Re: Re: Viruses keep popping up, I can't remove them with anything!
ComboFix 09-04-15.08 - Михаил 18.04.2009 22:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1023.592 [GMT 7:00]
Running from: c:\documents and settings\Михаил\Рабочий стол\ComboFix.exe
Command switches used :: c:\documents and settings\Михаил\Рабочий стол\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: NVIDIA Firewall *disabled*
FW: Outpost Firewall Pro *enabled*
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\ugpernuw.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Legacy_ZFLNP
Service_zflnp
((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.
2009-04-12 15:26 . 2009-04-12 15:26 -------- d-----w c:\windows\85EBB28365AF4C539EBE7C0A232762F7.TMP
2009-04-11 18:46 . 1998-10-29 09:45 306688 ----a-w c:\windows\IsUninst.exe
2009-04-11 16:44 . 2009-04-11 16:44 -------- d--h--w c:\windows\$hf_mig$
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-s---w c:\documents and settings\Михаил\UserData
2009-04-11 16:10 . 2009-04-11 16:10 -------- d-s---w c:\documents and settings\Михаил\UserData
2009-04-11 15:48 . 2009-04-11 15:49 -------- d-----w C:\rsit
2009-04-11 15:28 . 2009-04-18 15:44 -------- d-----w c:\documents and settings\Михаил\Application Data\Skype
2009-04-11 15:24 . 2009-04-11 15:24 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-11 15:24 . 2009-04-11 15:30 -------- d-----w c:\documents and settings\Михаил\Local Settings\Application Data\Google
2009-04-04 18:07 . 2007-11-02 15:33 1891008 ----a-r c:\windows\unasetup.exe
2009-04-02 16:39 . 2007-11-02 15:33 1602240 ----a-r c:\windows\uncsetup.exe
2009-03-31 17:00 . 2009-03-31 17:00 -------- d-----w c:\documents and settings\Ольга\Local Settings\Application Data\Microsoft Help
2009-03-25 21:06 . 2009-03-25 21:06 1700352 ----a-w c:\windows\system32\gdiplus.dll
2009-03-25 21:00 . 2009-03-25 21:01 -------- d-----w c:\windows\system32\drivers\umdf
2009-03-25 20:55 . 2009-03-25 20:55 -------- d-----w c:\windows\system32\xlive
2009-03-24 04:46 . 2009-03-24 04:46 -------- d-----w c:\documents and settings\Ольга\Application Data\Lavasoft
2009-03-22 14:03 . 2009-03-22 14:03 208 ----a-w c:\windows\UpdateClientUI.INI
2009-03-20 07:31 . 2009-03-20 07:31 -------- d-----w c:\documents and settings\??????
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 10:27 . 2009-02-05 14:50 -------- d-----w c:\documents and settings\Ольга\Application Data\Spyware Terminator
2009-04-15 11:16 . 2009-02-05 13:35 -------- d-----w c:\documents and settings\Михаил\Application Data\Spyware Terminator
2009-04-13 14:15 . 2009-02-05 13:35 -------- d-----w c:\program files\Spyware Terminator
2009-04-12 16:32 . 2009-02-05 13:01 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 15:26 . 2009-02-21 17:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-12 06:15 . 2009-02-05 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-04-11 16:46 . 2009-04-11 15:19 -------- d-----w c:\program files\Google
2009-04-11 15:49 . 2009-04-11 15:48 -------- d-----w c:\program files\trend micro
2009-04-11 15:33 . 2009-04-11 15:33 -------- d-----w c:\program files\Skype
2009-04-11 15:33 . 2009-04-11 15:33 -------- d-----w c:\program files\Common Files\Skype
2009-04-11 15:32 . 2009-03-05 05:38 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-11 10:18 . 2009-02-25 13:30 -------- d-----w c:\documents and settings\Михаил\Application Data\skypePM
2009-03-28 20:01 . 2008-04-15 12:00 78770 ----a-w c:\windows\system32\perfc019.dat
2009-03-28 20:01 . 2008-04-15 12:00 472114 ----a-w c:\windows\system32\perfh019.dat
2009-03-25 21:25 . 2009-02-05 13:18 937864 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-25 20:55 . 2009-03-25 20:55 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-03-22 13:57 . 2009-02-21 08:10 -------- d-----w c:\program files\2gis
2009-03-20 07:57 . 2009-03-20 07:56 -------- d-----w c:\program files\Punto Switcher
2009-03-20 07:56 . 2009-02-05 13:20 -------- d-----w c:\documents and settings\Михаил\Application Data\Yandex
2009-03-20 07:31 . 2009-03-05 03:43 -------- d-----w c:\documents and settings\Михаил\Application Data\Nokia
2009-03-18 18:41 . 2009-02-05 16:59 -------- d-----w c:\program files\QIP Infium
