:program filesDAEMON Tools Lite
2010-06-09 20:30 . 2010-02-04 13:15 691696 ----a-w- c:windowssystem32driverssptd.sys
2010-06-09 20:19 . 2010-06-09 01:16 d-----w- c:program filesCommon FilesOpera
2010-06-09 01:16 . 2010-02-04 13:48 d-----w- c:documents and settingsНаумов РоманApplication DataAdobeUM
2010-06-04 17:04 . 2010-02-18 20:40 d-----w- c:program filesMicrosoft Silverlight
2010-06-04 14:08 . 2010-03-09 14:40 d-----w- c:program filesXvid
2010-06-04 10:34 . 2010-06-04 10:34 d-----w- c:program filesAuslogics
2010-06-02 15:53 . 2010-02-04 14:29 d-----w- c:program filesIEPro
2010-05-31 16:10 . 2010-05-31 16:10 d-----w- c:documents and settingsAll UsersApplication DataCodemasters
2010-05-31 16:05 . 2010-05-31 16:05 d-----w- c:program filesBRS
2010-05-31 16:05 . 2010-02-04 13:13 445016 ----a-w- c:windowssystem32wrap_oal.dll
2010-05-31 16:05 . 2010-02-04 13:13 109144 ----a-w- c:windowssystem32OpenAL32.dll
2010-05-31 11:06 . 2010-05-31 11:06 d-----w- c:program filesOpenAL
2010-05-11 22:20 . 2010-02-04 14:35 664 ----a-w- c:windowssystem32d3d9caps.dat
2010-05-06 10:35 . 2009-03-15 16:40 916480 ----a-w- c:windowssystem32wininet.dll
2010-05-02 12:33 . 2009-03-15 16:40 1860480 ----a-w- c:windowssystem32win32k.sys
2010-02-10 17:59 . 2010-02-10 17:58 3580 ----a-w- c:program filesCommon Filesunins000.dat
2010-02-10 17:58 . 2010-02-10 17:58 729072 ----a-w- c:program filesCommon Filesunins000.exe
2006-12-10 18:30 . 2010-02-04 13:19 225 ----a-r- c:program filesboot.ini
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
— c:windowssystem32d3d9caps.dat —
Company:
File Description:
File Version:
Product Name:
Copyright:
Original Filename:
File size: 664
Created time: 2010-02-04 14:35
Modified time: 2010-05-11 22:20
MD5: 991FDA20D569603BE90430D25E3BACA7
SHA1: 18FC27C4D0B8A631994FD362D5266DDFEAC11164
— c:windowssystem32dllcachehelpsvc.exe —
Company: Microsoft Corporation
File Description: Microsoft Help Center Service
File Version: 5.1.2600.5997 (xpsp_sp3_gdr.100614-1759)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: HELPSVC.EXE
File size: 744448
Created time: 2010-07-14 10:06
Modified time: 2010-06-14 14:31
MD5: E5517D0908CA75EEF9633A93FF3F0408
SHA1: F8F38DEE458D4ED6D5F98830F2578A2BCA517E89
— c:windowssystem32drivers799295.sys —
Company: Kaspersky Lab
File Description: Klif Mini-Filter [fre_wnet_x86]
File Version: 8.4.0.101 built by: WinDDK
Product Name: Kaspersky™ Anti-Virus ®
Copyright: Copyright © Kaspersky Lab 1996-2009.
Original Filename: KLIF
File size: 315408
Created time: 2010-07-05 12:14
Modified time: 2009-10-09 22:31
MD5: 66EF49622BAA18E4D4F1FE4BAE1D51B8
SHA1: 0C2651FF9F5661AE124408C457F6C8AC20F0C9CB
— c:windowssystem32drivers7992951.sys —
Company: Kaspersky Lab
File Description: Kaspersky Unified Driver
File Version: 6.4.0.11
Product Name: Kaspersky Anti-Virus
Copyright: Copyright © Kaspersky Lab 1997-2009.
Original Filename: KL1.SYS
File size: 128016
Created time: 2010-07-05 12:14
Modified time: 2009-09-25 16:59
MD5: 7DD41B7AC1FBB1DBF20BB1F4E4FBE58C
SHA1: C763C52F8B0DBB6594F1A81246AE2C27C6F74557
— c:windowssystem32drivers7992952.sys —
Company: Kaspersky Lab
File Description: Kaspersky Lab Boot Guard Driver
File Version: 9.1.0.0
Product Name: Kaspersky Anti-Virus
Copyright: Copyright © Kaspersky Lab 1997-2009.
