ComboFix 09-05-26.05 — Admin 28.05.2009 20:43.3 — NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.2046.1596 [GMT 4:00]
Running from: c:documents and settingsAdminРабочий столCombofixComboFix.exe
Command switches used :: c:documents and settingsAdminРабочий столCombofixWindowsXP-KB310994-SP2-Pro-BootDisk-RUS.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.
2009-05-27 16:53 . 2009-05-27 16:54
d
w c:documents and settingsAdminApplication DataAuslogics
2009-05-27 16:52 . 2009-05-27 16:52
d
w c:program filesAuslogics
2009-05-24 06:16 . 2009-05-24 06:16
d
w c:program filesMSXML 4.0
2009-05-24 06:16 . 2009-05-24 06:19
d—h—w c:windows$hf_mig$
2009-05-24 03:20 . 2008-12-20 22:15 1289728 -c—-w c:windowssystem32dllcachequartz.dll
2009-05-24 03:20 . 2009-02-20 17:19 102912 -c—-w c:windowssystem32dllcacheoccache.dll
2009-05-24 03:20 . 2009-02-20 17:19 52224 -c—-w c:windowssystem32dllcachemsfeedsbs.dll
2009-05-24 03:20 . 2009-02-20 17:19 44544 -c—-w c:windowssystem32dllcacheiernonce.dll
2009-05-24 03:20 . 2009-02-20 17:19 268288 -c—-w c:windowssystem32dllcacheiertutil.dll
2009-05-24 03:20 . 2009-02-20 17:19 63488 -c—-w c:windowssystem32dllcacheicardie.dll
2009-05-24 03:20 . 2009-02-20 17:19 230400 -c—-w c:windowssystem32dllcacheieaksie.dll
2009-05-24 03:20 . 2009-02-20 10:24 13824 -c—-w c:windowssystem32dllcacheieudinit.exe
2009-05-24 03:20 . 2009-02-28 04:54 636088 -c—-w c:windowssystem32dllcacheiexplore.exe
2009-05-24 03:20 . 2009-02-20 17:19 459264 -c—-w c:windowssystem32dllcachemsfeeds.dll
2009-05-24 03:19 . 2009-02-20 17:19 1163264 -c—-w c:windowssystem32dllcacheurlmon.dll
2009-05-24 03:19 . 2009-02-20 17:19 105984 -c—-w c:windowssystem32dllcacheurl.dll
2009-05-24 03:19 . 2009-02-20 17:19 380928 -c—-w c:windowssystem32dllcacheieapfltr.dll
2009-05-24 03:19 . 2008-07-09 14:25 2455488 -c—-w c:windowssystem32dllcacheieapfltr.dat
2009-05-24 03:19 . 2009-03-03 00:16 828416 -c—-w c:windowssystem32dllcachewininet.dll
2009-05-24 03:19 . 2009-02-20 17:19 6068736 -c—-w c:windowssystem32dllcacheieframe.dll
2009-05-24 03:17 . 2009-02-09 11:18 2067968 -c—-w c:windowssystem32dllcachentkrnlpa.exe
2009-05-24 03:17 . 2009-02-09 11:18 2147328 -c—-w c:windowssystem32dllcachentkrnlmp.exe
2009-05-24 03:17 . 2009-02-09 11:18 2025984 -c—-w c:windowssystem32dllcachentkrpamp.exe
2009-05-24 03:16 . 2008-10-24 11:21 455296 -c—-w c:windowssystem32dllcachemrxsmb.sys
2009-05-24 03:13 . 2008-09-04 17:17 1106944 -c—-w c:windowssystem32dllcachemsxml3.dll
2009-05-24 03:12 . 2008-04-21 21:15 218624 -c—-w c:windowssystem32dllcachewordpad.exe
2009-05-24 03:10 . 2008-10-16 10:06 268648 —-a-w c:windowssystem32mucltui.dll
2009-05-23 12:54 . 2009-05-23 12:54
d
w c:documents and settingsLocalServiceLocal SettingsApplication DataESET
2009-05-23 08:32 . 2009-05-23 13:01
d
w c:program filestrend micro
2009-05-23 08:32 . 2009-05-23 08:33
d
w C:rsit
2009-05-23 07:08 . 2009-05-23 07:24
d
w c:program filesORT Clock
2009-05-23 07:08 . 2009-05-23 07:08 1223151 —-a-w c:windowssystem32ORT Clock.scr