2009-03-18 04:00 . 2009-03-11 17:15 -------- d-----w c:\documents and settings\Ольга\Application Data\Skype
2009-03-16 17:11 . 2009-03-16 17:01 -------- d-----w c:\documents and settings\Михаил\Application Data\Thinstall
2009-03-14 15:09 . 2009-03-14 15:09 2911848 ----a-w c:\windows\system32\drivers\appdrv01.sys
2009-03-14 15:09 . 2009-03-14 15:09 304528 ----a-w c:\windows\system32\appdrvrem01.exe
2009-03-14 15:03 . 2009-03-14 15:03 -------- d-----w c:\documents and settings\All Users\Application Data\Test Drive Unlimited
2009-03-13 06:24 . 2009-03-13 06:24 -------- d-----w c:\documents and settings\Ольга\Application Data\Grym
2009-03-11 17:26 . 2009-02-05 13:28 -------- d-----w c:\program files\Total Commander
2009-03-07 12:24 . 2009-03-07 12:24 60416 ----a-w c:\windows\ALCFDRTM.EXE
2009-03-05 09:16 . 2009-03-05 09:16 -------- d-----w c:\documents and settings\Ольга\Application Data\PC Suite
2009-03-05 05:27 . 2009-02-07 10:37 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-05 05:08 . 2009-03-05 05:08 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-03-05 05:08 . 2009-03-05 05:08 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-05 05:02 . 2009-03-05 05:02 -------- d-----w c:\program files\Common Files\PCSuite
2009-03-05 05:01 . 2009-03-05 05:00 -------- d-----w c:\program files\Common Files\Nokia
2009-03-05 05:01 . 2009-03-05 04:57 -------- d-----w c:\program files\Nokia
2009-03-05 04:59 . 2009-03-05 04:59 -------- d-----w c:\program files\PC Connectivity Solution
2009-03-05 04:56 . 2009-03-05 03:37 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-05 04:51 . 2009-03-05 04:51 -------- d-----w c:\documents and settings\All Users\Application Data\Installations
2009-03-05 03:57 . 2009-03-05 03:57 -------- d-----w c:\documents and settings\Михаил\Application Data\Datalayer
2009-03-05 03:56 . 2009-03-05 03:40 -------- d-----w c:\documents and settings\Михаил\Application Data\PC Suite
2009-03-05 03:43 . 2009-03-05 03:43 -------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2009-03-05 03:40 . 2009-03-05 03:40 -------- d-----w c:\program files\DIFX
2009-03-04 08:10 . 2009-03-04 08:10 -------- d-----w c:\documents and settings\Ольга\Application Data\DivX
2009-02-26 16:45 . 2009-02-26 16:45 -------- d-----w c:\program files\Common Files\PAC207
2009-02-26 16:45 . 2009-02-26 16:45 -------- d-----w c:\program files\Trust
2009-02-26 16:29 . 2009-02-26 16:29 -------- d-----w c:\documents and settings\Михаил\Application Data\ArcSoft
2009-02-23 07:06 . 2009-02-05 14:50 68456 ----a-w c:\documents and settings\Ольга\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-22 20:34 . 2009-02-22 20:34 -------- d-----w c:\documents and settings\Михаил\Application Data\ubi.com
2009-02-21 17:57 . 2009-02-05 13:22 68456 ----a-w c:\documents and settings\Михаил\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 17:52 . 2009-02-10 05:00 -------- d-----w c:\program files\Common Files\Adobe
2009-02-21 17:46 . 2009-02-21 12:53 -------- d-----w c:\program files\1C
2009-02-21 17:12 . 2009-02-21 17:10 -------- d-----w c:\program files\AGEIA Technologies
2009-02-21 15:37 . 2009-02-15 09:35 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-21 15:18 . 2009-02-21 15:18 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-21 15:18 . 2009-02-21 15:18 22328 ----a-w c:\documents and settings\Михаил\Application Data\PnkBstrK.sys
2009-02-21 15:17 . 2009-02-21 15:17 107832 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-21 15:16 . 2009-02-21 15:16 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-21 15:16 . 2009-02-21 15:16 2250024 ----a-w c:\windows\system32\pbsvc.exe
2009-02-21 08:21 . 2009-02-21 08:10 -------- d-----w c:\documents and settings\All Users\Application Data\2GIS
2009-02-21 08:16 . 2009-02-21 08:16 -------- d-----w c:\documents and settings\Михаил\Application Data\Grym