Original Filename: KLBG.SYS
File size: 37392
Created time: 2010-07-05 12:14
Modified time: 2009-10-22 12:54
MD5: A305FAD3719C5DB0C13D1C2BFD08A04D
SHA1: CD7300AE608DB1CA6583736B9648CF36B476F832
— c:windowssystem32msfeedssync.exe —
Company: Microsoft Corporation
File Description: Microsoft Feeds Synchronization
File Version: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
Product Name: Windows® Internet Explorer
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: msfeedssync.exe
File size: 13312
Created time: 2010-02-04 13:09
Modified time: 2009-03-08 03:31
MD5: FEE2BA1AD38F457F418E82EA30724053
SHA1: 7BA67318A83E01543DC455288191B6E6DD41047B
— c:windowssystem32OpenAL32.dll —
Company: Portions (C) Creative Labs Inc. and NVIDIA Corp.
File Description: Standard OpenAL(TM) Implementation
File Version: 6.14.0357.24
Product Name: Standard OpenAL(TM) Library
Copyright: Copyright (C) 2000-2006
Original Filename: OpenAL32.dll
File size: 109144
Created time: 2010-02-04 13:13
Modified time: 2010-05-31 16:05
MD5: 628321A50ED9558513F8A5E37A5E1FBA
SHA1: 4B62B9EF4E681BAA00964440D023C20B5442F5B5
— c:windowssystem32win32k.sys —
Company: Корпорация Майкрософт
File Description: Многопользовательский драйвер Win32
File Version: 5.1.2600.5976 (xpsp_sp3_qfe.100501-1623)
Product Name: Операционная система Microsoft® Windows®
Copyright: © Корпорация Майкрософт. Все права защищены.
Original Filename: win32k.sys
File size: 1860480
Created time: 2009-03-15 16:40
Modified time: 2010-05-02 12:33
MD5: D680C128D9FF7B509C4CE6D6DAA9D641
SHA1: 38A541885C86570823575A90907F18BD76C2BC1F
— c:windowssystem32wininet.dll —
Company: Microsoft Corporation
File Description: Internet Extensions for Win32
File Version: 8.00.6001.18923 (longhorn_ie8_gdr.100419-1241)
Product Name: Windows® Internet Explorer
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: wininet.dll
File size: 916480
Created time: 2009-03-15 16:40
Modified time: 2010-05-06 10:35
MD5: E4241A31680B229D2162CF188F967303
SHA1: D429FC24B72C5D87CDACB935A85415EE8CE38949
Sigcheck
[-] 2008-10-24 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:windowssystem32driverstcpip.sys
[-] 2010-04-01 . FAD4579B18A9E134B5BAC0A88874E2FD . 509440 . . [5.1.2600.5512] . . c:windowssystem32winlogon.exe
[-] 2008-04-15 . 85461D19DA3F60CBF2B99DB254183AC3 . 653312 . . [5.82] . . c:windowssystem32comctl32.dll
[-] 2008-04-14 . 2BCDBCC87A74950CD0786E2A6B73F895 . 631808 . . [5.1.2600.5512] . . c:windowssystem32user32.dll
[-] 2008-04-15 . 06E454E5D1340DE9E4BF491E6C840AF0 . 1926144 . . [6.00.2900.5512] . . c:windowsexplorer.exe
[-] 2010-02-04 . 64F69CB7BF611283ABAF72864FBC14A6 . 1571840 . . [5.1.2600.5512] . . c:windowssystem32sfcfiles.dll
[-] 2008-04-15 . E880528ACB65C5E05EE7CF83B08464EA . 37376 . . [5.1.2600.5512] . . c:windowssystem32ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"SkinClock"="c:program filesAtomic Alarm ClockAtomicAlarmClock.exe" [2008-09-30 1740288]
"tPerm"="c:program filestPermtPerm.exe" [2006-03-19 680960]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"Gainward"="c:program filesVDOToolTBPanel.exe" [2007-02-01 2154496]
"exflashservice"="c:program filesEPOXEFSEZ_FLASH_SERVICE.exe" [2006-05-02 408064]
"hwmdr"="c:program filesEPoXEPTPEPTP.EXE" [2006-07-03 988160]
"CHotkey"="mHotkey.exe" [2004-12-08 550912]
"ShowWnd"="showwnd.exe" [2003-09-18 36864]
"egui"="c:program filesESETESET NOD32 Antivirusegui.exe" [2009-05-14 2029640]
"BootSkin Startup Jobs"="c:program filesStardockWinCustomizeBootSkinBootSkin.exe" [2004-04-26 270336]
"NvCplDaemon"="c:windowssystem32NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:windowssystem32NvMcTray.dll" [2009-06-10 86016]
"2Gis Update Notifier"="c:program files2gis3.02GISTrayNotifier.exe" [2010-06-04 3319640]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"CTFMON.EXE"="c:windowssystem32CTFMON.EXE" [2008-04-15 37376]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
"IE7_011"="shell32" [X]
"IE7_012"="advpack.dll" [2009-03-08 128512]