2009-05-23 07:06 . 2009-05-23 07:06 12328 —-a-w c:documents and settingsAdminLocal SettingsApplication DataGDIPFONTCACHEV1.DAT
2009-05-22 23:23 . 2009-05-22 23:23
d
w c:program filesCommon FilesDirectX
2009-05-22 22:34 . 2009-05-28 09:47
d
w c:program filesArenaOnline3D
2009-05-22 22:32 . 2009-05-22 22:32
d
w c:program filesCommon FilesArsenal Shared
2009-05-22 22:32 . 2009-05-22 22:32
d
w c:program filesArsenal Company
2009-05-22 22:32 . 2009-05-22 22:32
d
w c:program filesCommon FilesInstallShield
2009-05-22 19:55 . 2009-05-24 07:00
d
w c:program filesUnlocker
2009-05-22 19:55 . 2009-05-22 19:56
d
w c:documents and settingsAdminApplication DataDesktopicon
2009-05-22 19:27 . 2009-05-22 19:27
d
w c:documents and settingsAdminLocal SettingsApplication DataESET
2009-05-22 19:25 . 2009-05-22 19:25
d
w c:program filesESET
2009-05-22 19:25 . 2009-05-22 19:25
d
w c:documents and settingsAll UsersApplication DataESET
2009-05-22 19:21 . 2009-05-22 20:58
d
w c:documents and settingsAdminApplication DatauTorrent
2009-05-22 19:12 . 2009-05-22 22:32
d—h—w c:program filesInstallShield Installation Information
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 15:22 . 2008-04-15 12:00 77078 —-a-w c:windowssystem32perfc019.dat
2009-05-27 15:22 . 2008-04-15 12:00 448934 —-a-w c:windowssystem32perfh019.dat
2009-05-23 20:44 . 2009-05-22 13:47 86327 —-a-w c:windowspchealthhelpctrOfflineCacheindex.dat
2009-05-22 20:02 . 2009-05-22 14:37
d
w c:documents and settingsAdminApplication DataDownload Master
2009-05-22 14:41 . 2009-05-22 14:37
d
w c:program filesDownload Master
2009-05-22 14:07 . 2009-05-22 14:07 0 —ha-w c:windowssystem32driversMsft_Kernel_winbondhidcir_01005.Wdf
2009-05-22 14:07 . 2009-05-22 14:07 0 —ha-w c:windowssystem32driversMsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-05-22 14:07 . 2009-05-22 14:07
d
w c:program filesCONEXANT
2009-05-22 13:57 . 2009-05-22 13:57
d
w c:program filesuTorrent
2009-05-22 13:57 . 2009-05-22 13:57
d
w c:program filesUltraISO
2009-05-22 13:57 . 2009-05-22 13:57
d
w c:program filesCommon FilesEZB Systems
2009-05-22 13:57 . 2009-05-22 13:57
d
w c:program filesEverest
2009-05-22 13:51 . 2009-05-22 13:51
d
w c:program filesVistaDriveIcon
2009-05-22 13:51 . 2009-05-22 13:51 717296 —-a-w c:windowssystem32driverssptd.sys
2009-05-22 13:51 . 2009-05-22 13:51
d
w c:program filesPaint.NET
2009-05-22 13:50 . 2009-05-22 13:50
d
w c:program filesJava
2009-05-22 13:50 . 2009-05-22 13:50
d
w c:program filesCommon FilesJava
2009-05-22 13:44 . 2009-05-22 13:44 22564 —-a-w c:windowssystem32emptyregdb.dat
2009-05-22 13:44 . 2009-05-22 13:44
d
w c:program filesWindows Media Connect 2
2009-03-19 07:45 . 2009-03-19 07:45 93848 —-a-w c:windowssystem32driversepfwtdir.sys
2009-03-19 07:44 . 2009-03-19 07:44 107256 —-a-w c:windowssystem32driversehdrv.sys
2009-03-19 07:41 . 2009-03-19 07:41 113960 —-a-w c:windowssystem32driverseamon.sys
2009-03-06 13:51 . 2008-04-15 12:00 284672 —-a-w c:windowssystem32pdh.dll
2009-03-03 00:16 . 2008-08-19 16:23 828416 —-a-w c:windowssystem32wininet.dll
.