2009-02-20 16:52 . 2009-02-20 16:52 138752 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-05 13:34 . 2009-02-05 12:51 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-05 12:49 . 2009-02-05 12:49 22564 ----a-w c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-04-15_12.42.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 15:40 . 2005-10-20 13:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-15 12:39 . 2005-10-20 13:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"Punto Switcher"="c:\program files\Punto Switcher\punto.exe" [2008-10-16 735016]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-12-11 25343016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2005-11-25 91648]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2005-11-25 315460]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-02-05 2834432]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"HNMonitor"="c:\program files\HomeNet\Monitor\Monitor.exe" [2008-06-23 335872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 1410304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
c:\documents and settings\Михаил\Главное меню\Программы\Автозагрузка\
Вырезка экрана и программа запуска для OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^Михаил^Главное меню^Программы^Автозагрузка^Total Commander.lnk]
path=c:\documents and settings\Михаил\Главное меню\Программы\Автозагрузка\Total Commander.lnk
backup=c:\windows\pss\Total Commander.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2005-04-29 12:22 266240 ----a-w c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yupdate!]
2007-11-06 13:48 468744 ----a-w c:\program files\Common Files\Yandex\Yupdate\yupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"c:\Program Files\HomeNet\Monitor\Monitor.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPortsList]
"8814:TCP"= 8814:TCP:zefptfzp
R1 VFILT;Outpost Firewall Kernel Driver; [x]
R2 appdrvrem01;Application Driver Auto Removal Service (01); [x]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2005-11-25 33568]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\ARP.DLL [2005-11-25 17440]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2005-11-25 4864]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2005-11-25 14176]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2005-11-25 8992]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2005-11-25 11552]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2005-11-25 13248]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2005-11-25 7200]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2005-11-25 14912]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2005-11-25 6752]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2005-11-25 9984]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2005-11-25 16928]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:\program files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2005-11-25 9664]
S1 appdrv01;Application Driver (01);c:\windows\system32\Drivers\appdrv01.sys [2009-03-14 2911848]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-14 30728]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-02-20 138752]
S2 2GIS UpdateClientService;2GIS UpdateClientService;c:\program files\2gis\UpdateClient\Win32\UpdateClientService.exe [2008-09-17 1134592]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-14 455936]
S3 FStarForce;FStarForce;c:\windows\system32\DRIVERS\FStarForce.sys [2008-10-16 7680]
S3 ipgd;ASUS NX1101 Gigabit Ethernet Adapter Driver;c:\windows\system32\DRIVERS\ipgdnd51.sys [2005-01-28 33536]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\PFC027.SYS [2007-05-14 508288]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.mail.ru/
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: {F4CBC39B-090C-4CD7-83C0-A4E288139F91} = 217.117.80.1
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 22:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-2052111302-1614895754-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\nvappfilter.dll
- - - - - - - > 'explorer.exe'(3976)
c:\program files\Punto Switcher\pshook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_rus.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\progra~1\SPYWAR~1\sp_rsser.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-18 22:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 15:56
ComboFix2.txt 2009-04-15 12:44
Pre-Run: 33 098 854 400 байт свободно
Post-Run: 33 131 311 104 байт свободно