c:documents and settingsЌ 㬮ў ђ®¬ ѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Punto Switcher.lnk — c:program filesYandexPunto Switcherpunto.exe [2010-2-4 831272]
c:documents and settingsAll Usersѓ« ў®Ґ ¬ҐоЏа®Ја ¬¬лЂўв®§ Јаг§Є
Atomic Alarm Clock.lnk — c:program filesAtomic Alarm ClockAtomicAlarmClock.exe [2010-2-4 1740288]
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
"NoSMConfigurePrograms"= 0 (0x0)
[HKLM~startupfolderC:^Documents and Settings^Наумов Роман^Главное меню^Программы^Автозагрузка^setup_9.0.0.722_30.03.2010_21-04.lnk]
path=c:documents and settingsНаумов РоманГлавное менюПрограммыАвтозагрузкаsetup_9.0.0.722_30.03.2010_21-04.lnk
backup=c:windowspsssetup_9.0.0.722_30.03.2010_21-04.lnkStartup
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesOverride"=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\ICQ7.0\ICQ.exe"=
"c:\Program Files\ICQ7.0\aolload.exe"=
"c:\Program Files\TVUPlayer\TVUPlayer.exe"=
"d:\Игрушки\Napoleon — Total War\Napoleon.exe"=
"c:\Program Files\IEPro\MiniDM.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\Program Files\Skype\Plugin Manager\skypePM.exe"=
"c:\Program Files\Opera\opera.exe"=
"d:\Games\DiRT2\dirt2_game.exe"=
"d:\Games\3D Instructor 2.0 Home\bin\win32\Starter.exe"=
"d:\Games\Brothers in Arms — Hell’s Highway\Binaries\biahh.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Program Files\Shareman\Shareman.exe"=
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 ehdrv;ehdrv;c:windowssystem32driversehdrv.sys [14.05.2009 16:47 107256]
R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [14.05.2009 16:49 94360]
R2 ekrn;ESET Service;c:program filesESETESET NOD32 Antivirusekrn.exe [14.05.2009 16:47 731840]
R2 epcpuid;epcpuid;c:windowssystem32driversepcpuid.SYS [04.02.2010 14:37 2816]
R2 GetBINFile;GetBINFile;c:windowssystem32driversGetBinFile.SYS [04.02.2010 14:37 3200]
R2 hwmdr;hwmdr;c:windowssystem32drivershwmdr.SYS [04.02.2010 14:37 12288]
R3 EPScanMemory;EPScanMemory;c:program filesEPOXEPTPScanMemory32.sys [04.02.2010 14:37 2432]
S3 2GISUpdateService;2GIS UpdateService;c:program files2gis3.02GISUpdateService.exe [04.06.2010 16:30 775512]
S4 sptd;sptd;c:windowssystem32driverssptd.sys [04.02.2010 14:15 691696]
[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
UPHClean REG_MULTI_SZ UPHClean
[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled componentsNewUserCustom]
2009-03-08 03:32 128512 —-a-w- c:windowssystem32advpack.dll
.
Contents of the ‘Scheduled Tasks’ folder
2010-07-20 c:windowsTasksUser_Feed_Synchronization-{BC16DFA8-353D-4DC9-AB02-333030CB66CB}.job
— c:windowssystem32msfeedssync.exe [2010-02-04 03:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://libra.ccl.ru/
mStart Page = hxxp://www.rambler.ru/ra/
uInternet Settings,ProxyOverride = local
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
.
— — — — ORPHANS REMOVED — — — —
Toolbar-ITBar7Position — (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 16:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(668)
c:windowssystem32SETUPAPI.dll
— — — — — — — > ‘lsass.exe'(724)
c:windowssystem32setupapi.dll
— — — — — — — > ‘explorer.exe'(2956)
c:windowssystem32SHDOCVW.dll
c:windowssystem32WININET.dll
c:program filesYandexPunto Switcherpshook.dll
c:windowssystem32COMRes.dll
c:windowsSystem32cscui.dll
c:windowssystem32credui.dll
c:windowssystem32MSVCP60.dll
c:windowssystem32msi.dll
c:windowssystem32SETUPAPI.dll
c:program filesAtomic Alarm ClockClock.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32webcheck.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Other Running Processes
.
c:windowssystem32nvsvc32.exe
c:windowssystem32dllhost.exe
c:windowsmHotkey.exe
c:windowssystem32RUNDLL32.EXE
c:windowsSOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-07-20 16:12:23 — machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 15:12
Pre-Run: 12 028 891 136 байт свободно
Post-Run: 12 023 181 312 байт свободно
Current=13 Default=13 Failed=12 LastKnownGood=14 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
— — End Of File — — 3FF398CB23CEC5E58F2BB64840ABCF49