Sigcheck
[-] 2008-08-19 16:23 579072 23B7D3F3F5EC8FEEA75EC381C71CBD5E c:windowssystem32user32.dll
[-] 2008-08-19 16:20 361600 6A104BA98D99D53AB0C91825CE659FC6 c:windowssystem32driverstcpip.sys
[-] 2008-08-19 16:22 1721344 62EA07EDF5E3F3FF34EFF9BF7619BC64 c:windowsexplorer.exe
[-] 2008-08-19 16:21 30208 B8B35F99DADAA5459FBA639F20045FE2 c:windowssystem32ctfmon.exe
[-] 2008-08-21 17:34 1571840 66452823532746FA58EFEDBA320F46A2 c:windowssystem32sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32ctfmon.exe» [2008-08-19 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
«NvCplDaemon»=»c:windowssystem32NvCpl.dll» [2007-06-06 8433664]
«NvMediaCenter»=»c:windowssystem32NvMcTray.dll» [2007-06-06 81920]
«egui»=»c:program filesESETESET NOD32 Antivirusegui.exe» [2009-03-19 2029640]
«RTHDCPL»=»RTHDCPL.EXE» — c:windowsRTHDCPL.EXE [2008-04-10 16861184]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
«CTFMON.EXE»=»c:windowssystem32CTFMON.EXE» [2008-08-19 30208]
«VistaIcon»=»c:program filesVistaDriveIconVistaDrv.exe» [2008-01-02 132096]
[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
«IE7_011″=»shell32» [X]
«ZZZZ2_FirstLogonSetting»=»advpack.dll» — c:windowssystem32advpack.dll [2009-02-20 124928]
«IE7_012″=»advpack.dll» — c:windowssystem32advpack.dll [2009-02-20 124928]
[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)
[HKEY_USERS.defaultsoftwaremicrosoftwindowscurrentversionpoliciesexplorer]
«NoSMConfigurePrograms»= 1 (0x1)
[HKEY_LOCAL_MACHINEsoftwaremicrosoftsecurity center]
«FirewallOverride»=dword:00000001
«UpdatesDisableNotify»=dword:00000001
«UpdatesOverride»=dword:00000001
«AntiVirusDisableNotify»=dword:00000001
«AntiVirusOverride»=dword:00000001
[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
«%windir%\Network Diagnostic\xpnetdiag.exe»=
«%windir%\system32\sessmgr.exe»=
R0 iastor78;iastor78;c:windowssystem32driversiastor78.sys [21.08.2008 21:33 308248]
R1 ehdrv;ehdrv;c:windowssystem32driversehdrv.sys [19.03.2009 11:44 107256]
R1 epfwtdir;epfwtdir;c:windowssystem32driversepfwtdir.sys [19.03.2009 11:45 93848]
R2 ekrn;ESET Service;c:program filesESETESET NOD32 Antivirusekrn.exe [19.03.2009 11:44 731840]
R3 hidshim;Service for HID-KMDF Shim layer;c:windowssystem32drivershidshim.sys [22.05.2009 18:07 5632]
R3 winbondhidcir;Winbond HID CIR Receiver;c:windowssystem32driverswinbondhidcir.sys [22.05.2009 18:07 21504]
— Other Services/Drivers In Memory —
*NewlyCreated* — SRSERVICE
.
.
Supplementary Scan
.
uStart Page = hxxp://www.mail.ru/
uInternet Connection Wizard,ShellNext = hxxp://www.yandex.ru/
IE: Закачать ВСЕ при помощи Download Master — c:program filesDownload Masterdmieall.htm
IE: Закачать при помощи Download Master — c:program filesDownload Masterdmie.htm
IE: Передать на удаленную закачку DM — c:program filesDownload Masterremdown.htm
IE: {{8DAE90AD-4583-4977-9DD4-4360F7A45C74} — c:program filesDownload Masterdmaster.exe
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista — rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 20:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
— — — — — — — > ‘winlogon.exe'(1016)
c:windowssystem32SETUPAPI.dll
c:windowssystem32cscui.dll
— — — — — — — > ‘lsass.exe'(1076)
c:windowssystem32setupapi.dll
— — — — — — — > ‘explorer.exe'(3388)
c:windowssystem32SHDOCVW.dll
c:windowssystem32COMRes.dll
c:windowsSystem32cscui.dll
c:windowssystem32SETUPAPI.dll
c:windowssystem32NETSHELL.dll
c:windowssystem32wpdshserviceobj.dll
c:windowssystem32portabledevicetypes.dll
c:windowssystem32portabledeviceapi.dll
.
Completion time: 2009-05-28 20:44
ComboFix-quarantined-files.txt 2009-05-28 16:44
ComboFix2.txt 2009-05-28 16:41
ComboFix3.txt 2009-05-28 16:34
Pre-Run: 51 220 819 968 байт свободно
Post-Run: 51 212 075 008 байт свободно
173 — E O F — 2009-05-27 13:24
